I recently integrated an LMS 3.2 installation with ACS by following the "CiscoWorks LMS integration with Cisco Secure ACS" white paper. I used a similar structure with central administrators and sub-groups (such as "NorCal" in the white paper) which have SuperAdmin rights to a limited set of devices based on an NDG. It works exactly as expected.
A security person on my team has two security questions that I'm trying to research the answers to.
1. Since the casuser Windows account is used to execute all batch jobs, is there any way for someone in the sub-group "NorCal" to execute a batch job that gives him access to devices outside his designated NDG, or does he have the ability to generate reports for devices outside his NDG?
2. If the sub-group "NorCal" is given SuperAdmin rights to the LMS Server NDG as per the white paper, does this let the sub-group change LMS settings that affect the central administrators?
1. No. As long as that user uses the GUI or CLI tools within LMS, ACS device restrictions will apply. Any violation of that would generally be considered a bug.
2. Yes. If they are granted Super User privileges, they can modify LMS settings. If you remove System Administrator rights, then they will not be able to modify LMS system settings.