Cisco Support Community

Blue

LMS access control with/without ACS integration

Would it be possible to take away a user's ability to modify/delete device configs in LMS/RME? What roles should be removed from the user's profile? I suppose it'd require taking away everything except Help Desk + Guest.

How will this profile change impact the user's ability to generate reports or schedule NetShow commands?

Are there any benefits (more granular access control, perhaps) by integrating with ACS? Can the ACS integration be used solely for LMS user access control, without having to keep ACS sync'ed with LMS DCR as well?

9 REPLIES
Cisco Employee

Re: LMS access control with/without ACS integration

You can use the Permissions Report at Common Services > Server > Reports to see what a user given only Help Desk access will be able to do. You might be able to grant Network Operator access depending on how much config visibility you want the user to have.

The benefit of ACS integration is definitely that you get to control LMS roles down to the task level. Additionally, you can control which users can perform which tasks on specific devices. Just because you integrated LMS with ACS does not mean the devices themselves have to use ACS for authentication/authorization. However, all of the devices managed by LMS MUST be clients of the same ACS server. This is the only way LMS will know it is authorized to manage the devices.

Blue

Re: LMS access control with/without ACS integration

Network Operator can: ConfigDataExport and ConfigEditor Edit Config. Can the changes made here be saved back by Network Operator?

It's exactly what I'm afraid of, that whatever devices ACS doesn't have LMS can't manage. That'd place the updatedness of LMS inventory at the mercy of ACS.

Blue

Re: LMS access control with/without ACS integration

Also, if LMS has to depend on the ACS it integrates with, can LMS import ACS's device list automatically?

Cisco Employee

Re: LMS access control with/without ACS integration

Yes, LMS can import the device list from ACS. This is one of the external NMS options available for a DCR bulk import.

Blue

Re: LMS access control with/without ACS integration

Can this import be automated/scheduled on the DCR side, or (export) automatically from the ACS end?

Cisco Employee

Re: LMS access control with/without ACS integration

Yes, it can be scheduled on the LMS side.

Cisco Employee

Re: LMS access control with/without ACS integration

No, Network Operator cannot create Config Editor deployment jobs.

Yes, your concern is valid. If a device is not a client of the ACS server, then LMS will not be able to manage it.

Blue

Re: LMS access control with/without ACS integration

Actually, the desire is to take away the ability to modify/delete device configs stored on CiscoWorks itself (vis-a-vis eventually deploying to the actual devices). So it's not desirable that the Network Operator can edit-then-save device config on LMS, regardless of the inability to deploy the change. That's what I'm not clear on.

Cisco Employee

Re: LMS access control with/without ACS integration

Then you'd have to drop back to Help Desk, or use ACS.
