Thanks. Here's more info and another question before I procede.

I figured out logging on as the ACS CW user actually gave me perms to view and change each of the shared components. In each, the System Administrator role already has carte blanche permissions in each LMS app. Then I looked at my account and had to add the LMS registered apps to my list so that I can admin them.

Since I made that change, do I need to restart either ACS or the Daemon Manager and will that give me the correct perms in LMS? I'm not sure why I'd need to make a super admin in each app if the System Administrator role already has every box checked for each app. Does that make sense?

The System Admin role does NOT have the necessary permissions to do everything in LMS. You MUST create a custom role for each application, and allow that role access to all tasks. You SHOULD NOT change any of the pre-defined roles.

Any group changes you make will require you to restart ACS. However, changes in LMS should be reflected by simply logging out and logging back in.

OK, thanks. Just so I'm crystal clear, I'll add a new role in ACS under Shared Profile Components-[LMS component] as "superadmin". Then check all pieces/parts within it. Do this for each LMS component.

Then go into Group Setup in ACS under the respective existing group with my account in it, and assign "superadmin" privileges under each LMS component within that list?

I guess there are some perms that aren't visible here since System Admin is looking identical to what I'll be setting up for SuperAdmin, at least in the GUI?

Your procedure is correct.

If you are seeing System Admin as having all boxes checked for all components, then someone has modified this role. For Common Services, System Admin should have all boxes checked. However, for apps like RME, Campus, and DFM, there should be unchecked boxes.

Thanks again. I reverted to CW local then back again and so far it appears to be jiving with what is set up in ACS.

One other question, when I run a permission report in Common Services and all the stock groups show up, should the newly created "superadmin" group also appear here now as well?

Also, the System Admin group now does not have everything checked in ACS.

The Permissions Report only references that static roles that are locally configured in CiscoWorks. Any additional custom roles you create in ACS will not be reflected. You will have to refer back to ACS to figure out what those roles can do.

I saw that is clearly stated at the top of the report afterwards. Thanks.

After re-registering into ACS mode, I find that my account does have more perms but I still appear to only have System Admin level rights and not the SuperAdmin I created. I've restarted both ACS and Daemon Manager since and CS home page still shows that ACS message of "Not all priveleges assigned". Is there something with the System Identity in LMS that could be causing this problem? I am seeing an "Author Failed" message in ACS in the Failed Logons list for the System Identity account.

Yes, System Identity authentication and authorization is critical. Make sure the system identity user is in the correct ACS group, and make sure the password is correct under Common Services > Server > Security > System Identity Setup.

Also, if you are using network device groups on ACS, the SIU must have access to ALL devices AND access to the CiscoWorks server itself. If the device group and the LMS server group are separate NDGs, the SIU must have access to BOTH.

That did the trick. It looks like everything is fully integrated at this point. Thanks for all your help.