LMS access control with/without ACS integration

Unanswered Question
Aug 4th, 2008

Would it be possible to take away a user's ability to modify/delete device configs in LMS/RME. What roles should be removed from the user's profile? I supposed it'd require taking away everything except Help Desk + Guest.

How will this profile change impact the user's ability to generate reports or schedule NetShow commands?

Are there any benefits (more granular access control, perhaps) by integrating with ACS? Can the ACS integration be used solely for LMS user access control, without having to keep ACS sync'ed with LMS DCR as well?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.7 (3 ratings)
Joe Clarke Mon, 08/04/2008 - 07:53

You can use the Permissions Report at Common Services > Server > Reports to see what a user given only Help Desk access will be able to do. You might be able to grant Network Operator access depending on how much config visibility you want the user to have.

The benefit of ACS integration is definitely that you get to control LMS roles down to the task level. Additionally, you can control which users can perform which tasks on specific devices. Just because you integrated LMS with ACS does not mean the devices themselves have to use ACS for authentication/authorization. However, all of the devices managed by LMS MUST be clients of the same ACS server. This is the only way LMS will know it is authorized to manage the devices.

yjdabear Tue, 08/05/2008 - 16:46

Network Operator can: ConfigDataExport and

ConfigEditor Edit Config. Can the changes made here be saved back by Network Operator?

It's exactly what I'm afraid of, that whatever devices ACS doesn't have LMS can't manage. That'd place the updatedness of LMS inventory at the mercy of ACS.

yjdabear Tue, 08/05/2008 - 17:34

Also, if LMS has to depend on the ACS it integrates with, can LMS import ACS's device list automatically?

Joe Clarke Tue, 08/05/2008 - 18:09

Yes, LMS can import the device list from ACS. This is one of the external NMS options availabe for a DCR bulk import.

yjdabear Tue, 08/05/2008 - 18:15

Can this import be automated/scheduled on the DCR side, or (export) automaticaly from the ACS end?

Joe Clarke Tue, 08/05/2008 - 18:09

No, Network Operator cannot create Config Editor deployment jobs.

Yes, your concern is valid. If a device is not a client of the ACS server, then LMS will not be able to manage it.

yjdabear Tue, 08/05/2008 - 18:18

Actually, the desire is to take away the ability to modify/delete device configs stored on CiscoWorks itself (vis-a-vis eventually deploying to the actual devices). So it's not desirable the Network Operator can edit-then-save device config on LMS, regardless of the inability to deploy the change. That's what I'm not clear on.


This Discussion