i had the same problem some time ago in my test environment.
Be sure you have setup the access to all devices in Ani-DB.
My goal was a setup for different users. And every user should see only a portion of the network also in Campus Manager. Especially in Topology View. I am not 100 percent sure but i did the following:
I setup Network device Groups (NDG) in ACS and if the user only has access to some devices this message appeared. So i had to give the users all devices back and it worked.
The reason is that the ANI-DB is not client capable.
In other words: You can not restrict the view of CM or the portion of the ANI-DB to access. You can only restrict the behaviour of the CM.
Here are some pieces of my mails with TAC:
From me to TAC
a) i want a special person give a restricted access and do not want this person to browse or gather information about my entire network
b) i want to give some persons special roles to fullfill their tasks. E.g. Some persons may access devices via ssh or telnet while others may be able to deploy IOS Version but should not be able to acces the devices on the CLI.
c) In worldwide deployed networks it should be possible to setup special views for special areas or network segments.
a) As we actual know the view cannot be restricted. But unfortunteley i can gather information from this view, even if the access to the device is restricted. to a restricted device it is still possible to view the device attributes. The Port attribute not. Hmmm.
b) This task may be possible. But on the other hand on a restricted device i can use the pulldown menu and open a telnet window to the device.
c) Is it possible to define different Maps within Topology View. I?ve been asked this from many costumers. These costumer thing about Maps like you know from HP OpenView Network Node Manager and Spectrum.
Answer from TAC
As such there are no tasks available to restrict the telnet access and from launching the device attributes in ACS.
This is how the design was done in ACS simply because there is no way that the user could affect the security.
Even if we provide a restriction out there, one can very well access the device from his desktop using the telnet if one knows the credentials. For these reasons these tasks were not added to the ACS server. So there is no way we can restrict any user from performing these tasks from Ciscoworks integrated with ACS.
For the 3 rd question we dont have anything called as a per user basis for the topology devices views. Hence all the users can/cannot view the entire network based on the permission that each one holds.
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...