User Guide for the Cisco Secure Access Control System 5.0
Managing System Administrators

Table Of Contents

Managing System Administrators

Understanding Administrator Roles and Accounts

Understanding Authentication

Configuring System Administrators and Accounts

Understanding Roles

Permissions

Predefined Roles

Changing Roles

Administrator Accounts and Role Association

Creating, Duplicating, Editing, and Deleting Administrator Accounts

Viewing Predefined Roles

Viewing Role Properties

Configuring Password Policies

Changing the Administrator Password


Managing System Administrators


When you select System Administration > Administrators, you can:

Create, edit, duplicate, or delete accounts

View predefined roles

Associate roles to administrators

Configure password policies


Note The first time you log in to ACS 5.0, you are prompted for the predefined administrator username (ACSAdmin) and required to change the predefined password (default). After you change the password, you can start configuring the system. The predefined administrator has super administrator permissions—Create, Read, Update, Delete, and eXecute (CRUDX)—to all ACS resources. When you register a secondary instance to a primary instance, you can use any account created on the primary instance. The credentials that you create on the primary instance apply to the secondary instance.


This section contains the following topics:

Understanding Administrator Roles and Accounts

Configuring System Administrators and Accounts

Understanding Roles

Creating, Duplicating, Editing, and Deleting Administrator Accounts

Viewing Predefined Roles

Configuring Password Policies

Changing the Administrator Password

Understanding Administrator Roles and Accounts

The first time you log in to ACS 5.0, you are prompted for the predefined administrator username (ACSAdmin) and required to change the predefined password (default).

After you change the password, you can start configuring the system. The predefined administrator has super administrator permissions—Create, Read, Update, Delete, and eXecute (CRUDX)—to all ACS resources.

If you do not need granular access control, the Super Admin role is most convenient, and this is the role assigned to the predefined ACSAdmin account.

To create further granularity in your access control, follow these steps:

1. Define Administrators. See Configuring System Administrators and Accounts.

2. Associate roles to administrators. See Understanding Roles.

When these steps are completed, defined administrators can log in and start working in the system.

Understanding Authentication

An authentication request is the first operation for every management session. If authentication fails, the management session is terminated. If authentication passes, the management session continues until the administrator logs out or the session times out.

ACS 5.0 authenticates every login operation by using user credentials (username and password). Then, by using the administrator and role definitions, ACS fetches the appropriate permissions and answers subsequent authorization requests.

The ACS user interface displays only the functions and options for which you have the necessary administrator privileges.


Note Allow a few seconds before logging back in so that changes in the system have time to propagate.


Related Topics

Understanding Administrator Roles and Accounts

Configuring System Administrators and Accounts

Configuring System Administrators and Accounts

This section contains the following topics:

Understanding Roles

Administrator Accounts and Role Association

Creating, Duplicating, Editing, and Deleting Administrator Accounts

Viewing Role Properties

Understanding Roles

Roles consist of typical administrator tasks, each with an associated set of permissions. Each administrator can have more than one predefined role, and a role can apply to multiple administrators. As a result, you can configure multiple tasks for a single administrator and multiple administrators for a single task.

You use the Administrator Accounts page to assign roles. In general, a precise definition of roles is the recommended starting point. Refer to Creating, Duplicating, Editing, and Deleting Administrator Accounts for more information.


Note The ACS web interface displays only the functions for which you have privileges. For example, if your role is Network Device Admin, the System Administration drawer does not appear because you do not have permissions for the functions in that drawer.


Permissions

A permission is an access right that applies to a specific administrative task. Permissions consist of:

A Resource - The list of ACS components that an administrator can access, such as network resources, or policy elements.

Privileges - The privileges are Create, Read, Update, Delete, and eXecute (CRUDX). Some privileges cannot apply to a given resource. For example, the user resource cannot be executed.

A resource assigned to an administrator without any privileges gives that administrator no access to the resource. In addition, permissions are discrete: if the create, update, and delete privileges apply to a resource, the read privilege is not thereby granted.

If no permission is defined for an object, the administrator cannot access this object, not even for reading.


Note You cannot make permission changes.


Predefined Roles

Table 14-1 shows the predefined roles included in ACS:

Table 14-1 Predefined Role Descriptions  

Role
Privileges

Network Device Admin

This role is intended for ACS administrators who need to manage the ACS network device repository only, such as adding, updating, or deleting devices. This role has the following permissions:

Read and write permissions on network devices

Read permission on NDGs

Policy Admin

This role is intended for the ACS policy administrator responsible for creating and managing ACS access services and access policy rules, and the policy elements referenced by the policy rules. This role has the following permissions:

Read and write permissions on policy elements (authorization profile, NDGs, IDGs, conditions)

Read and write permissions on services policy

ReadOnlyAdmin

This role is intended for ACS administrators who need read-only access to all parts of the ACS user interface.

This role has read-only access to all resources.

ReportAdmin

This role is intended for administrators who need access to the ACS Monitoring & Report Viewer to generate and view reports or monitoring data only.

This role has read-only access on logs.

SecurityAdmin

This role is required in order to create, update, or delete ACS administrator accounts, to assign administrative roles, and to change the ACS password policy. This role has the following permissions:

Read and write permissions on administrators

Read permission on roles and permissions

Super Admin

The Super Admin role has complete access to every ACS administrative function. If you do not need granular access control, this role is most convenient, and this is the role assigned to the predefined ACSAdmin account.

This role has Create, Read, Update, Delete, and eXecute (CRUDX) permissions on all resources.

System Admin

This role is intended for administrators responsible for ACS system configuration and operations. This role has the following permissions:

Read and write permissions on all system administration activities except for account definition

Read and write permissions on ACS instances

User Admin

This role is intended for administrators who are responsible for adding, updating, or deleting entries in the internal ACS identity stores, which includes internal users and internal hosts. This role has the following permissions:

Read and write permissions on users and hosts

Read permission on IDGs



Note At first login, only the Super Admin is assigned to a specific administrator.


Related Topics

Administrator Accounts and Role Association

Creating, Duplicating, Editing, and Deleting Administrator Accounts

Changing Roles

By design, only the ACS Super Admin and SecurityAdmin roles can change all roles, due to the potential ramifications on the system's entire authorization status. Changes in roles take effect only after the affected administrators log out and log in again. At the new login, ACS reads and applies the role changes.


Note You must carefully control the granting of the role-change privileges because of the global ramifications of role changes.
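The permission model described in Permissions, the predefined roles in Table 14-1, and the rule in Changing Roles that role changes apply only at the next login are worked through in the following Python example. It is added here and is not Cisco code; the resource labels, the treatment of "read and write" as the C, R, U and D privileges, and the Session class are assumptions made for the example.

```python
"""Added example (not Cisco code): a model of ACS-style discrete CRUDX
permissions, the union of several roles assigned to one administrator,
and role changes that only take effect at the next login."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Mapping

# Privilege letters as used in the guide: Create, Read, Update, Delete, eXecute.
ALL_PRIVILEGES: FrozenSet[str] = frozenset("CRUDX")

# Resource labels are chosen for this example; they are not ACS's internal names.
ALL_RESOURCES = (
    "network_devices", "ndgs", "idgs", "policy_elements", "services_policy",
    "administrators", "roles", "users", "hosts", "acs_instances", "logs",
    "system_administration",
)

# Assumption: "read and write" in Table 14-1 is modelled here as C, R, U and D.
WRITE = "CRUD"


def perms(**grants: str) -> Dict[str, FrozenSet[str]]:
    """Build a resource -> privilege-set map from keyword arguments."""
    return {resource: frozenset(letters) for resource, letters in grants.items()}


# The predefined roles of Table 14-1, expressed in the model above.
PREDEFINED_ROLES: Dict[str, Dict[str, FrozenSet[str]]] = {
    "Network Device Admin": perms(network_devices=WRITE, ndgs="R"),
    "Policy Admin": perms(policy_elements=WRITE, ndgs=WRITE, idgs=WRITE,
                          services_policy=WRITE),
    "ReadOnlyAdmin": {r: frozenset("R") for r in ALL_RESOURCES},
    "ReportAdmin": perms(logs="R"),
    "SecurityAdmin": perms(administrators=WRITE, roles="R"),
    "Super Admin": {r: ALL_PRIVILEGES for r in ALL_RESOURCES},
    "System Admin": perms(system_administration=WRITE, acs_instances=WRITE),
    "User Admin": perms(users=WRITE, hosts=WRITE, idgs="R"),
}


def effective_permissions(
    role_names: Iterable[str],
    roles: Mapping[str, Mapping[str, FrozenSet[str]]] = PREDEFINED_ROLES,
) -> Dict[str, FrozenSet[str]]:
    """Union of the permissions of every role assigned to an administrator.
    A resource absent from the result means no access at all, not even read."""
    merged: Dict[str, FrozenSet[str]] = {}
    for name in role_names:
        for resource, privs in roles[name].items():
            merged[resource] = merged.get(resource, frozenset()) | privs
    return merged


def is_permitted(effective: Mapping[str, FrozenSet[str]],
                 resource: str, privilege: str) -> bool:
    """Discrete check: a privilege is granted only if it is listed explicitly.
    Holding C, U and D on a resource does not imply R."""
    if privilege not in ALL_PRIVILEGES:
        raise ValueError(f"unknown privilege {privilege!r}")
    return privilege in effective.get(resource, frozenset())


def visible_resources(effective: Mapping[str, FrozenSet[str]]) -> List[str]:
    """What the web interface would show: only resources with at least one privilege."""
    return [r for r in ALL_RESOURCES if effective.get(r)]


@dataclass
class Administrator:
    name: str
    roles: List[str]


class Session:
    """Management session (assumed model): roles are read at login and not
    re-read afterwards, so a role change applies only after logging out and
    in again, as the guide states."""

    def __init__(self, admin: Administrator):
        self.admin_name = admin.name
        self.effective = effective_permissions(admin.roles)

    def can(self, resource: str, privilege: str) -> bool:
        return is_permitted(self.effective, resource, privilege)


def demo() -> Dict[str, bool]:
    """Walk through a Network Device Admin who is later given User Admin too."""
    nda = Administrator("nd-admin", ["Network Device Admin"])
    session = Session(nda)
    results = {
        "nd_admin_updates_devices": session.can("network_devices", "U"),
        "nd_admin_updates_ndgs": session.can("ndgs", "U"),
        "nd_admin_sees_system_admin":
            "system_administration" in visible_resources(session.effective),
    }
    # Assign a second role: the live session is unchanged until a new login.
    nda.roles.append("User Admin")
    results["old_session_updates_users"] = session.can("users", "U")
    results["new_session_updates_users"] = Session(nda).can("users", "U")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Running the block prints the five checks from `demo()`; the two `*_updates_users` lines show why the guide tells you to log out and back in after a role change.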


Administrator Accounts and Role Association

Administrator account definitions consist of a name, status, description, email address, password, and role assignment.


Note It is recommended that you create a unique administrator for each person. In this way, operations are clearly recorded in the audit log.



Note Administrators are authenticated against the internal database only.


You can edit and delete existing accounts. However, the web interface displays an error message if you attempt to delete or disable the last super administrator.

Only administrators with the appropriate role can configure identities and certificates. The identities configured in the System Administration drawer are available in the Users and Identity Stores drawer, but they cannot be modified there.


Note It is recommended that you create identity attributes before configuring users.


Related Topics

Understanding Roles

Creating, Duplicating, Editing, and Deleting Administrator Accounts

Creating, Duplicating, Editing, and Deleting Administrator Accounts

To create, duplicate, edit, or delete an administrator account:


Step 1 Select System Administration > Administrators > Accounts.

The Administrators page appears with a list of configured administrators as described in Table 14-2:

Table 14-2 Accounts Page 

Option
Description

Status

The current status of this administrator:

Enabled—This administrator is active.

Disabled—This administrator is not active.

Note A disabled admin account cannot log in to ACS.

Name

The name of the administrator.

Role(s)

The role(s) assigned to the administrator.

Description

A description of this administrator.


Step 2 Perform one of these actions:

Click Create.

Check the check box next to the account that you want to duplicate and click Duplicate.

Click the account that you want to modify, or check the check box next to its name and click Edit.


Note On the Duplicate page you must change at least the Admin Name.


Check one or more check boxes next to the accounts that you want to delete and click Delete.

Step 3 Complete the Administrator Accounts Properties page fields as described in Table 14-3:

Table 14-3 Administrator Accounts Properties Page  

Option
Description
General

Admin Name

The configured name of this administrator. If you are duplicating an account, be sure to enter a unique name.

Status

From the Status pulldown menu, select whether the account is enabled or disabled.

Description

A description of this administrator.

Email Address

Administrator email address. ACS View will direct alerts to this email address.

Authentication Information

Password

Authentication password.

Confirm Password

Confirmation of the authentication password.

Role Assignment

Available Roles

A list of all configured roles.

Selected Roles

The roles that apply to this administrator.


Step 4 Click Submit.

The new account is saved. The Administrators page appears, with the new account that you created or duplicated.

Related Topics

Understanding Roles

Administrator Accounts and Role Association

Viewing Predefined Roles

Configuring Password Policies

Viewing Predefined Roles

See Table 14-1 for a description of the predefined roles included in ACS.

To view predefined roles:

Select System Administration > Administrators > Roles.

The Roles page appears with a list of predefined roles. Table 14-4 describes the Roles page fields.

Table 14-4 Roles Page 

Field
Description

Name

A list of all configured roles. See Predefined Roles for a list of predefined roles.

Description

The description of each role.



Viewing Role Properties

Use this page to view the properties of each role.

Select System Administration > Administrators > Roles, and click a role or check the role's check box and click View.

The Roles Properties page appears as described in Table 14-5:

Table 14-5 Roles Properties Page 

Field
Description

Name

The name of the role. Roles cannot be created or edited. See Table 14-4 for a list of predefined roles.

Description

The description of the role. See Predefined Roles for more information.

Permissions List

Resource

A list of available resources.

Privileges

The privileges that can be assigned to each resource. If a privilege does not apply, the privilege check box is dimmed (not available).

Note Row color does not indicate whether a given privilege is available; availability is shown only by the state of the check box in the Privileges column.



Related Topics

Understanding Roles

Administrator Accounts and Role Association

Configuring Password Policies

Configuring Password Policies

An administrator password policy protects any configuration updates made to the system. Any password policy changes you make apply to all ACS system administrator accounts and to all ACS internal identity store user accounts.

To configure a password policy:


Step 1 Select System Administration > Administrators > Password Policies.

The Password Policies page appears with the fields described in Table 14-6:

Table 14-6 Password Policies Page 

Option
Description
Password Complexity

Minimum length

The required minimum length. The minimum length is 4 characters.

Password may not contain the username

Check to specify that the password cannot contain the username or the reversed username.

Password may not contain 'cisco'

Check to specify that the password cannot contain the word cisco.

Password may not contain repeated characters four or more times consecutively

Check to specify that the password cannot repeat characters four or more times consecutively.

Password must contain at least one character of each of the selected types:

Lowercase alphabetic characters

Password must contain at least one lowercase alphabetic character.

Upper case alphabetic characters

Password must contain at least one uppercase alphabetic character.

Numeric characters

Password must contain at least one numeric character.

Non alphanumeric characters

Password must contain at least one nonalphanumeric character.


Step 2 In the Password Complexity section, check each check box that you want to use to configure your administrator password.

Step 3 Click Submit.

The password policy is saved with the defined criteria.
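The following Python example, added here and not part of the Cisco guide, applies the checks of Table 14-6 to a candidate password and lists every rule it violates, which is the check an administrator would expect ACS to perform on Submit. The field names, the default settings, and the case-insensitive matching of the username and of the word cisco are assumptions made for the example.

```python
"""Added example (not Cisco code): a validator for the password-policy
settings of Table 14-6, returning every violated rule for a password."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    # These settings mirror the Password Policies page; the defaults below are
    # an assumption for the example, not ACS's shipped defaults.
    minimum_length: int = 4          # the guide states the minimum length is 4
    forbid_username: bool = True     # "Password may not contain the username"
    forbid_cisco: bool = True        # "Password may not contain 'cisco'"
    forbid_four_repeats: bool = True # no character repeated 4+ times in a row
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_non_alnum: bool = True

    def __post_init__(self) -> None:
        if self.minimum_length < 4:
            raise ValueError("minimum length cannot be lower than 4")


def violations(policy: PasswordPolicy, password: str, username: str) -> List[str]:
    """Return a human-readable reason for every policy rule the password breaks."""
    problems: List[str] = []
    lowered = password.lower()  # assumption: username and 'cisco' match case-insensitively
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    if policy.forbid_username and username:
        user = username.lower()
        if user in lowered or user[::-1] in lowered:
            problems.append("contains the username or the reversed username")
    if policy.forbid_cisco and "cisco" in lowered:
        problems.append("contains the word 'cisco'")
    # (.)\1{3} matches any character followed by three more copies of itself.
    if policy.forbid_four_repeats and re.search(r"(.)\1{3}", password):
        problems.append("repeats a character four or more times consecutively")
    if policy.require_lower and not re.search(r"[a-z]", password):
        problems.append("no lowercase alphabetic character")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("no uppercase alphabetic character")
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if policy.require_non_alnum and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no non-alphanumeric character")
    return problems


def is_acceptable(policy: PasswordPolicy, password: str, username: str) -> bool:
    """True when the password satisfies every enabled rule of the policy."""
    return not violations(policy, password, username)


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    policy = PasswordPolicy(minimum_length=8)
    for candidate in ("Cisco1!", "Ecila#2024", "Aaaa1111!!!!", "Vq7#mn2Lp"):
        print(candidate, violations(policy, candidate, "alice") or "acceptable")
```

Because `violations` reports every failed rule rather than stopping at the first, the same function can drive both the Submit-time check and a helpful error message.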


Related Topics

Understanding Roles

Administrator Accounts and Role Association

Viewing Predefined Roles

Changing the Administrator Password

To change the administrator password:


Step 1 Select My Workspace > My Account.

The My Account page appears. See My Account Page, page 5-2 for valid values.

Step 2 In the Password field, enter the current administrator password.

Step 3 In the New Password field, enter a new administrator password.

Step 4 In the Confirm Password field, re-enter the new administrator password.

Step 5 Click Submit.

The administrator password is changed, subject to the criteria defined in the password policy.


Related Topics

Configuring Password Policies

Understanding Roles

Administrator Accounts and Role Association

Viewing Predefined Roles