06-20-2014 09:37 AM - edited 03-10-2019 09:48 PM
Hi All,
1) Is it possible to disable users from changing their password in ACS? The users have access to all devices.
2) Is it possible to prompt users to change the enable password? Please advise.
Thanks
06-23-2014 04:10 AM
Unchecking "change password on next login" under the account is one way.
Secondly, you can set the password never to expire using the checkbox (ACS 5.5 feature).
The enable password cannot be changed on a prompt basis.
Rate if Useful :)
Sharing knowledge makes you Immortal.
Regards,
Ed
06-23-2014 04:44 AM
Hi Rakesh,
If you are looking at ACS GUI admin rights for those who access ACS... yes, you can create a restricted profile in ACS so they cannot make any modifications in ACS. But there are some limitations on that... I have pasted the details in the post below.
If you don't want the end users who access network devices, servers, or any system that authenticates via Cisco ACS to change their password, they can be restricted by unchecking the checkbox for changing the password on next login.
Usually the enable password is also integrated with TACACS, so enable uses the same password as login.... You are restricted here from changing the enable password....
Roles consist of typical administrator tasks, each with an associated set of permissions. Each administrator can have more than one predefined role, and a role can apply to multiple administrators. As a result, you can configure multiple tasks for a single administrator and multiple administrators for a single task.
You use the Administrator Accounts page to assign roles. In general, a precise definition of roles is the recommended starting point. Refer to Creating, Duplicating, Editing, and Deleting Administrator Accounts for more information.
You can assign roles to the internal administrator account. ACS 5.4 provides two methods to assign roles to internal administrators:
- Static role assignment: ACS 5.4 allows you to assign administrator roles statically to an internal administrator account. This is applicable only to internal administrator accounts. If you choose this static option, you must select the administrator roles for each internal administrator account manually. When an administrator tries to access the account, and that administrator is configured in an administrator internal identity store with a static role assignment, only the identity policy is executed for authentication. The authorization policy is skipped. After successful execution of the identity policy, the administrator is assigned the selected role for the administrator account.
- Dynamic role assignment: If the administrator account is configured in an external or internal identity store and has a dynamic role assignment, ACS evaluates the authorization policy and obtains a list of administrator roles, which it uses dynamically, or Deny Access as the result. If the super admin assigns a dynamic role to an administrator and does not configure the authorization policy, then authorization of that administrator account uses the default value "deny access". As a result, authorization for this administrator account is denied. But if you assign a static role to an administrator, the authorization policy has no impact on authorizing that administrator.
Based on the selected role, ACS authenticates and manages the administrator access restrictions and authentications. If Deny Access is the result of the evaluation, then ACS denies access to the administrator and logs the reason for failure in the customer logs.
Note: The ACS web interface displays only the functions for which you have privileges. For example, if your role is Network Device Admin, the System Administration drawer does not appear because you do not have permissions for the functions in that drawer.
A permission is an access right that applies to a specific administrative task. Permissions consist of:
A resource given to an administrator without any privileges means that the administrator has no access to resources. In addition, the permissions are discrete. If the privileges create, update, and delete apply to a resource, the read privilege is not available.
HTH
Regards
Karthik
07-01-2014 02:22 AM
A permission is an access right that applies to a specific administrative task. Permissions consist of:
A resource given to an administrator without any privileges means that the administrator has no access to resources. In addition, the permissions are discrete. If the privileges create, update, and delete apply to a resource, the read privilege is not available.
If no permission is defined for an object, the administrator cannot access this object, not even for reading.
Note: You cannot make permission changes.
Table 16-1 shows the predefined roles included in ACS:
| Role | Privileges |
|---|---|
| ChangeAdminPassword | This role is intended for ACS administrators who manage other administrator accounts. This role entitles the administrator to change the password of other administrators. |
| ChangeUserPassword | This role is intended for ACS administrators who manage internal user accounts. This role entitles the administrator to change the password of internal users. |
| NetworkDeviceAdmin | This role is intended for ACS administrators who need to manage the ACS network device repository only, such as adding, updating, or deleting devices. This role has the following permissions: |
| PolicyAdmin | This role is intended for the ACS policy administrator responsible for creating and managing ACS access services and access policy rules, and the policy elements referenced by the policy rules. This role has the following permissions: |
| ReadOnlyAdmin | This role is intended for ACS administrators who need read-only access to all parts of the ACS user interface. This role has read-only access to all resources. |
| ReportAdmin | This role is intended for administrators who need access to the ACS Monitoring and Report Viewer to generate and view reports or monitoring data only. This role has read-only access on logs. |
| SecurityAdmin | This role is required in order to create, update, or delete ACS administrator accounts, to assign administrative roles, and to change the ACS password policy. This role has the following permissions: |
| SuperAdmin | The Super Admin role has complete access to every ACS administrative function. If you do not need granular access control, this role is most convenient, and this is the role assigned to the predefined ACSAdmin account. This role has Create, Read, Update, Delete, and eXecute (CRUDX) permissions on all resources. |
| SystemAdmin | This role is intended for administrators responsible for ACS system configuration and operations. This role has the following permissions: |
| UserAdmin | This role is intended for administrators who are responsible for adding, updating, or deleting entries in the internal ACS identity stores, which includes internal users and internal hosts. This role has the following permissions: |
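The two quoted passages above (static versus dynamic role assignment with its default "deny access", and the discrete CRUDX permissions where create/update/delete do not imply read) can be modelled in a few lines. This is an added example, not Cisco code or anything from the posts; the resource names, the hypothetical `authz_policy` rules and the per-role privilege subsets are constructed for illustration.

```python
"""Toy model of the ACS 5.x administrator authorization flow quoted above.

Constructed example. Role names and the CRUDX letters follow the quoted
user guide; resource names and policy rules are hypothetical.
"""
from dataclasses import dataclass, field

# Role -> resource -> discrete privileges. Privileges are discrete, so "U" on
# a resource does not imply "R" (as the guide states). "*" = all resources.
ROLES = {
    "SuperAdmin": {"*": set("CRUDX")},
    "ReadOnlyAdmin": {"*": {"R"}},
    "ChangeUserPassword": {"internal-user-password": {"U"}},  # hypothetical resource
    "ReportAdmin": {"logs": {"R"}},
}

@dataclass
class Admin:
    name: str
    static_roles: tuple = ()                        # non-empty => static assignment
    attributes: dict = field(default_factory=dict)  # consulted by the authz policy

def authz_policy(admin):
    """Hypothetical authorization policy: first matching rule wins;
    no match returns an empty list, i.e. the default 'deny access'."""
    rules = [
        (lambda a: a.attributes.get("group") == "noc", ["ReportAdmin"]),
        (lambda a: a.attributes.get("group") == "helpdesk", ["ChangeUserPassword"]),
    ]
    for condition, roles in rules:
        if condition(admin):
            return roles
    return []

def effective_roles(admin):
    # Static assignment: only the identity policy runs; authz policy is skipped.
    if admin.static_roles:
        return list(admin.static_roles)
    # Dynamic assignment: the authorization policy decides; empty list = denied.
    return authz_policy(admin)

def permitted(admin, resource, privilege):
    """True only if some effective role grants exactly this privilege on the resource.
    An object with no permission defined is inaccessible, even for reading."""
    for role in effective_roles(admin):
        for res, privs in ROLES.get(role, {}).items():
            if res in ("*", resource) and privilege in privs:
                return True
    return False
```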