Account roles - read only to configs

bberry · ‎03-06-2014

Hello,

We are a new user with Prime and have a couple questions. It seems to be quite a power yet complex tool so figure we have a ways to go.

I have the system up and running and am able to do a discovery and pull the configs so it seems basic operation is there. I still need to work on the change logging stuff but figure I need to get Tacacs up and running as part of that. My question here is that I will also be implementing ISE and it to uses Tacacs or at least AAA for its operation. Is there anything I need to be aware of f getting both to work at the same time on the same device?

Secondly - Are there any recommendations or suggestions on the additional roles for users I might want to create. I already have a question from our security group requesting read access to the configs. They would like to use this tool to make sure the network devices are hardened agains a security standard but do not waht to accidently change something that will affect the network.

Thirdly - I am looking into getting Prime to backup configs as changes are made instead of simply on a periodic basis. I figure I need to integrate syslog or at least some type of trap to key on when an archive is needed. Would that also affect any external syslogging currently in place? i.e. logging to syslog server for regular daily device operation?

I am sure We will have more questions as we go so thanks in advance for teh assistance. Any recommendations on further documentation of fully setting up the system or recommendations on what needs to be setup on the system are appreciated.

Brent

Vinod Arya · ‎03-06-2014

Ideally there is no issues in Prime and ISE working together with devices simultaenously. These softwares, devices OS and Tacacs/AAA are designed for multitasking usually.

The kind of access in the Configs collected and saved from devices depends upon the user priviledges. You can give Help desk priviledges to those whom you dont want to be able to make any changes to device configs using Cisco Prime Infrastructure.

For easy management, make groups with custom access and privledges.

For more details check :

http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-0/administrator/guide/PIAdminBook/maint_user_access.html#pgfId-1056190

In cisco prime LMS syslog messaged received by it was used to do auto-config backup. Cisco prime Infra doesn't have similar syslog management yet. You have to schedule configuration backup.

For more details check :

http://www.cisco.com/en/US/docs/net_mgmt/prime/infrastructure/2.0/administrator/guide/ManageData_ps12239_TSD_Products_Administration_Guide_Chapter.html#wp1063494

-Thanks
Vinod
**Rating Encourages contributors, and its really free. **

-Thanks Vinod **Rating Encourages contributors, and its really free. **

bberry · ‎03-10-2014

Vinod,

Is there anything anywhere that lists details for the task permssions? It looks like there are a lot of "options" under the catagories but nothing that really helps me know what each one allows. It looks like I have to modify a "user defined group and there is no way to create a new group unless I am just missing it.

Secondly any guides or samples anywhere on diffeent user groups such as a "helpdesk"? Looking mostly for examples of what others have created.

Brent

bberry · ‎01-28-2015

I just love it when a project priorities come and go. I am now back to working on the task lists above. Does anyone know where I might can find a configuration guide or documentation on creating user groups as in the secondary task above? The admin guide gives you steps for different pieces but I am looking for something to help me work through the process. They are now back to looking for a way to access the configurations in prime for various reasons but not be able to break anything on accident if they have full admin type rights. They also only want access to configurations and nothing else in prime if possible.

Brent