LMS / ACS NetConfig/NetShow Rights assignment

Mike Bailey
Level 1

Sorry for yet another question.

As I've discussed before, we are implementing LMS 3.01 integrated with ACS 4.1.4 in a secure environment with strict security rules.

We've hit another security-related issue.

Within ACS we've set up custom roles for LMS functions to provide a secure role-based separation model (e.g. each role has rights to perform their role and nothing more).

NetConfig and NetShow have the ability to assign tasks to others, which breaks this model.

e.g. someone with access to NetConfig can assign a task to someone who shouldn't be allowed to make changes on the network!

Hence within ACS we removed the rights:

RME, Config Management, NetConfig, NetConfig Assign Tasks

RME, Tools, Network Show Commands, Assign Netshow command Sets to Users

Disabling these seems to render both NetConfig and NetShow useless (no command sets to choose from, hence no ability to use the tool).

How do we deal with this? Are we doing something wrong?

Surely we don't have to give people the ability to assign rights to other people who shouldn't be allowed them to make the tools work?

Thanks

Michael

1 Accepted Solution

Sorry, this has to be done in LMS as these Netconfig templates are only known to LMS.

Joe Clarke
Cisco Employee

The ability to assign tasks to users is typically reserved for administrators. It is not required to be able to use the application. If you have assigned your users the tasks Netconfig Jobs, Netconfig Create Jobs, and Netconfig User Defined Tasks, those users should be able to see tasks and create jobs in Netconfig. Please post a screenshot showing what roles you've assigned, and what you're seeing (or not seeing) in RME.

Apologies, have been on vacation.

Document attached with screenshots showing the roles within ACS and issues within LMS.

Okay, I understand now. What you need to do as an administrator is assign the tasks each user will need under RME > Config Mgmt > Netconfig > Assigning Tasks. Once you do that, they will be able to see their assigned tasks without needing the Assign Tasks privilege.

Ahh that makes more sense.

Is there any way of doing this in ACS?

Currently all permissions are assigned to user groups in ACS (potentially 100+ users), so would rather not have to manually assign rights within LMS for each user as staff turnover in NMC/Service Desk teams is high!

Sorry, this has to be done in LMS as these Netconfig templates are only known to LMS.

Shame - maybe a suggestion to product development to integrate these things to ACS as per command authorisation sets - would make large enterprise management much easier!
