User Guide for the Cisco Unified Intelligence Center Reporting Application, Release 9.1(1)
Security

Clicking the Security drawer expands to show nested links that open pages where you can manage and view User Lists, User Groups, and User Permissions.

Users can open the Security drawer to access the User List and see their own User Information page. Users who have the Security Administrator role can access all security pages and functions.


Note


All actions on the Security interface are based on user role and on the user's object permissions.

For information about Unified Intelligence Center user roles and permissions, see Unified Intelligence Center User Roles.

See also Troubleshooting Security Center.

About Unified Intelligence Center Security

Unified Intelligence Center security offers multi-layered and flexible functionality that allows a security administrator to create a flat or a tiered structure of access to Unified Intelligence Center functions, based on the organization's needs.

A user's access to Unified Intelligence Center functions is based on:

  • Login authentication.
  • License type under which the user's organization runs Unified Intelligence Center. For example, organizations that use a Standard license cannot access the Report Definition functions.
  • User Role (a user can have one, some, or all seven User Roles).
  • User Groups in which the user is a member.
  • For an object the user can access, the object-level permissions assigned by the person who created that object.

Administrative Overview

Access to the functions in the Unified Intelligence Center reporting application is controlled by the one or more users who have the user role of Security Administrator.

The initial, default Security Administrator is the user defined as the System Application User during the installation.

Security Administrators can:

  • Create and maintain users.
  • Assign User Roles—User roles are assigned to users to control access to drawers and what objects the user can create.
  • Assign users to User Groups.
  • Create and maintain user groups.
  • Assign Permissions—Whereas User Roles are associated with people, permissions are associated with objects (Dashboards, Reports, Report Definitions, Data Sources, Value Lists, and Collections).
  • Use the Run As feature to verify other users' permissions.

User List Page

This page opens from the Security drawer. A user who does not have the Security Administrator user role sees only their own name on this page and can open it to modify some parameters, such as email and phone number. The user cannot change their own role or group membership.

When Security Administrators access this page, they can see all existing users; can create users, modify or delete users, review or edit user information, and use the Run As feature to work in Unified Intelligence Center as a user.

The first time the Super User administrator who installed the system opens this page, the list is populated with his or her name and with the names of all Supervisors who integrated from Unified CCE (if the initial User Integration has been run).


Note


Unified CCE User Integration is configured and scheduled in the Unified Intelligence Center Operations Console (Cluster Configuration > ICM User Integration). It is documented in the online help for the Operations Console.
Table 1 Fields on User List Page

Field

Explanation

Only show currently active users

Click this to narrow down the list so that it displays only those users who are active.

Name Contains

Use this filter field to narrow the list of names or to move to a specific name.

User Name

The domain and user name (domain\name).

First Name

The user's first name.

Last Name

The user's last name.

User Role check boxes

Checks in these boxes show the User Roles that apply to this user.

Actions on This Page

  • Create—opens the User Information Page.
  • Edit—click the button to the left of the user name to open the User Information Page.
  • Delete—click the button to the left of the user name to delete the user.
  • Run As—select a user, then click this button to refresh the Unified Intelligence Center reporting interface. See Run As for details.
  • Refresh—refreshes the page to show any changes to the User List.
  • Page—click the arrow to move to the next page of the User List.
  • Help—opens online help.
  • X on the tab heading—closes the page.

User Information Page

This page opens when you click Create or Edit from the User List Page.

Users can review and edit information on their own User Page.

Actions on This Page

  • Save—saves your new entry or changes to the fields.
  • Cancel—cancels your changes and closes the page.
  • Help—opens online help.
  • X on the tab heading—closes the page.

General Information Tab

Security Administrators use this tab to enter or modify general characteristics for a user.

The Editable column in the table indicates whether users can edit their own information for a field.

Table 2 Fields on the General Information Tab

Field

Editable

Explanation

User Name

No

The domain and user name (domain\name).

When you create a user, enter the domain\name exactly as it exists for that user's Active Directory identity.

This field is available only when the security administrator creates a new user. It is protected in Edit mode.

Alias

Yes

The alias name for this user.

For supervisors who are integrated from Unified ICM, use this field to enter the user's name in Unified ICM.

User is Active

No

If this box is checked, the user is active and able to log in. If it is unchecked, the user cannot log in.

First Name

Yes

The user's first name.

Last Name

Yes

The user's last name.

Organization

Yes

The company name or other descriptive text to be associated with the user, such as region or Line of Business.

Email

Yes

The user's email address.

Phone

Yes

A phone number for the user. This can be the user's personal phone number or an emergency contact.

Description

Yes

Text that describes this user.

Time Zone

Yes

From the drop-down list, choose the time zone that you want to use in the report. This time zone is also used for the user's scheduled reports and takes precedence over the time zone used by the report server.

If this field is left blank, the system uses the time zone of the report server.

Start Day Of The Week

Yes

Click the Locale Based radio button to select the starting day of the week based on locale.

Click the Custom Settings radio button to choose one of the seven days of the week from the drop-down list.

Note   

Start Day Of The Week is used in Scheduled Report, Report Views, and Permalink. Scheduled Report and Report Views use Start Day Of The Week as defined on the User List Edit page and User List Create page by the creator and modifier of the report. Permalink uses Sunday as the Start Day Of The Week.

Roles

No

Assign one or more roles for this user.

Note    If the Security Administrator adds or changes User Roles, the change does not take effect until the user logs out and then logs in again.

Permissions

Yes

This box shows the permission that this user grants to My Group by default when creating new objects. My Group is the object owner's default group. The owner can always change the permissions for the objects they created.

My Group is this user's default Group.

The setting for My Group configures whether other users who belong to this user's default group can write to or execute the objects this user creates.

Permissions from all sources are combined, and the highest level prevails.

Change to User Roles

If a user is given new roles of Report Designer, Report Definition Designer, or Dashboard Designer, or if those roles are removed, the change is not reflected in the interface.

The user must log out and log back in.

Groups

Use this tab to see what groups this user is a member of and to add group membership(s) for a user.

There is no limit to the number of groups a user can belong to.

Users who view their own User Information can see this tab but cannot edit it.

Table 3 Fields on Groups Tab

Field

Explanation

My Group

This field shows the user's default group. The Security Administrator can change it.

The group is represented as "My Group" for the user.

Available Groups

This column shows all the groups that have been created and that the user is not yet a member of.

Selected Groups

This column shows all the groups that the user is a member of.

By default, every user has AllUsers in their Selected Groups column. You cannot remove the AllUsers group from the Selected Groups column.

Actions on This Page
  • Arrow buttons—move groups between columns. Highlight one or several groups and click > or < to move just those groups. Click >> or << to move all groups.

User Creation on User List Page

Although you can create a user on the Unified Intelligence Center User List page, an entry on the User List is not sufficient for that user to be able to sign in to Unified Intelligence Center.

The user can sign in only if they exist in the Administration console as a Super User or if Active Directory has been configured in the Administration console for that user's domain.

One reason to create users on the User List page is to set up roles and permissions for users before they log in.

For example, if the Security Admin is aware that 10 new users will be activated in the Administration console, then the Security Admin can create those users in the Unified Intelligence Center User List, assigning them User Roles and Permissions and entering information about their email address, organization, time zone, and so forth on the General Information tab.


Note


The User Name (domain\name) on the General Information tab must match exactly with that user's domain and user name (all uppercase letters for the domain name; all lower case for the username). If they do not match, when the user signs in, they will be considered a different user.
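The following pre-flight check is an added example, not part of this guide or of Unified Intelligence Center. It applies the rule above (domain in uppercase, user name in lowercase, exact match) to a list of User List entries and reports the ones that would be treated as a different user at sign-in, so that pre-assigned roles and permissions would not apply. The sample entries and the set of sign-in identities are constructed for the example.

```python
import re

# domain\name with exactly one backslash; anything else is not a valid User Name
USER_NAME_RE = re.compile(r"^(?P<domain>[^\\]+)\\(?P<name>[^\\]+)$")


def canonical(user_name):
    """Return the DOMAIN\\name form this page requires, or raise ValueError."""
    m = USER_NAME_RE.match(user_name.strip())
    if not m:
        raise ValueError(f"expected domain\\name, got {user_name!r}")
    return f"{m['domain'].upper()}\\{m['name'].lower()}"


def provisioning_mismatches(user_list_entries, signin_identities):
    """Return (entry, reason) for every User List entry that will not match a sign-in.

    signin_identities: the canonical domain\\name values users actually authenticate with
    (constructed here; in practice, taken from the Administration console or Active Directory).
    """
    mismatches = []
    for entry in user_list_entries:
        try:
            want = canonical(entry)
        except ValueError as exc:
            mismatches.append((entry, str(exc)))
            continue
        if entry != want:
            # Same person, but the stored name differs in case: a second user record is created
            mismatches.append((entry, f"would be treated as a different user than {want}"))
        elif want not in signin_identities:
            mismatches.append((entry, "no matching sign-in identity configured"))
    return mismatches


if __name__ == "__main__":
    # Constructed sample data
    entries = ["CORP\\alice", "corp\\Bob", "CORP\\carol", "dave"]
    for entry, reason in provisioning_mismatches(entries, {"CORP\\alice", "CORP\\bob"}):
        print(f"{entry!r}: {reason}")
```

Run this against the User List before the users are activated; only entries that come back empty are safe to rely on for pre-provisioned roles.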

User Groups Page

This page opens from the Security drawer. Use it to see the existing groups, to create or delete groups, and to review or edit group information.

This page always includes two default groups that are created by the system. These are:

  • The AllUsers group is supplied by Unified Intelligence Center. All users belong to this group by default.
  • The Administrators group consists of administrators.
Table 4 Fields on the User Groups Page

Field

Explanation

Name Contains

Use this filter field to narrow down the list of group names or to move to a specific name.

Name

The name of the group.

Full Name

The full name shows the child relationship of a group, as indicated by a dot separator.

For example, if the default group for Group3 is Group1, and Group1 is a top-level group (it has no parent), then the Full Name of Group1 is Group1 and the Full Name of Group3 is Group1.Group3.

Description

Text that was entered to describe the group.

Actions on This Page

  • Create—opens the Group Information page.
  • Edit—select the button to the left of the group name and click to open the Group Information page.
  • Delete—select the button to the left of the group name and click to delete the group.
  • Refresh—refreshes the page to show any changes to the Group List.
  • Help—opens online help.
  • X on the tab heading—closes the page.

Group Information

This page opens when you click Create or Edit from the User Groups Page.

This page has three tabs for most groups: General Information (which describes the group), Groups (where you can establish the group as a child group), and Group Members (where you can add or identify children for the group).

The AllUsers and Administrators groups do not have a Groups tab.

Actions on This Page

  • Save—saves your new entry or changes to the fields.
  • Cancel—cancels your changes and closes the page.

User Group General Information Tab

Use this tab to enter general information about a user group.

Table 5 Fields on User Group General Information Tab

Field

Explanation

Group Name

The name of the group.

This field is available only when you create a new group. It is protected in Edit mode.

Description

Enter or modify text to describe this group.

Groups

Use this tab to establish the groups for this user group.

After you do this, this group becomes a child of those parent groups, and one of the parent groups is identified as its Default Group.


Note


  • The default Administrators and AllUsers groups do not have this Groups tab.
  • Do not complete this tab if you do not want this group to be a child.

Table 6 Fields on Groups Tab

Field

Explanation

Default Group

From the drop-down menu, select the default group.

Available Groups

This column shows the groups that were created and that are available for this group to become a child of.

Selected Groups

This column shows the groups that this group is a child of.

Actions on This Page
  • Arrow buttons—move groups between columns. Highlight one or several groups and click > or < to move just those groups. Click >> or << to move all groups.
  • Save—saves your new entry or changes to the fields.
  • Cancel—cancels your changes and closes the page.

Group Members

Use this tab to add users to a group and to add child groups to this group. This page has two sections: Users and Groups.

Table 7 Fields on the Group Members Tab

Users

Available Users

This column shows all the users that were created and that are available to be children of this group.

Selected User Members

This column shows the users that are currently children of this group.

Groups

Available Groups

This column shows all the groups that were created and that are available to be children of this group.

Selected Group Members

This column shows the groups that are currently children of this group.

Actions on this page

  • Arrow buttons—move users or groups between columns. Highlight one or several entries and click > or < to move just those entries. Click >> or << to move all entries.

User Permissions Page

Use this page to set extra permissions to Groups or to individual users.

This page has two tabs: Assigned Group Permissions and Assigned User Permissions.

Assign Group Permissions

This page has four panels and one button.

Procedure
    Step 1   Select the object type in the Permissions For panel. For Dashboard, Report or Report Definition type, you can select a category or an object within a category. For other object types, select an object from the list. All the groups that have already been assigned permissions for the object are displayed in the Group permissions for the selected item panel.
    Step 2   Select a group in the All Groups panel. All user members of this group are displayed in the All Users for the selected group panel.
    Step 3   Click Set Permissions. Check the level you want for the group (Execute, Write), and click OK.
    Step 4   The Group Permissions for the selected item panel updates to include the group and its assigned permission you defined in Step 3.


    Note


    If the Security Administrator adds or changes User Permissions, the change may not occur immediately.
    Table 8 Fields on the Assign Group Permissions Tab

    Field

    Explanation

    Permissions For panel (top left)

    Click the drop-down arrow to select the objects for which you want to set permissions. Options are Data Sources, Report Definitions, Reports, Dashboards, Value Lists, and Collections.

    Selecting an object type refreshes the panel to show the list of items or categories for that object.

    All Groups panel (top right)

    This panel shows the available User Groups. Highlighting a user group refreshes the page to display an All Users for Selected Group panel that lists the members of the group.

    All Users for the Selected Group panel (bottom right)

    This panel shows all members in the group that is highlighted in the All Groups panel above.

    Set Permissions button

    Click this to open a dialog box where you select the permission level for the selected object in the Permissions For panel and the selected group in the All Groups panel.

    Group Permissions for the selected item

    This panel shows the groups that have already been assigned permission for the selected object, and their permission level.

    Assign User Permissions

    Procedure
      Step 1   Select the object type in the Permissions For panel. For Dashboard, Report, or Report Definition type, you can select a category or an object within a category. For other object types, select an object from the list. All the users that have already been assigned permission for the object are displayed in the User permissions for the selected item panel.
      Step 2   Select a user name in the User List panel.
      Step 3   Click Show Groups to see the groups for which this user is a member.
      Step 4   Click Set Permissions, check the level you want for this user (Execute, Write), and click OK.

      The All Permissions for the selected item panel refreshes to show the user permissions you have added or changed for this user in steps 3 and 4.

      Field

      Explanation

      Permissions For panel (top left)

      Click the drop-down arrow to select the kinds of object for which you want to set permissions. Options are Data Sources, Report Definitions, Reports, Dashboards, Value Lists, Collections, and System Collections.

      System Collections (UCCE) are the collections of agents and agent teams that are created and updated by UCCE User Synchronization.

      Selecting an object type refreshes the panel to show the list of items or categories for that object.

      User List panel (top right)

      This panel shows current users. Filter the list and select one or many user names.

      Show Groups button

      Click this to show the All Groups for the selected user panel.

      All Groups for the selected User (bottom right)

      This panel shows all groups of which the user highlighted in the User List panel above is a member.

      Set Permissions button

      Click this to open a dialog box where you select the permission level for the object (Execute, Write).

      All Permissions for the selected item

      This panel shows users who have permission for the object, and the level of permissions they have.

      Note    You cannot change the permission for the owner of an object. The owner always has Write permission for the object. For example, if a user is the owner of Report 1, then that user has WRITE permission for Report 1, and no one else can change the permission to EXECUTE.

      Actions on this page:
      • Save—saves your new entry or changes to the fields.
      • Cancel —cancels your changes and closes the page.

      About Permissions

      User Roles are associated with people and permissions are associated with objects. Unified Intelligence Center objects are Dashboards, Reports, Report Definitions, Data Sources, Categories, Value Lists, and Collections.

      Permissions:

      • EXECUTE: When the user has EXECUTE permissions for an object, that user can perform some actions that depend on the object. For example, with EXECUTE permission, a user can run, print, and refresh a report, open and refresh a dashboard and run a dashboard slide show, and see a Value List query. EXECUTE permission includes the read permission.

        Note


        Permissions set on categories are not recursive. For all entities under Dashboard, Report, or Report Definition types, you need separate EXECUTE/WRITE permissions.
      • WRITE: When the user has WRITE permission for an object, that user can alter, rename, or delete the object. For example, with WRITE permission, you can Save As, import, and export reports, edit a data source, and delete a custom Value List. WRITE permission also includes EXECUTE and read permission.

        Note


        If no check boxes are selected when setting permission for an object, the user has no access privileges to the object.
        The following rules are applicable for all category trees in Unified Intelligence Center — Reports, Report Definitions, Dashboards.
      • To delete an entity, you need WRITE permissions for the entity and the entity's parent category.
      • To delete a category, you need WRITE permissions for the category, the category's parent, and all the categories and/or entities belonging to the category.
      • A user with WRITE permission for an entity can Edit or Save that entity even if the immediate parent category has no WRITE permissions; only deletion requires WRITE on the parent.
      • A user who has only EXECUTE permission for an entity (no WRITE permission) can use only the Save As feature, to save a copy, and cannot Save the entity in place.
      • Any category owner within the Imported Report Definitions can delete a category if the administrator provides explicit WRITE permissions on the Imported Report Definitions category.

      Permissions are combined and the highest level prevails.

      A user receives permission for an object from different sources. Permission can be inherited from the AllUsers group, the Default Group (My Group), or the permission assigned by the Security Administrator. Among all these permissions, the highest level permission is used when the user accesses the object.
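The resolver below is an added example, not code from this guide or from Unified Intelligence Center. It encodes the rules stated in About Permissions and in the Default Group and Security Considerations sections: the owner always has WRITE; a user's level for an object is the highest of the AllUsers grant, the My Group grant (when the user belongs to the owner's default group), and any explicit group or user grants made by the Security Administrator; WRITE implies EXECUTE, which implies read; category permissions are not recursive, so deleting an entity needs WRITE on the entity and its parent category, and deleting a category needs WRITE on the category, its parent, and everything beneath it. Users, groups, categories and reports in demo() are constructed for the example; the data model is an assumption, not the product's schema.

```python
from dataclasses import dataclass, field
from typing import Optional

NONE, EXECUTE, WRITE = 0, 1, 2          # ordered, so max() picks the highest level
LEVEL_NAMES = {NONE: "NONE", EXECUTE: "EXECUTE", WRITE: "WRITE"}


@dataclass
class User:
    name: str
    default_group: str                   # "My Group" for this user
    groups: set = field(default_factory=set)   # explicit memberships; AllUsers is implicit


@dataclass
class Obj:
    name: str
    owner: str
    parent: Optional[str] = None         # parent category; None for a top-level category
    is_category: bool = False
    all_users: int = NONE                # level the owner granted to AllUsers
    my_group: int = NONE                 # level the owner granted to the owner's default group
    group_grants: dict = field(default_factory=dict)   # Security Administrator grants, by group
    user_grants: dict = field(default_factory=dict)    # Security Administrator grants, by user


class Catalog:
    def __init__(self, users, objs):
        self.users = {u.name: u for u in users}
        self.objs = {o.name: o for o in objs}

    def effective(self, obj_name, user_name):
        """Highest level the user receives for this one object from all sources."""
        obj, user = self.objs[obj_name], self.users[user_name]
        if obj.owner == user.name:
            return WRITE                 # the owner's WRITE permission cannot be changed
        levels = [obj.all_users, obj.user_grants.get(user.name, NONE)]
        owner_group = self.users[obj.owner].default_group
        if owner_group == "AllUsers" or owner_group in user.groups:
            levels.append(obj.my_group)
        levels += [obj.group_grants.get(g, NONE) for g in user.groups]
        return max(levels)

    def can_edit(self, obj_name, user_name):
        # Edit/Save needs WRITE on the entity itself, not on its parent category
        return self.effective(obj_name, user_name) >= WRITE

    def can_save_as(self, obj_name, user_name):
        # Save As only needs read access, which EXECUTE includes
        return self.effective(obj_name, user_name) >= EXECUTE

    def can_delete(self, obj_name, user_name):
        obj = self.objs[obj_name]
        needed = [obj_name] + ([obj.parent] if obj.parent else [])
        if obj.is_category:
            needed += self._descendants(obj_name)
        # each object is checked on its own: category permissions are not recursive
        return all(self.effective(n, user_name) >= WRITE for n in needed)

    def _descendants(self, cat_name):
        out = []
        for o in self.objs.values():
            if o.parent == cat_name:
                out.append(o.name)
                if o.is_category:
                    out += self._descendants(o.name)
        return out


def demo():
    """Constructed data: an admin-owned category holding a report owned by an analyst."""
    users = [
        User("CORP\\admin", "Administrators", {"Administrators"}),
        User("CORP\\alice", "Analysts", {"Analysts"}),
        User("CORP\\bob", "Analysts", {"Analysts"}),
        User("CORP\\carol", "AllUsers"),
    ]
    objs = [
        Obj("Sales", "CORP\\admin", is_category=True, all_users=EXECUTE),
        Obj("Q1 Revenue", "CORP\\alice", parent="Sales", my_group=EXECUTE),
    ]
    return Catalog(users, objs)


if __name__ == "__main__":
    cat = demo()
    for who in ("CORP\\alice", "CORP\\bob", "CORP\\carol"):
        print(who, LEVEL_NAMES[cat.effective("Q1 Revenue", who)],
              "delete:", cat.can_delete("Q1 Revenue", who))
```

Two results worth noticing: alice owns Q1 Revenue but cannot delete it until she is granted WRITE on the Sales category, and admin owns Sales but cannot delete the category while it contains a report on which admin has no WRITE permission.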

      User Roles and Permissions

      Your User Role allows you to "open" the drawer that corresponds to that role. If you have EXECUTE permission, you can create objects for that drawer. For example, if you are a Dashboard Designer, you can create dashboards on the Available Dashboards page.

      When you create an object, you are the owner of that object. You have WRITE permission for the object, and you can set the permissions for that object for All Users and for users in your Group.

      If the object is still a work-in-progress and you do not want anyone to access it yet, you can make it "private" by leaving all permissions unchecked for both the All Users and the Groups.

      When the object is ready, set your default Group (My Group) permissions to EXECUTE or even WRITE. For example, if you create a Dashboard for your Group and the dashboard has notes, you might want others in your Group to update the notes.

      Even though you are a Dashboard Designer, if the Available Dashboards page contains dashboards created by (owned by) other Dashboard Designers, you may not be able to see those dashboards, based on your Group permissions and on the object-level permissions those owners have set for their dashboards.

      About User Groups

      User Groups are constructs that allow security administrators to partition Unified Intelligence Center functionality.

      Creating User Groups expedites the process of provisioning users when multiple users need the same access to dashboards and reports, or when users require distinct permissions and features based on regional or organizational requirements.

      User groups have no impact on how data is stored in the database. They are used only for assigning permissions to all the user members of the group through one operation instead of repeating the same operation for each user.

      System-Defined All Users Group

      All users are automatically a member of the system-defined All Users group.

      All Users always appears on the Manage User Groups window. The security administrator cannot delete it.

      System-Defined Administrator User Group

      The security administrator is automatically a member of the system-defined Administrators group and can add other security administrators to it.

      Additional Security Administrators must be added to the Administrators group. Having the role does not automatically make them members of that group.

      Customer-Defined User Groups

      Security administrators can create any number of user groups and can add users to them. From those other user groups, one is designated as the user's Group (also called My Group).

      Default Group

      After creating the customer-defined groups, the security administrator can add a user to any of these groups and can configure one of them as the user's default Group (My Group). The All Users group can also be selected as the default group.

      The owner of an object can set permission for its Group, and the All Users group. Only the Security Administrator can set extra permissions to other groups or individual users on the User Permissions page. A user's access permission to an object is the highest level of the permission that user gets from all the permission sources.

      Groups and Child Groups

      Rules for Groups and Child Groups

      • A group can be both a Parent and a Child. For example, Group 2 can be child of Group 1. Group 2 can also be a parent of Group 3.
      • A Group is not required to have Child Groups.
      • A Group may have any number of Child Groups.
      • A Child Group cannot be a Parent to its own Parent Group and a Parent Group cannot be a Child of its own Child Group. For example, Group 3 is a child of Groups 1 and 2. Group 3 cannot also be a parent of Group 1 or Group 2.
      • A Group can have both Groups and Users as children. For example, Group 2 can be a child of Group 1. User Lee can be a child of Group 1.
      • A Group is not required to have a Parent Group.
      • Child Groups Do Not Inherit the Members of their Parent Groups—Adding a user as a member of a group does not mean that user is also a member of its children. For example, Group 2 and Group 3 are children of Group 1. The security administrator adds User A as a member of Group 1. User A does not automatically become a member of Group 2 or Group 3. To make User A a member of Group 2, the security administrator must add User A as a member of Group 2.
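As an added example (not part of this guide or of Unified Intelligence Center), the small bookkeeping class below applies the rules listed above: a group may have any number of parents and children, a group can never become a parent of its own ancestor, the first (or explicitly chosen) parent is the Default Group that determines the Full Name shown on the User Groups page, and membership is never inherited in either direction. The group names and the user in the usage block are constructed.

```python
class GroupTree:
    """Parent/child group relationships following the rules on this page."""

    def __init__(self):
        self.parents = {}          # group -> set of parent groups
        self.default_parent = {}   # group -> the parent used for its Full Name
        self.members = {}          # group -> set of directly assigned user members

    def add_group(self, name):
        self.parents.setdefault(name, set())
        self.members.setdefault(name, set())

    def ancestors(self, group):
        """All groups reachable upward from group (parents, grandparents, ...)."""
        seen, stack = set(), list(self.parents[group])
        while stack:
            g = stack.pop()
            if g not in seen:
                seen.add(g)
                stack.extend(self.parents[g])
        return seen

    def set_parent(self, child, parent, default=False):
        # A child cannot be a parent of its own parent: reject any cycle up front
        if child == parent or child in self.ancestors(parent):
            raise ValueError(f"{parent} is already a descendant of {child}; cycle refused")
        self.parents[child].add(parent)
        if default or child not in self.default_parent:
            self.default_parent[child] = parent

    def full_name(self, group):
        """Dot-separated Full Name, following default parents up to a top-level group."""
        chain = [group]
        while chain[-1] in self.default_parent:
            chain.append(self.default_parent[chain[-1]])
        return ".".join(reversed(chain))

    def add_member(self, group, user):
        self.members[group].add(user)

    def members_of(self, group):
        # Direct members only: children do not inherit their parents' members
        return set(self.members[group])


if __name__ == "__main__":
    t = GroupTree()
    for g in ("Group1", "Group2", "Group3"):
        t.add_group(g)
    t.set_parent("Group2", "Group1")
    t.set_parent("Group3", "Group1")
    t.set_parent("Group3", "Group2")
    t.add_member("Group1", "User A")
    print(t.full_name("Group3"), t.members_of("Group2"))
```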

      Run As

      Security Administrators can select a name on the User List page and click Run As. This refreshes the Unified Intelligence Center web page so that it reflects the interface that user has when logged in.

      Use this tool to verify that the User Roles and permissions are configured properly.


      Note


      • When you Run As another user, the top of the page shows both your Logged In identity and your Run As identity.
      • You cannot Run As yourself.
      • You can Run As one level of user. A Security Admin cannot Run As User A and, as User A, then Run As User B.

      To leave Run As mode, click Stop Run As at the top of the page.

      Audit Trail Logging in Cisco Unified Intelligence Center

      Unified Intelligence Center now supports Audit Trail Logging. This feature allows you to view the sequence of audit records of the transactions related to create, update, modify, and delete that are performed on the entities of a Unified Intelligence Center server. You can view the audit trails using the Audit Trail stock report. Only System Administrators can access and view this feature by default. However, a System Administrator can then give permissions to other Unified Intelligence Center users to use this feature.

      Note


      Localization of Audit Trail report is not supported.


      View Audit Trail Logging in Unified Intelligence Center

      Procedure
        Step 1   Log in to the Unified Intelligence Center Reporting Interface.
        Step 2   Navigate to Reports > Stock > Intelligence Center Admin and click Audit Trail. The system opens the Audit Trail Report Filter window.
        Step 3   Specify the required filter criteria and click Run. The system displays the Audit Trail report based on the filter criteria that you specified.

        Audit Trail Report

        Views: This report has three grid views: Non-grouped, Group by Entity Name, and Group by User Name.

        Grouping: This report has two grouped views - grouped and sorted by User and Entity Name. The third view is un-grouped which is also the default view for this report.

        Value List: CUIC Users, CUIC Operations, CUIC Entity Types.

        Database Schema Tables from which data is retrieved:
        • CUICAUDITLOG
        • CUICLOGEDENTITY

        Current Fields in Audit Trail Report Grid View

        Current fields are those fields that appear by default in a report grid view generated from the stock template. You can change them.

        Current fields are listed here in the order (left to right) in which they appear by default in the stock template.

        Column (Field)

        Description

        Event Time

        Date and time when the user performed the operation in the Unified Intelligence Center system.

        User

        Domain name and the User ID of the user who performed a particular operation.

        Operation

        Operation performed by a user, for example, CREATE, SAVE, UPDATE, IMPORT, EXPORT.

        Entity Type

        Entity type on which the user performed the operation.

        Entity Name

        Name of the specific entity that the user accessed.

        Status

        Status of the operation SUCCESS or FAILURE.

        Description

        Detailed description of the performed operation.

        RunAs User

        User ID of the RunAs user who performed a particular operation.

        Server IP

        IP address of the Unified Intelligence Center server.

        Server Name

        Hostname of the Unified Intelligence Center server.
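The script below is an added example, not part of this guide or of Unified Intelligence Center. It reads an Audit Trail grid exported to CSV with the columns listed above and applies three checks a reviewer would want: create/update/delete/import/export operations recorded with a RunAs User (Run As is meant for verifying permissions, so changes made in that mode deserve a look), bursts of FAILURE rows for one user, and successful import or export of report definitions or data sources by an account outside an expected set. The rows, the EXPECTED_ADMINS set and the thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; the columns follow the Audit Trail grid view on this page.
SAMPLE_CSV = """Event Time,User,Operation,Entity Type,Entity Name,Status,Description,RunAs User,Server IP,Server Name
2013-03-04 09:02:11,CORP\\alice,UPDATE,Report,Q1 Revenue,SUCCESS,Saved report,,10.0.0.5,cuic01
2013-03-04 09:05:40,CORP\\admin,UPDATE,Data Source,UCCE Historical,SUCCESS,Edited data source,CORP\\bob,10.0.0.5,cuic01
2013-03-04 09:06:02,CORP\\bob,EXPORT,Report Definition,Agent Summary,FAILURE,No permission,,10.0.0.5,cuic01
2013-03-04 09:06:30,CORP\\bob,EXPORT,Report Definition,Agent Summary,FAILURE,No permission,,10.0.0.5,cuic01
2013-03-04 09:07:15,CORP\\bob,EXPORT,Report Definition,Agent Summary,FAILURE,No permission,,10.0.0.5,cuic01
2013-03-04 10:15:00,CORP\\carol,IMPORT,Report Definition,Custom Queue Stats,SUCCESS,Imported definition,,10.0.0.5,cuic01
"""

CHANGE_OPS = {"CREATE", "SAVE", "UPDATE", "DELETE", "IMPORT", "EXPORT"}
DEFINITION_TYPES = {"Report Definition", "Data Source", "Value List", "Collection"}
EXPECTED_ADMINS = {"CORP\\admin"}         # assumption: accounts expected to import/export
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=10)


def parse_rows(text):
    """Parse an exported Audit Trail grid into dicts, adding a datetime under 'ts'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["Event Time"], "%Y-%m-%d %H:%M:%S")
    return rows


def analyze(rows):
    """Return (rule, user, detail) findings in event order."""
    findings = []
    recent_failures = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        user, op, etype, ename = r["User"], r["Operation"], r["Entity Type"], r["Entity Name"]
        # 1. A change recorded while in Run As mode, whichever column holds the impersonated identity
        if r["RunAs User"] and op in CHANGE_OPS:
            findings.append(("runas-change", user,
                             f"{op} {etype} '{ename}' with RunAs User {r['RunAs User']}"))
        # 2. Repeated failures by one user inside the window (permission probing or a broken job)
        if r["Status"] == "FAILURE":
            window = [t for t in recent_failures[user] if r["ts"] - t <= FAIL_WINDOW] + [r["ts"]]
            recent_failures[user] = window
            if len(window) == FAIL_THRESHOLD:
                findings.append(("repeated-failures", user,
                                 f"{FAIL_THRESHOLD} failures within {FAIL_WINDOW}"))
        # 3. Successful import/export of definitions or data sources by an unexpected account
        if (op in {"IMPORT", "EXPORT"} and etype in DEFINITION_TYPES
                and r["Status"] == "SUCCESS" and user not in EXPECTED_ADMINS):
            findings.append(("unexpected-import-export", user, f"{op} of {etype} '{ename}'"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in analyze(parse_rows(SAMPLE_CSV)):
        print(f"{rule:26} {user:12} {detail}")
```

On the constructed rows this reports the Run As change to the data source, bob's three export failures, and carol's import of a report definition; tune the thresholds and the expected-admin set to the deployment before relying on it.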

        Sample Audit Trail Report

        Figure 1. Sample Audit Trail Report. The following illustration is a sample of the report generated from the Audit Trail Report template.



        Security Considerations

        If you make the user a member of one or more other groups, make one of those groups the user's default group, and set the permissions for the default group higher than those of the AllUsers group.

        Higher permissions for the default group prevail over permissions in the AllUsers group. Individual user permissions prevail over group permissions.

        XSS Vulnerability

        Unified Intelligence Center includes protection against cross-site scripting (XSS). If a malicious script, pattern, or input is entered into the Unified Intelligence Center server, the server displays the warning message "Malicious Input data detected".

        A user entering text into Unified Intelligence Center should ensure that free-format text does not contain the following special characters:
        • parentheses pair (( ))
        • angle bracket (>)
        • forward slash (/)
        • question mark (?)
        • Any executable scripts (for example, JavaScript)

        Also, the text must not start with a double quote (") or a single quote (').


        Note


        • XSS protection is applied only for the English locale in Unified Intelligence Center.
        • In release 10.5(1), XSS protection is not applied to widgets in Dashboards.
        • In release 10.5(1), XSS protection is not applied during the import of reports and report definitions (XML/zip), or during the upload of help files (HTML/zip).
        • Existing customers who have already used these special characters in entities under Reports, Report Definitions, Dashboards, Data Sources, Value Lists, or Collections can still view those entities. However, when they customize those entities, they must ensure that the characters listed above are not used in free-format text.
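Because the page states that import of reports and report definitions is not covered by the input check, a practitioner would want to apply the same rule to an export file before importing it. The scanner below is an added example, not code from this guide or from Unified Intelligence Center: check_free_text() applies the character and leading-quote rule listed above, and scan_import_xml() walks an XML document and reports every free-text field that the interface would reject. The element and attribute names ("name", "description") and the sample document are constructed assumptions; the real export format is not described on this page.

```python
import re
import xml.etree.ElementTree as ET

# Characters this page says free-format text must not contain
FORBIDDEN = {"(": "parenthesis", ")": "parenthesis", ">": "angle bracket",
             "/": "forward slash", "?": "question mark"}
# A minimal pattern for "executable script" content, as a last resort after the character rule
SCRIPT_RE = re.compile(r"<\s*script\b|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)


def check_free_text(text):
    """Return None if text satisfies the documented rule, otherwise the reason it fails."""
    if text[:1] in ('"', "'"):
        return "starts with a quote"
    for ch in text:
        if ch in FORBIDDEN:
            return f"contains {FORBIDDEN[ch]} {ch!r}"
    if SCRIPT_RE.search(text):
        return "contains script-like content"
    return None


def scan_import_xml(xml_text, free_text_fields=("name", "description")):
    """Report (location, value, reason) for each free-text field that would be rejected.

    Assumes free text lives in the listed attributes or in elements of the same name;
    adapt free_text_fields to the actual export format.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr in free_text_fields:
            value = elem.get(attr)
            if value is not None:
                reason = check_free_text(value)
                if reason:
                    findings.append((f"{elem.tag}@{attr}", value, reason))
        if elem.tag in free_text_fields and elem.text:
            text = elem.text.strip()
            reason = check_free_text(text)
            if reason:
                findings.append((elem.tag, text, reason))
    return findings


# Constructed sample export document
SAMPLE_XML = """<reportDefinition name="Agent Summary (East)">
  <description>Daily agent summary</description>
  <field name="Handle Time"/>
  <field name="'Talk Time"/>
  <field name="Notes" description="See http://intranet/notes"/>
</reportDefinition>
"""

if __name__ == "__main__":
    for where, value, reason in scan_import_xml(SAMPLE_XML):
        print(f"{where}: {value!r} {reason}")
```

Fix the reported fields in the export file, then import it; an unscanned import would bring the characters in unchecked and the entity would fail the rule the next time someone edits it.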