
CiscoWorks LMS 2.51 - user defined groups

Does Works support user-defined groups on which I am able to define a view for certain users? I have some locations and every location has its own network admin; every network admin should only see his devices but not the whole network.

regards, guenter


nhabib
Level 9

If you integrate it with ACS, then yes. The authorization would be done on the ACS.

Really? Let’s make this explicit.

So then the local admin will

only see his devices?

or

only be authorized to connect to his devices?

Is this for all applications in LMS? How does this work? Will it somehow get the groups from the ACS?

I will have to do this one of these days, but I have serious doubts about some differences between what the customer thinks he will get, and what he actually will get.

Problem is they will blame it on me.

Michel

When you integrate CiscoWorks LMS 2.5 with CiscoSecure ACS (4.0 preferably) it works this way...

User account name in LMS matches a user account name in ACS. User's password in ACS is used to authenticate user in LMS.

User's ACS profile defines what ACS User Group they are in.

ACS User Group can define which Network device groups (NDGs) the user/user-group has access to. So if the user (on LMS) tries to access devices that aren't permitted to his ACS user group (no NDG access), then he won't see the devices.

Another method for control is the use of ACS Shared Profile Components whereby you can develop custom user roles for CW-LMS that go beyond the 5 standard LMS roles. For each application in LMS you'll see that ACS Shared Profile Components would allow you to assign permissions (or remove them, as desired). This custom role is associated to a user group, etc, etc.

Thank you Jason,

I can see how ACS will allow/disallow access to devices; what I don't see is how this will appear in CiscoWorks.

Will it mean he will see everything and just get a popup on everything he’s not allowed to do or see, or will he simply see everything he's allowed to see?

I hope the difference is clear.

The latter would appear to the user as a “normal” CiscoWorks with just his devices in.

Regards,

Michel

For devices the user doesn't have access to, the Common Services Device Credential Repository (DCR) device picker won't show those devices.

For devices they do have access to (from an ACS perspective), they will see them in the device picker.

Conversely, if you extend the model to using custom user roles between LMS and ACS, if the ACS system has a shared profile component setting for RME that says "no access to NetConfig" then the user won't see NetConfig in the CiscoWorks LMS launch framework.
