Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

LMS RME Jobs & ACS - Rights Escalation

Hi,

We have integrated LMS 3.01 with Cisco Secure ACS 4.1.

We want to stop users deleting jobs so that we can maintain job history (see post in AAA forum as to why).

Within ACS Shared Profile Components with have removed:

Inventory - Delete Job

CDA - Delete Job

Config Editor - Delete Job

Software Management Jobs - Delete

This works fine (delete button greyed out) if the user browses to the specific Job Management screen, e.g.

RME > Config Management > Config Editor > Config Editor Jobs

However if we allow the user the "RME Jobs" right within ACS they can still delete jobs from:

RME > Job Management

Is this a bug? Why should you be allowed to delete jobs from RME Job management if you don't have the permissions to delete jobs within the individual components?

Thanks

Michael

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: LMS RME Jobs & ACS - Rights Escalation

RME Jobs is a separate task designed for uber administrators. When it is authorized, it doesn't check the underlying job type delete task. It just assumes that if you have access to this interface, you are a full administrator. Do not grant access to this interface to those that should not be deleting jobs.

2 REPLIES
Cisco Employee

Re: LMS RME Jobs & ACS - Rights Escalation

RME Jobs is a separate task designed for uber administrators. When it is authorized, it doesn't check the underlying job type delete task. It just assumes that if you have access to this interface, you are a full administrator. Do not grant access to this interface to those that should not be deleting jobs.

New Member

Re: LMS RME Jobs & ACS - Rights Escalation

Thanks - will do.

139
Views
0
Helpful
2
Replies
CreatePlease to create content