Security Questions - LMS 3.2 and ACS integration

Answered Question
Oct 8th, 2009

Hi,

I recently integrated an LMS 3.2 installation with ACS by following the "CiscoWorks LMS integration with Cisco Secure ACS" white paper. I used a similar structure with central administrators and sub-groups (such as "NorCal" in the white paper) which have SuperAdmin rights to a limited set of devices based on an NDG. It works exactly as expected.

A security person on my team has 2 security questions that I'm trying to research the answers to.

1. Since the casuser Windows account is used to execute all batch jobs, is there any way for someone in the sub-group "NorCal" to execute a batch job that gives him access to devices outside his designated NDG, or does he have the ability to generate reports for devices outside his NDG?

2. If the sub-group "NorCal" is given SuperAdmin rights to the LMS Server NDG as per the White Paper, does this let the sub-group change LMS settings that affect the central administrators?

Thanks!

--Max

Correct Answer by Joe Clarke about 7 years 3 months ago

1. No. As long as that user uses the GUI or CLI tools within LMS, ACS device restrictions will apply. Any violation of that would generally be considered a bug.

2. Yes. If they are granted Super User privileges, they can modify LMS settings. If you remove System Administrator rights, then they will not be able to modify LMS system settings.

Joe Clarke Thu, 10/08/2009 - 08:34
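The two points in Joe's answer (device restrictions are enforced on the requesting user even though jobs run under one shared service account, and the System Administrator role, not device-group SuperAdmin, is what gates system settings) can be illustrated with a small model. The following is an added example, not code from this thread, from LMS or from ACS; the group names, device names and role sets are constructed, and the role model is a simplification of how LMS and ACS actually store these rights.

```python
"""
Toy model (constructed, not Cisco's implementation) of per-user device-group
authorization for batch jobs and reports, plus the role check for system
settings. The job runner account is deliberately not part of the check: the
decision is made on the identity of the user who submitted the request.
"""
from dataclasses import dataclass, field

# Constructed Network Device Groups: NDG name -> set of device names
NDGS = {
    "NorCal": {"sfo-core-1", "sjc-edge-1"},
    "SoCal": {"lax-core-1"},
    "LMS Server": {"lms-server"},
}

# Constructed system settings store, modified only through change_system_setting()
SETTINGS = {"smtp_server": "mail.example.invalid"}


@dataclass
class User:
    name: str
    # NDG name -> set of role names granted on that group (constructed schema)
    roles: dict = field(default_factory=dict)

    def can_manage(self, device: str) -> bool:
        """True if the user holds SuperAdmin on any NDG containing the device."""
        return any(
            device in NDGS.get(ndg, set()) and "SuperAdmin" in granted
            for ndg, granted in self.roles.items()
        )

    def has_system_admin(self) -> bool:
        """System-wide settings require the System Administrator role on the
        group that holds the LMS server itself."""
        return "System Administrator" in self.roles.get("LMS Server", set())


@dataclass
class JobResult:
    allowed: list
    denied: list


def authorize_job(user: User, requested_devices: list) -> JobResult:
    """Filter a batch job's (or report's) device list by the submitting user's
    NDG rights. The filtered list is what the shared service account later
    executes, so devices outside the user's NDG never reach the job."""
    allowed = [d for d in requested_devices if user.can_manage(d)]
    denied = [d for d in requested_devices if d not in allowed]
    return JobResult(allowed, denied)


def change_system_setting(user: User, key: str, value: str) -> bool:
    """Apply a system-wide setting only for System Administrators."""
    if not user.has_system_admin():
        return False
    SETTINGS[key] = value
    return True


def remove_system_admin(user: User) -> User:
    """The mitigation from the answer: keep device-level SuperAdmin but strip
    the System Administrator role from the LMS Server group."""
    trimmed = {ndg: set(r) for ndg, r in user.roles.items()}
    trimmed.get("LMS Server", set()).discard("System Administrator")
    return User(user.name, trimmed)


def white_paper_user() -> User:
    """A NorCal sub-group admin as the white paper structure would grant it:
    SuperAdmin on NorCal and on the LMS Server NDG (constructed)."""
    return User("norcal-admin", {
        "NorCal": {"SuperAdmin"},
        "LMS Server": {"SuperAdmin", "System Administrator"},
    })


if __name__ == "__main__":
    u = white_paper_user()
    print(authorize_job(u, ["sfo-core-1", "lax-core-1"]))
    print("settings change:", change_system_setting(u, "smtp_server", "x"))
    h = remove_system_admin(u)
    print("after hardening:", change_system_setting(h, "smtp_server", "y"))
```

Question 1 maps to `authorize_job`: the out-of-group device is dropped before the job is handed to the service account, which is why the account that runs the job is irrelevant to the decision. Question 2 maps to `change_system_setting` and `remove_system_admin`: with the roles as the white paper grants them the sub-group can change settings, and removing System Administrator is what closes that.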