Cisco Unified Intelligence Center Report Customization Guide, Release 10.5(1)
Security

Administrator Overview

Access to the functions in the Unified Intelligence Center reporting application is controlled by one or more users who have the Security Administrator user role.

The initial, default Security Administrator is the user defined as the System Application User during the installation.

Security Administrators can:

  • Create and maintain users.
  • Assign User Roles—User roles are assigned to users to control access to drawers and what objects the user can create.
  • Assign users to User Groups.
  • Create and maintain user groups.
  • Assign Permissions—Whereas User Roles are associated with people, permissions are associated with objects (Dashboards, Reports, Report Definitions, Data Sources, Value Lists, and Collections).
  • Use the Run As feature to verify other users' permissions.

Security Overview

Unified Intelligence Center security offers multi-layered and flexible functionality that allows a security administrator to create a flat or a tiered structure of access to Unified Intelligence Center functions, based on the organization's needs.

A user's access to Unified Intelligence Center functions is based on:

  • Login authentication.
  • License type under which the user's organization runs Unified Intelligence Center. For example, organizations that use a Standard license cannot access the Report Definition functions.
  • User Role (a user can have one, some, or all seven User Roles).
  • User Groups of which the user is a member.
  • For an object the user can access, the object-level permissions assigned by the person who created that object.

User List

The User List page opens from the Security drawer. A user who does not have the Security Administrator user role can see all the parameters on this page except the user roles, and cannot change their own role or group membership.

When Security Administrators access this page, they can see all existing users, create, modify, or delete users, review or edit user information, and use the Run As feature to work in Cisco Unified Intelligence Center as a user.

Table 1 Fields on User List page

Field | Explanation
Only show currently active users | Check the check box to display users who are currently active.
Name Contains | Use this filter field to narrow the list of names or to move to a specific name.
User Name | The domain and user name (domain\name).
First Name | The user's first name.
Last Name | The user's last name.

You can perform the following actions on the User List page:

  • Create—Opens the User Information page.
  • Edit—Select a user name and click Edit to edit the User Information page.
  • Delete—Select a user and click Delete to delete the user.
  • Run As—Select a user and click Run As to refresh the Cisco Unified Intelligence Center reporting interface so that it reflects the interface that user has when logged in.
  • Refresh—Refreshes the page to show the latest changes to the User List.
  • Page—Click the arrow to move to the next page of the User List.
  • Help—Opens online help.
  • X—Closes the page.

Create a User

To create a user, perform the following procedure:

Procedure
    Step 1   Navigate to Security > User List.
    Step 2   Under the General Information tab, perform the following:
    1. In the User Name field, enter the domain and user name (domain\name).
    2. In the Alias field, enter the alias name for this user.
    3. Check the User is active check box to enable the user to log in and remain active.
      Note   

      If the check box is unchecked, the user cannot log in.

    4. In the First Name field, enter the first name of the user.
    5. In the Last Name field, enter the last name.
    6. In the Organization field, enter the company name or other descriptive text to be associated with the user, such as region or Line of Business.
    7. In the Email field, enter the email address of the user.
    8. In the Phone field, enter a phone number for the user. This can be the user's personal phone number or an emergency contact.
    9. In the Description field, enter the description of the user.
    10. In the Time Zone field, choose the time zone that you want to use in the report from the drop-down list.

      This time zone is also used for the user's scheduled reports and takes precedence over the time zone used by the report server.

      Note   

      If this field is left blank, the system uses the time zone of the report server.

    11. For Start Day of the Week, perform the following:
      • Select Locale Based to select starting day of the week based on locale.
      • Select Custom Settings to choose one of the seven days of the week from the drop-down list.
      Note   

      Start Day Of The Week is used in Scheduled Report, Report Views, and Permalink.

    12. In the Roles field, select and assign one or more roles for this user.

      If the Security Administrator adds or changes User Roles, the change does not take effect until the user logs out and then logs in again.

    13. In the Permissions field, choose the user's permission setting preference for My Group when creating new objects. My Group is the object owner's default group.
      Note   

      The My Group setting configures whether other users who belong to this user's default group can write or execute the objects. Higher-level permissions persist and override other permissions.

    Step 3   Under the Groups tab, you can determine which groups this user is a member of and how to add group membership(s) for a user. You can view the following:
    • My Group: This field shows the user's default group. The Security Administrator can change it. The group is represented as “My Group” for the user.
    • Available Groups: This list shows all the groups that have been created and that the user is not yet a member of. You can use arrows to move groups between columns.
    • Selected Groups: This column shows all the groups that the user is a member of. You can use arrows to move groups between columns.
      Note   

      By default, every user has AllUsers in their Selected Groups column. You cannot remove the AllUsers group from the Selected Groups column.


    User Groups

    User Groups page opens from the Security drawer. Use it to see the existing groups, to create or delete groups, and to review or edit group information.

    The following are the two default groups created by the system:

    • The AllUsers group is supplied by Unified Intelligence Center. All users belong to this group by default.
    • The Administrators group consists of administrators.
    Table 2 Fields on the User Groups Page

    Field | Explanation
    Name Contains | Use this filter field to narrow down the list of group names or to move to a specific name.
    Name | Name of the group.
    Full Name | The full name shows the child relationship of a group, as indicated by a dot separator. For example, if the default group for Group3 is Group1, and Group1 is a top level group (does not have a parent), then the Full Name of Group1 is Group1. The Full Name of Group3 is Group1.Group3.
    Description | Description text of the group.

    You can perform the following actions on the User Groups page:

    • Create—Opens the Group Information page.
    • Edit—Select the group name and click Edit to open the Group Information page.
    • Delete—Select the group name and click Delete.
    • Refresh—Refreshes the page to show any changes to the Group List.
    • Help—Opens online help.
    • X—Closes the page.

    About User Groups

    User Groups are constructs that allow security administrators to partition Unified Intelligence Center functionality.

    Creating User Groups expedites the process of provisioning users when multiple users need the same access to dashboards and reports, or when users require distinct permissions and features based on regional or organizational requirements.

    User groups have no impact on how data is stored in the database. They are used only for assigning permissions to all the user members of the group through one operation instead of repeating the same operation for each user.

    System-Defined All Users Group

    All users are automatically a member of the system-defined All Users group.

    All Users always appears on the Manage User Groups window. The security administrator cannot delete it.

    System-Defined Administrator User Group

    The security administrator is automatically a member of the system-defined Administrators group and can add other security administrators to it.

    Additional Security Administrators must be added to the Administrators group. Having the role does not automatically make them members of that group.

    Customer-Defined User Groups

    Security administrators can create any number of user groups and can add users to them. From those other user groups, one is designated as the user's Group (also called My Group).

    Default Group

    After creating the customer-defined groups, the security administrator can add a user to any of these groups and can configure one of them as the user's default Group (My Group). The All Users group can also be selected as the default group.

    The owner of an object can set permission for its Group, and the All Users group. Only the Security Administrator can set extra permissions to other groups or individual users on the User Permissions page. A user's access permission to an object is the highest level of the permission that user gets from all the permission sources.

    Create a User Group

    To create a user group, perform the following:

    Procedure
      Step 1   Navigate to Security > User Groups.
      Step 2   Under the General Information tab, perform the following:
      1. In the Group Name field, enter the name of the group. This field is available only when you create a new group.
      2. In the Description field, enter or modify text to describe this group.
      Step 3   Under the Groups tab, perform the following:
      1. Default Group—From the drop-down list, enter the default group.
      2. Available Groups—Lists the groups that were created and that are available for this group to become a child of. Click > or < to move just that group or groups.
      3. Selected Groups—Lists the groups that this group is a child of. Click > or < to move just that group or groups.
      Step 4   Under the Groups Members tab, perform the following:
      1. Under Users tab:
        • Available Users—Lists all the users that were created and that are available to be children of this group. Click > or < to move just that group or groups.
        • Selected User Members—Lists the users that are currently children of this group. Click > or < to move just that group or groups.
      2. Under Groups tab:
        • Available Groups—Lists all the groups that were created and that are available to be children of this group. Click > or < to move just that group or groups.
        • Selected Groups Members—Lists the groups that are currently children of this group. Click > or < to move just that group or groups.
      Step 5   Click Save to update new entry or changes to the fields.
      Step 6   Click Cancel to cancel or close the page.

      About Permissions

      User Roles are associated with people and permissions are associated with objects. Unified Intelligence Center objects are Dashboards, Reports, Report Definitions, Data Sources, Categories, Value Lists, and Collections.

      Permissions:

      • EXECUTE: When the user has EXECUTE permissions for an object, that user can perform some actions that depend on the object. For example, with EXECUTE permission, a user can run, print, and refresh a report, open and refresh a dashboard and run a dashboard slide show, and see a Value List query. EXECUTE permission includes the read permission.

        Note


        Permissions set on categories are not recursive. For all entities under Dashboard, Report, or Report Definition types, you need separate EXECUTE/WRITE permissions.
      • WRITE: When the user has WRITE permission for an object, that user can alter, rename, or delete the object. For example, with WRITE permission, you can Save As, import, and export reports; you can edit a data source and can delete a custom Value List. WRITE permission also includes EXECUTE and read permission.

        Note


        If no check boxes are selected when setting permission for an object, the user has no access privileges to the object.
        The following rules are applicable for all category trees in Unified Intelligence Center — Reports, Report Definitions, Dashboards.
      • To delete an entity, you need WRITE permissions for the entity and the entity's parent category.
      • To delete a category, you need WRITE permissions for the category, the category's parent, and all the categories and/or entities belonging to the category.
      • A user can only Edit or Save an entity even if the immediate parent category has no WRITE permissions.
      • A user can only use the Save As feature if the entity has no WRITE permissions enabled.
      • Any category owner within the Imported Report Definitions can delete a category if the administrator provides explicit WRITE permissions on the Imported Report Definitions category.

      Permissions are combined and the highest level prevails.

      A user receives permission for an object from different sources. Permission can be inherited from the AllUsers group, the Default Group (My Group), or the permission assigned by the Security Administrator. Among all these permissions, the highest level permission is used when the user accesses the object.
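The rules above (highest level prevails, WRITE includes EXECUTE, category permissions are not recursive, the owner always has WRITE, and the two delete rules) can be modelled in a few lines to predict what Run As should show. This is an added example, not Cisco code: the `Perm`, `Node`, `effective`, `can_delete` and `demo` names, the direct-membership-only group lookup, and the sample users and objects are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Perm(IntEnum):
    NONE = 0      # no check box selected: no access
    EXECUTE = 1   # includes read
    WRITE = 2     # includes EXECUTE and read


@dataclass(eq=False, repr=False)
class Node:
    """A category or an entity (report, dashboard, ...) in a category tree."""
    name: str
    owner: str
    parent: Optional["Node"] = None
    is_category: bool = False
    group_perms: dict = field(default_factory=dict)  # group name -> Perm
    user_perms: dict = field(default_factory=dict)   # user name -> Perm
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)


def effective(node, user, groups):
    """Highest permission from all sources. Nothing is inherited from the
    parent category, because category permissions are not recursive."""
    if user == node.owner:
        return Perm.WRITE  # the owner always has WRITE
    sources = [node.user_perms.get(user, Perm.NONE)]
    for group in set(groups) | {"AllUsers"}:  # every user is in AllUsers
        sources.append(node.group_perms.get(group, Perm.NONE))
    return max(sources)


def can_delete(node, user, groups):
    """Entity: WRITE on it and its parent category. Category: WRITE on it,
    its parent, and every category and entity below it."""
    def writable(n):
        return effective(n, user, groups) == Perm.WRITE

    if not writable(node):
        return False
    # Assumption: a top-level category has no parent to check.
    if node.parent is not None and not writable(node.parent):
        return False
    pending = list(node.children) if node.is_category else []
    while pending:
        child = pending.pop()
        if not writable(child):
            return False
        pending.extend(child.children)
    return True


def demo():
    # Constructed sample: alice owns everything, bob is in the Sales group.
    cat = Node("Sales Reports", "alice", is_category=True,
               group_perms={"Sales": Perm.WRITE})
    q1 = Node("Q1", "alice", parent=cat, group_perms={"AllUsers": Perm.EXECUTE})
    q2 = Node("Q2", "alice", parent=cat)  # all boxes unchecked: private
    bob = ("bob", ["Sales"])
    out = {"q1_before": effective(q1, *bob),  # category WRITE does not flow down
           "q2": effective(q2, *bob),
           "delete_q1_before": can_delete(q1, *bob)}
    q1.user_perms["bob"] = Perm.WRITE  # extra grant by the Security Administrator
    out["q1_after"] = effective(q1, *bob)
    out["delete_q1_after"] = can_delete(q1, *bob)
    out["delete_category"] = can_delete(cat, *bob)  # blocked by private Q2
    return out
```

Calling `demo()` shows that WRITE on a category alone neither exposes a private report inside it nor allows the category to be deleted while any child is not writable.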

      User Roles and Permissions

      Your User Role allows you to "open" the drawer that corresponds to that role. If you have EXECUTE permission, you can create objects for that drawer. For example, if you are a Dashboard Designer, you can create dashboards on the Available Dashboards page.

      When you create an object, you are the owner of that object. You have WRITE permission for the object, and you can set the permissions for that object for All Users and for users in your Group.

      If the object is still a work-in-progress and you do not want anyone to access it yet, you can make it "private" by leaving all permissions unchecked for both the All Users and the Groups.

      When the object is ready, set your default Group (My Group) permissions to EXECUTE or even WRITE. For example, if you create a Dashboard for your Group and the dashboard has notes, you might want others in your Group to update the notes.

      Even though you are a Dashboard Designer, if the Available Dashboards page contains dashboards created by (owned by) other Dashboard Designers, you may not be able to see those dashboards, based on your Group permissions and on the object-level permissions those owners have set for their dashboards.

      Manage User Permissions

      Use this page to set extra permissions to Groups or to individual users.

      The User Permissions page has the following tabs:

      Assigned Group Permissions

      Procedure
        Step 1   Select the object type in the Permissions For panel. For Dashboard, Report or Report Definition type, you can select a category or an object within a category. For other object types, select an object from the list. All the groups that have already been assigned permissions for the object are displayed in the Group permissions for the selected item panel.
        Step 2   Select a group in the All Groups panel. All user members of this group are displayed in the All Users for the selected group panel.
        Step 3   Click Set Permissions. Check the level you want for the group (Execute, Write), and click OK.
        Step 4   The Group Permissions for the selected item panel updates to include the group and its assigned permission you defined in Step 3.


        Note


        If the Security Administrator adds or changes User Permissions, the change may not occur immediately.
        Table 3 Fields on the Group Members Tab

        Field | Description
        Permissions For panel (top left) | Click the drop-down list to select the objects for which you want to set permissions. Options are: Data Sources, Report Definitions, Reports, Dashboards, Value Lists, and Collections. Selecting an object type refreshes the panel to show the list of items or categories for that object.
        All Groups panel (top right) | This panel shows the available User Groups. Highlighting a user group refreshes the page to display an All Users for Selected Group panel that lists the members of the group.
        All Users for the Selected Group panel (bottom right) | This panel shows all members in the group that is highlighted in the All Groups panel above.
        Set Permissions button | Click this option to open a dialog box where you select the permission level for the selected object in the Permissions For panel and the selected group in the All Groups panel.
        Group Permissions for the selected item | This panel shows the groups that have already been assigned permission for the selected object, and their permission level.

        Assigned User Permissions

        Procedure
          Step 1   Select the object type in the Permissions For panel. For Dashboard, Report, or Report Definition type, you can select a category or an object within a category. For other object types, select an object from the list. All the users that have already been assigned permission for the object are displayed in the User permissions for the selected item panel.
          Step 2   Select a user name in the User List panel.
          Step 3   Click Show Groups to see the groups for which this user is a member.
          Step 4   Click Set Permissions, check the level you want for this user (Execute, Write), and click OK.

          The All Permissions for the selected item panel refreshes to show the user permissions you have added or changed for this user in steps 3 and 4.

          Field | Description
          Permissions For panel (top left) | Click the drop-down arrow to select the kinds of object for which you want to set permissions. Options are Data Sources, Report Definitions, Reports, Dashboards, Value Lists, Collections, and System Collections. Selecting an object type refreshes the panel to show the list of items or categories for that object.
          User List panel (top right) | This panel shows current users. Filter the list and select one or many user names.
          Show Groups button | Click this option to show the All Groups for the selected user panel.
          All Groups for the selected User (bottom right) | This panel shows all groups of which the highlighted username in the User List panel above is a member.
          Set Permissions button | Click this option to open a dialog box where you select the permission level for the object (Execute, Write).
          All Permissions for the selected item | This panel shows users who have permission for the object, and the level of permissions they have.

          Note    You cannot change the permission for the owner of an object. The owner always has Write permission for the object. For example, if a user is the owner of Report 1, then that user has WRITE permission for Report 1, and no one else can change the permission to EXECUTE.

          Run As

          Security Administrators can select a name on the User List page and click Run As. This refreshes the Unified Intelligence Center web page so that it reflects the interface that user has when logged in.

          Use this tool to verify that the User Roles and permissions are configured properly.


          Note


          • When you Run As another user, the top of the page shows both your Logged In identity and your Run As identity.
          • You cannot Run As yourself.
          • You can Run As one level of user. A Security Admin cannot Run As User A and, as User A, then Run As User B.

          To leave Run As mode, click Stop Run As at the top of the page.

          Audit Trail Logging in Cisco Unified Intelligence Center

          Unified Intelligence Center now supports Audit Trail Logging. This feature allows you to view the sequence of audit records of the transactions related to create, update, modify, and delete that are performed on the entities of a Unified Intelligence Center server. You can view the audit trails using the Audit Trail stock report. Only System Administrators can access and view this feature by default. However, a System Administrator can then give permissions to other Unified Intelligence Center users to use this feature.

          Note


          Localization of Audit Trail report is not supported.


          View Audit Trail Logging in Unified Intelligence Center

          Procedure
            Step 1   Log in to the Unified Intelligence Center Reporting Interface.
            Step 2   Navigate to Reports > Stock > Intelligence Center Admin and click Audit Trail. The system opens the Audit Trail Report Filter window.
            Step 3   Specify the required filter criteria and click Run. The system displays the Audit Trail report based on the filter criteria that you specified.

            Audit Trail Report

            Views: This report has three grid views: Non-grouped, Groupby – EntityName, and Groupby – Username.

            Grouping: This report has two grouped views, grouped and sorted by User and by Entity Name. The third view is ungrouped and is the default view for this report.

            Value List: CUIC Users, CUIC Operations, CUIC Entity Types.

            Database Schema Tables from which data is retrieved:
            • CUICAUDITLOG
            • CUICLOGEDENTITY

            Security Considerations

            If you make the user a member of one or more other groups, make one of those groups the user's default group, and set the permissions for the default group higher than those of the AllUsers group.

            Higher permissions for the default group prevail over permissions in the AllUsers group. Individual user permissions prevail over group permissions.

            XSS Vulnerability

            Cross-site scripting (XSS) vulnerability is addressed in Unified Intelligence Center. If a malicious script, pattern, or input is entered into the Unified Intelligence Center server, the server displays the warning message "Malicious Input data detected".

            A user accessing Unified Intelligence Center should ensure that free format texts do not contain the following special characters:
            • parentheses pair (( ))
            • angle bracket (>)
            • forward slash (/)
            • question mark (?)
            • Any executable scripts (for example, JavaScript)

            Also, the text should not start with a quote (") or quotation mark (').


            Note


            • XSS vulnerability is addressed only for English locale in Unified Intelligence Center.
            • In release 10.5(1), XSS vulnerability is not addressed for widgets in Dashboards.
            • XSS vulnerability is not addressed during the import of reports and report definitions (XML/zip), and also during the upload of help files (Html/zip) for release 10.5(1).
            • Existing customers who have already used these special characters in any entities under Reports, Report Definitions, Dashboards, Data Sources, Value Lists, or Collections can still view those existing entities. However, when customizing these entities, they must ensure that the characters listed above are not used in free-format text.
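Because existing entities that contain these characters stay viewable but must be cleaned before they are customized, it helps to find them ahead of time. The following added example (not Cisco code, and not the server's own filter) audits free-format fields against the character rules listed above. The entity records are constructed samples, flagging a single parenthesis rather than only a pair is a conservative assumption, and the `SCRIPT_HINT` pattern is an assumed heuristic because the page does not document how the server recognizes scripts.

```python
import re

# Characters the page says free-format text must not contain.
FORBIDDEN = {"(": "parenthesis", ")": "parenthesis", ">": "angle bracket",
             "/": "forward slash", "?": "question mark"}
LEADING_QUOTES = ('"', "'")
# Assumed heuristic for "any executable scripts"; not the server's pattern set.
SCRIPT_HINT = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)


def check_text(text):
    """Return the reasons the text breaks the documented rules (empty = clean)."""
    reasons = []
    if text.startswith(LEADING_QUOTES):
        reasons.append("starts with a quote")
    for ch in sorted(set(text) & FORBIDDEN.keys()):
        reasons.append(f"contains {FORBIDDEN[ch]} {ch!r}")
    if SCRIPT_HINT.search(text):
        reasons.append("looks like executable script")
    return reasons


def audit(entities):
    """Map (entity name, field name) -> reasons, for fields that need cleaning."""
    findings = {}
    for entity in entities:
        for field_name, value in entity["fields"].items():
            reasons = check_text(value)
            if reasons:
                findings[(entity["name"], field_name)] = reasons
    return findings


# Constructed sample records; real entities would come from an export or inventory.
SAMPLE = [
    {"name": "Agent Summary", "fields": {"description": "Daily agent totals"}},
    {"name": "Ops Wall", "fields": {"description": "Queue stats (EMEA)"}},
    {"name": "Teams", "fields": {"description": '"Tier 1" teams'}},
    {"name": "Legacy", "fields": {"description": "Help: intranet.example/faq?id=7",
                                   "notes": "Reviewed by ops"}},
]

if __name__ == "__main__":
    for (name, field_name), reasons in audit(SAMPLE).items():
        print(f"{name}.{field_name}: {'; '.join(reasons)}")
```

A pre-check like this only predicts the "Malicious Input data detected" warning for the documented characters; it does not cover the paths the Note lists as unaddressed in release 10.5(1), such as dashboard widgets and imported reports.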