Cisco Support Community

New Member

ACS Administration restrictions not 100%

I am attempting to set up individual admin accounts for customers to admin their VPN users, and ran into an interesting loophole. Under each user there are the Advanced settings where the NARs are, and that user can access the other customers' NARs and gain VPN access to their devices. How can I restrict those users to only add/remove users under their group without showing the rest of the permissions?

3 REPLIES

Re: ACS Administration restrictions not 100%

I don't think that is possible. Those admin users will be able to view all configuration for that user.

Read access to users in these groups.

Enables read-only access to users in the Editable groups.

When the Add/Edit users in these groups option is enabled, it overrides the settings in the Read access to users in these groups option.

If the Add/Edit users in these groups option is checked (enabled), it does not matter if this setting is enabled or disabled. The Add/Edit users in these groups setting overrides this setting, and the administrator can edit all users in the Editable groups.

If the Add/Edit users in these groups option is unchecked (disabled):

* Check this check box to grant the administrator read access to the users in the Editable groups. In this case, the administrator cannot submit changes.

* When unchecked, administrators cannot view users.

This has to be a feature request.

Regards,

~JG

Do rate helpful posts

New Member

Re: ACS Administration restrictions not 100%

I think I know where you are going, but the admin user doesn't have access to users in the other groups, just in the group assigned. The problem I see is that under a user account, the other groups show up, and he can add a user to that group, and then that user would be able to log into the other groups' VPN servers.

Where would I send in a feature request for this? I am a bit surprised it hasn't come up before. I am finding the ACS very useful for customer VPNs who don't have their own RADIUS server, and where we admin their firewall.

Re: ACS Administration restrictions not 100%

No, if you allow an admin user to add/edit users in two groups, then only those two groups would show up in the user setup.

And that admin user will not be able to open group setup page.

See attachment
