LMS 3.01 / ACS 4.1 - Device Management Permission / Issue

Unanswered Question
Aug 19th, 2010
User Badges:

Hi there,


We run a secured network where all devices use TACACS+ to ACS and users have different permisisons on the end devices from read only, limited changes (port up/down) to full admin.


We have LMS 3.01 integrated to ACS and again different users have different permissions with LMS to match their rights on the network.


We have an issue where we keep getting devices in conflicting, alias or pre-deployed state.


Within the RME home page they show up on the left hand side and our users want to be able to click on the numbers and open up the Device Management centre list of devices in each state - see first attachment.


Working in a development environment and looking at the 'failed attempts' in ACS I can see the permission it needs is "Devicve Management' - see 2nd attachment.


If I enable this, when a user clicks on an entry withi nthe Device Management Status window in the RME homepage it opens up the Device Management window BUT (and this is a big but) it allows EXPORT of the devices and credentials - see last attachment.


This is categorically unacceptable - exporting from the DCR would export the ACS credentials used by LMS which have full rights on the network and exposing these to any users blows away all the security we have with different users having different permissions.


Is there any way to get a list of devices in the various states without enabling the RME 'Device Management' permission and destroying our security model?


Thanks

Michael

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Joe Clarke Fri, 08/20/2010 - 22:01
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

Unfortunately, the Export feature is tied to this role and cannot be separated.  There is no other way to get the specific list of devices in each state.

Actions

This Discussion

Related Content