
LMS access control with/without ACS integration

yjdabear
VIP Alumni

Would it be possible to take away a user's ability to modify/delete device configs in LMS/RME? What roles should be removed from the user's profile? I supposed it'd require taking away everything except Help Desk + Guest.

How will this profile change impact the user's ability to generate reports or schedule NetShow commands?

Are there any benefits (more granular access control, perhaps) by integrating with ACS? Can the ACS integration be used solely for LMS user access control, without having to keep ACS sync'ed with LMS DCR as well?

9 Replies

Joe Clarke
Cisco Employee

You can use the Permissions Report at Common Services > Server > Reports to see what a user given only Help Desk access will be able to do. You might be able to grant Network Operator access depending on how much config visibility you want the user to have.

The benefit of ACS integration is definitely that you get to control LMS roles down to the task level. Additionally, you can control which users can perform which tasks on specific devices. Just because you integrated LMS with ACS does not mean the devices themselves have to use ACS for authentication/authorization. However, all of the devices managed by LMS MUST be clients of the same ACS server. This is the only way LMS will know it is authorized to manage the devices.

Network Operator can: ConfigDataExport and ConfigEditor Edit Config. Can the changes made here be saved back by Network Operator?

It's exactly what I'm afraid of, that whatever devices ACS doesn't have LMS can't manage. That'd place the updatedness of LMS inventory at the mercy of ACS.

Also, if LMS has to depend on the ACS it integrates with, can LMS import ACS's device list automatically?

Yes, LMS can import the device list from ACS. This is one of the external NMS options available for a DCR bulk import.

Can this import be automated/scheduled on the DCR side, or (export) automatically from the ACS end?

Yes, it can be scheduled on the LMS side.

No, Network Operator cannot create Config Editor deployment jobs.

Yes, your concern is valid. If a device is not a client of the ACS server, then LMS will not be able to manage it.

Actually, the desire is to take away the ability to modify/delete device configs stored on CiscoWorks itself (vis-a-vis eventually deploying to the actual devices). So it's not desirable the Network Operator can edit-then-save device config on LMS, regardless of the inability to deploy the change. That's what I'm not clear on.

Then you'd have to drop back to Help Desk, or use ACS.
