It looks like I may have locked myself out.
ACS was set up, using a new login in ACS but not creating that account in LMS itself. Registration and all went fine with our ACS 3.3 server, but I noticed I now have non-admin rights when I log on under my own account, tacacs is working fine. I am set up in ACS as a System Administrator. What I can't get to are various admin changes, and device views in LMS and can't seem to make it use a local account that I know is an admin now that its in ACS mode. Other than numerous "you don't have permissions to view this or that" messages, the ACS status of "CiscoWorks System Identity User Configuation in ACS Not all privileges assigned" is displayed.
At this point, I appear to be locked out of admin mode as I can't even get to the AAA set up to change it back to local Ciscoworks mode to get into the admin features. Is there a work around or way to fall back?
It sounds like integration did not work properly. For integration to be successful, you will first have to create a user in ACS which is a member of a group that has all rights to LMS. You will need to create a Super Admin role manually in ACS for every application in order to perform this task. Full administrators of LMS should also be added to this ACS group so that they have access to all tasks.
As for backing out of integration, you can run the NMSROOT/bin/ResetLoginModule.pl script, and this will revert you to local mode.
Thanks. Here's more info and another question before I procede.
I figured out logging on as the ACS CW user actually gave me perms to view and change each of the shared components. In each, the System Administrator role already has carte blanche permissions in each LMS app. Then I looked at my account and had to add the LMS registered apps to my list so that I can admin them.
Since I made that change, do I need to restart either ACS or the Daemon Manager and will that give me the correct perms in LMS? I'm not sure why I'd need to make a super admin in each app if the System Administrator role already has every box checked for each app. Does that make sense?
The System Admin role does NOT have the necessary permissions to do everything in LMS. You MUST create a custom role for each application, and allow that role access to all tasks. You SHOULD NOT change any of the pre-defined roles.
Any group changes you make will require you to restart ACS. However, changes in LMS should be reflected by simply logging out and logging back in.
OK, thanks. Just so I'm crystal clear, I'll add a new role in ACS under Shared Profile Components-[LMS component] as "superadmin". Then check all pieces/parts within it. Do this for each LMS component.
Then go into Group Setup in ACS under the respective existing group with my account in it, and assign "superadmin" privileges under each LMS component within that list?
I guess there are some perms that aren't visible here since System Admin is looking identical to what I'll be setting up for SuperAdmin, at least in the GUI?
Your procedure is correct.
If you are seeing System Admin as having all boxes checked for all components, then someone has modified this role. For Common Services, System Admin should have all boxes checked. However, for apps like RME, Campus, and DFM, there should be unchecked boxes.
Thanks again. I reverted to CW local then back again and so far it appears to be jiving with what is set up in ACS.
One other question, when I run a permission report in Common Services and all the stock groups show up, should the newly created "superadmin" group also appear here now as well?
Also, the System Admin group now does not have everything checked in ACS.
The Permissions Report only references that static roles that are locally configured in CiscoWorks. Any additional custom roles you create in ACS will not be reflected. You will have to refer back to ACS to figure out what those roles can do.
I saw that is clearly stated at the top of the report afterwards. Thanks.
After re-registering into ACS mode, I find that my account does have more perms but I still appear to only have System Admin level rights and not the SuperAdmin I created. I've restarted both ACS and Daemon Manager since and CS home page still shows that ACS message of "Not all priveleges assigned". Is there something with the System Identity in LMS that could be causing this problem? I am seeing an "Author Failed" message in ACS in the Failed Logons list for the System Identity account.
Yes, System Identity authentication and authorization is critical. Make sure the system identity user is in the correct ACS group, and make sure the password is correct under Common Services > Server > Security > System Identity Setup.
Also, if you are using network device groups on ACS, the SIU must have access to ALL devices AND access to the CiscoWorks server itself. If the device group and the LMS server group are separate NDGs, the SIU must have access to BOTH.