Cisco Support Community
Cisco Employee

Access Restriction in CPO?

Hi Team,

Currently we are facing two different issues w.r.t Access Restriction in CPO.

Issue 1: User needs to be added to the Admin group in order to have access to all the features of CPO.

Description: We added a new user to the groups TEO Definition Authors and TEO Operators on one of our CPO servers. When the user tries to create a new target, under advanced properties, no options are listed for default patterns type. Only when we added the user to the TEO Administrators group could the user create the target successfully. Is there any way we can restrict the user so that they do not have admin access and are still able to have access to all developer features?

Issue 2: Windows user in CPO

Description: One of our clients noticed that in order to add a Windows user in CPO, that user had to be part of the administration group of the host, and this gives this same Windows user access to the TEO Windows host as Admin.

We believe that the above two issues are similar; what steps can we take to restrict the access to the users? It is extremely important that the users using our CPO environment have access to all the needed features as developers without being part of the Admin group.

Appreciate your help.

Thanks,
Greg

  • Cisco Process Orchestrator
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Access Restriction in CPO?

To add users they should be a part of the TEO administrators group. Or you can create your own customized security with create/update for run time users.

For Windows runtime users, those users must be able to login interactively with the box and must have login as a service/login as batch in local/group security policy.

--Shaun Roberts shaurobe@cisco.com CIAC Adoption Pilot Engineering Lead
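
A read-only check for the rights named in the answer above, as an added example that is not part of the original thread or of Cisco's tooling: it parses a `secedit` user-rights export and reports whether the runtime account holds each logon right itself rather than only through Administrators. The account name `CORP\svc_cpo_runtime` and the INF text are constructed, and reading "login as a service/login as batch" as `SeServiceLogonRight`/`SeBatchLogonRight` is an assumption.

```powershell
# Added example. The account name and the INF text are constructed sample data.
# On a real host, export the live assignments first:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
#   $inf = Get-Content -Raw C:\Temp\rights.inf
$inf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,CORP\svc_cpo_runtime
SeServiceLogonRight = *S-1-5-20,CORP\svc_cpo_runtime
SeBatchLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight = Guest
[Version]
signature="$CHICAGO$"
'@

function Get-PrivilegeRights {
    param([Parameter(Mandatory)][string]$InfText)
    $rights = @{}
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            # Entries are comma-separated; SIDs carry a leading '*'.
            $rights[$name] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    $rights
}

function Test-RuntimeAccountRights {
    param([string]$InfText, [string[]]$Principals)
    $rights = Get-PrivilegeRights -InfText $InfText
    foreach ($right in 'SeInteractiveLogonRight', 'SeServiceLogonRight', 'SeBatchLogonRight') {
        $deny = $right -replace '^Se', 'SeDeny'   # a deny entry overrides the matching grant
        [pscustomobject]@{
            Right   = $right
            Granted = [bool](@($rights[$right]) | Where-Object { $Principals -contains $_ })
            Denied  = [bool](@($rights[$deny])  | Where-Object { $Principals -contains $_ })
        }
    }
}

# Pass only the account's own name/SID and the non-admin groups it belongs to.
Test-RuntimeAccountRights -InfText $inf -Principals 'CORP\svc_cpo_runtime' | Format-Table
```

In the constructed sample the batch logon right is held only by the built-in Administrators group (S-1-5-32-544), so the account would get it only through admin membership; granting the right to the account or to a dedicated non-admin group in local or group policy removes that dependency.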
7 REPLIES
Cisco Employee

Access Restriction in CPO?

For #1, go under administration->security and define a new security group and give them whatever permissions you desire for them to have. It will have to be a custom security group, then just add them to it in Windows.

For #2, are you referring to the run-time user or the user creating it?

Probably best to open up a TAC case as well with your issues.

--Shaun Roberts shaurobe@cisco.com CIAC Adoption Pilot Engineering Lead
Cisco Employee

Access Restriction in CPO?

Thanks Chris for your reply. I am working out the options for #1 to define appropriate permissions for the users.

For #2, I am referring to the run-time user.

Regards,

Greg

Cisco Employee

Access Restriction in CPO?

Hi Shaun,

We faced a different issue with the access restriction in place. We created a TEO Definition Authors group for all the developers in our CPO Dev platform. Access for this group is restricted to only a few operations and objects. We granted "ALL" for very few objects.

With these restrictions, while sending an email, the users encountered a "Read" "Use" error with the Adapter. We added the Adapter and Adapter Settings objects in the ALL operations category. It seemed to work for a while and a week later they faced the same issue, even though the permissions are available to the groups.

All the AD group access and Roles are in place. At the end, I added the objects Adapter and Adapter Settings to an already existing Type with the operations as "Read" and "Use". This fixed the issue.

However, it didn't sound convincing as to why it didn't work with the same permission which was enabled as part of "ALL" operations.

Any thoughts?

Regards,

Greg

Cisco Employee

Access Restriction in CPO?

Something else must have changed to change up the way it was functioning.

You must have access to the adapter to use its activities.

Email adapter in this case if you are sending email.

--Shaun Roberts shaurobe@cisco.com CIAC Adoption Pilot Engineering Lead
Cisco Employee

Access Restriction in CPO?

The same thing happened again today. Even after the "Read" "Use" settings were added again for adapter and adapter settings, users faced the same problem.

This time, I de-selected the settings from both the TYPES and just added them back in the first category. It worked and the users could use the adapter. None of the workflows are changed, nor the settings. It's only that the servers are restarted once for maintenance activities.

Is this a bug in the platform, that we need to take up with the TAC team?

Appreciate your response.


Regards,
Greg

Cisco Employee

Access Restriction in CPO?

I'm not aware of a bug, but yes, open a TAC case and someone from support can work with you to verify if a bug exists and follow up with engineering.

-shaun

--Shaun Roberts shaurobe@cisco.com CIAC Adoption Pilot Engineering Lead