
CSM : System Identity User role

thomas.wohrer
Level 1

Hi,

I have a quick question regarding the system identity user and its role. What exactly is this user doing?


"System Identity setup helps you create a "trust" user on servers that are part of a multi-server setup. This user enables communication among servers that are part of a domain." This is from the help topic of CiscoWorks.


In our case, we have a CSM server (3.3.1), which replicates to a second server using Symantec Veritas, but there is only one server active at a time. So what is the purpose of this user?

Are there tasks that can only be performed by this user?

Accepted Solution

yjdabear
VIP Alumni

The "multi-server setup" in the Help refers to the master-slave multi-server trust setup supported by DCR/Common Services, so it obviously doesn't apply to your scenario of "multi-server" replication via third-party software (Veritas). Furthermore, if your CSM is not using Cisco Secure ACS for authentication, you only need to be concerned with the local significance of the System Identity User, according to:

http://ciscosystems.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.0.2/installation/guide/xhelpref.html


You can choose whether to enter the System Identity username and password after installation. Communication among your servers relies on a trust model that uses certificates and shared secrets. The System Identity login is trustworthy to other servers when you use a multiserver setup and therefore facilitates communication between servers that are part of a domain. There can be one System Identity login account on a server.

If you use Cisco Secure Access Control Server (ACS) for user authentication, you must use it to assign all CiscoWorks privileges to the System Identity user. If you do not use ACS for user authentication, the System Identity user must be a local user with system administrator privileges.


5 Replies


Thanks for your reply, yjdabear.

Actually the reason why I was asking this is because the customer who has this server told me he could not import a new device from a config file with his regular TACACS account (we are in ACS mode).

The thing is, he managed to do it by using the System Identity User account. The weird thing is, both the System Identity and his TACACS account belong to the same ACS user group, which has the super admin role for CiscoWorks and the System Admin role for CSM. Both accounts inherit rights from the group settings. He can still import devices using the network and everything else with his regular account...

Hello Thomas,

Since I'm only using ACS for authentication but not authorization in my environment, I may be completely off base below. I'm thinking that the difference your customer noted might be explained by the screenshot seen at the following URL (Figure 15. Local User Setup):

http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html#wp9000205

It describes LMS-ACS integration, but the same concept applies to CSM-ACS.

I'm guessing that his TACACS ID is either not defined as a local user in CSM's Common Services, or not assigned the same set of privileges (Approver, System Administrator, etc.) as the System Identity User. Yes, you have noted that his TACACS ID is in the same "super admin" group in ACS. Here, I speculate that ACS nonetheless checks with Common Services regarding the privileges each "user ID" is assigned locally. Since his TACACS ID is not defined with the same access as the System Identity User ID in Common Services, he could not import from file (lack of the "System Administrator" privilege, possibly). His ID might be assigned the "Network Administrator" privilege locally, which could explain his ability to import from the network.

Again, that's just my empirical speculation. If you have further details and/or questions, I suggest posting a thread at the other Network Management forum, for better chance of getting a good answer.

https://supportforums.cisco.com/community/netpro/network-infrastructure/network-management

Hi,

You are right in saying that his user ID is not defined locally in Common Services. I assumed that since we are in ACS mode, ACS was doing all the job regarding authentication and authorization and that we did not need a local user database. I will need to perform some tests with his user ID created locally, but using ACS would then be useless if we need to maintain 2 user bases.

Thanks for the reply.

I agree with your thoughts. I had thought so, too.

Again, I suggest posing the same question at the other Network Management forum for a more definitive explanation:

https://supportforums.cisco.com/community/netpro/network-infrastructure/network-management
