Installation Guide for CiscoWorks QoS Policy Manager 3.1
QPM User Permissions


The following sections describe the user permissions for QPM, which are handled by the CiscoWorks Common Services 1.0 application:

Working with User Permissions

CiscoWorks User Permissions

ACS User Permissions

Working with User Permissions

CiscoWorks Common Services 1.0 provides management of QPM user roles and privileges. QPM can work with either Cisco Secure Access Control Server (ACS) permissions or CiscoWorks permissions. QPM permissions for authentication and authorization are mapped to CiscoWorks permission roles or ACS permission roles, as specified.


Note: To use ACS authentication and authorization, ACS 3.1 must be installed on the network.


Before you begin to work with QPM, you should ensure that you have the appropriate permissions. ACS and CiscoWorks permissions in QPM rely on the usergroup or username, the command set or privileges associated with the usergroup or username, and the device or device group for which privileges are requested.

If your username or usergroup is not authorized for certain QPM actions, the related menu items, TOC items, and buttons will be hidden or disabled.

CiscoWorks User Permissions

QPM uses a separate set of permissions for each type of task.

Table A-1 shows how QPM permissions are mapped to CiscoWorks roles.

Table A-1 QPM Permissions Mapped to CiscoWorks Roles 

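| QPM Permissions | System Admin | Network Admin | Network Operator | Approver | Help Desk |
|---|---|---|---|---|---|
| Device Inventory Tasks | | | | | |
| View | X | X | X | X | X |
| Modify | X | X | X | X | |
| Policy Configuration Tasks | | | | | |
| View | X | X | X | X | X |
| Modify | | X | X | X | |
| Deployment Tasks | | | | | |
| View | X | X | X | X | X |
| Deploy | | X | | | |
| Delete jobs and logs | X | | | | |
| Reports Tasks | | | | | |
| View | X | X | X | X | X |
| Delete | X | | | | |
| Run Real Time Analysis Tasks | X | X | X | X | X |
| Create Analysis Tasks | | X | X | X | |
| Admin Tasks | | | | | |
| View Audit logs | X | X | X | X | X |
| Delete Audit logs | X | | | | |
| Backup/Retrieve Backup | X | | | | |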


Note: To view the QPM tasks allowed for each CiscoWorks role in QPM, select Admin > User Permissions Report.


CiscoWorks roles have the following permissions in QPM:

System Admin

View information in QPM

Make changes to devices in the QPM device inventory

Run monitoring tasks

Delete any QPM logs and reports

Create and retrieve backups of the QPM database


Note: System Admin is the only user role that can delete logs, jobs, and reports in QPM.


Network Admin

View information in QPM

Make changes to devices in the QPM device inventory

Create and edit policies

Deploy policies to devices

Create and run monitoring tasks


Note: Network Admin is the only user role that can deploy the QoS configurations to the devices on the network.


Network Operator

View information in QPM

Make changes to devices in the QPM device inventory

Create and edit policies

Create and run monitoring tasks

Approver

View information in QPM

Make changes to devices in the QPM device inventory

Create and edit policies

Create and run monitoring tasks

Help Desk

Only view information in QPM

You can add your username for CiscoWorks authentication in the CiscoWorks desktop.

Procedure


Step 1 In the CiscoWorks desktop, select Server Configuration > Setup > Security > Add Users.

Step 2 Enter your username and password.

Step 3 Select the CiscoWorks user role for the user. Click Add.

See Getting Started with the CiscoWorks Server for more information about setting CiscoWorks usernames and permissions.


CiscoWorks permissions cannot be customized. However, you can create a user who has the permissions of more than one CiscoWorks role, for example, System Admin and Approver.


Tip: You can create a super-user (permissions for everything) by giving both the System Admin and Network Admin roles to a user.
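The multi-role behaviour described above can be checked against Table A-1 directly. The following is an added example, not part of the Cisco guide or of QPM: it transcribes the default matrix, computes a user's effective permissions as the union of their roles, and lists users whose role combination amounts to a super-user. The usernames and the `SAMPLE` assignment format are constructed for illustration; QPM does not export data in this form.

```python
# Role columns of Table A-1, left to right.
ROLES = ["System Admin", "Network Admin", "Network Operator", "Approver", "Help Desk"]

# Table A-1 transcribed: one flag per role column, "X" = granted, "-" = not granted.
MATRIX = {
    "Device Inventory: View":                "XXXXX",
    "Device Inventory: Modify":              "XXXX-",
    "Policy Configuration: View":            "XXXXX",
    "Policy Configuration: Modify":          "-XXX-",
    "Deployment: View":                      "XXXXX",
    "Deployment: Deploy":                    "-X---",
    "Deployment: Delete jobs and logs":      "X----",
    "Reports: View":                         "XXXXX",
    "Reports: Delete":                       "X----",
    "Reports: Run Real Time Analysis Tasks": "XXXXX",
    "Reports: Create Analysis Tasks":        "-XXX-",
    "Admin: View Audit logs":                "XXXXX",
    "Admin: Delete Audit logs":              "X----",
    "Admin: Backup/Retrieve Backup":         "X----",
}

# Constructed sample: hypothetical usernames and role assignments.
SAMPLE = {
    "alice": ["Help Desk"],
    "bob":   ["System Admin", "Approver"],
    "carol": ["System Admin", "Network Admin"],
}

def effective_permissions(roles):
    """Union of the permissions of every role assigned to one user."""
    cols = [ROLES.index(r) for r in roles]  # ValueError on an unknown role name
    return {p for p, flags in MATRIX.items() if any(flags[c] == "X" for c in cols)}

def exclusive_permissions():
    """Permissions granted by exactly one role, mapped to that role."""
    return {p: ROLES[f.index("X")] for p, f in MATRIX.items() if f.count("X") == 1}

def super_users(assignments):
    """Usernames whose combined roles grant every permission in the matrix."""
    return sorted(u for u, roles in assignments.items()
                  if effective_permissions(roles) == set(MATRIX))

if __name__ == "__main__":
    print(exclusive_permissions())
    print(super_users(SAMPLE))
```

The matrix reflects the default roles only; where ACS roles have been modified, `MATRIX` must be updated to match before the result means anything.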


ACS User Permissions

When you configure CiscoWorks Common Services 1.0 to use ACS authorization and authentication, QPM adds permissions in ACS.

Table A-2 shows the default mapping of QPM permissions to ACS roles. This is the same as for the CiscoWorks roles, but when using ACS authorization and authentication you can modify the default roles.

Table A-2 QPM Permissions Mapped to ACS Roles 

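| QPM Permissions | System Admin | Network Admin | Network Operator | Approver | Help Desk |
|---|---|---|---|---|---|
| Device Inventory Tasks | | | | | |
| View | X | X | X | X | X |
| Modify | X | X | X | X | |
| Policy Configuration Tasks | | | | | |
| View | X | X | X | X | X |
| Modify | | X | X | X | |
| Deployment Tasks | | | | | |
| View | X | X | X | X | X |
| Deploy | | X | | | |
| Delete jobs and logs | X | | | | |
| Reports Tasks | | | | | |
| View | X | X | X | X | X |
| Delete | X | | | | |
| Run Real Time Analysis Tasks | X | X | X | X | X |
| Create Analysis Tasks | | X | X | X | |
| Admin Tasks | | | | | |
| View Audit logs | X | X | X | X | X |
| Delete Audit logs | X | | | | |
| Backup/Retrieve Backup | X | | | | |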


Note: To modify global components, such as library components, global device settings, and so on, you must have appropriate permissions for the device group that contains the CiscoWorks Common Services 1.0 server.


ACS roles have the following default permissions in QPM:

System Admin

View information in QPM

Make changes to devices in the QPM device inventory

Run monitoring tasks

Delete any QPM logs and reports

Create and retrieve backups of the QPM database


Note: System Admin is the only user role that can delete logs, jobs, and reports in QPM.


Network Admin

View information in QPM

Make changes to devices in the QPM device inventory

Create and edit policies

Deploy policies to devices

Create and run monitoring tasks


Note: Network Admin is the only user role that can deploy the QoS configurations to the devices on the network.


Network Operator

View information in QPM

Make changes to devices in the QPM device inventory

Create and edit policies

Create and run monitoring tasks

Approver

View information in QPM

Make changes to devices in the QPM device inventory

Create and edit policies

Create and run monitoring tasks

Help Desk

Only view information in QPM

If you intend to work with ACS device groups and user permissions, you must perform the setup configuration described in Working with ACS Device Groups and User Permissions, page 2-4.


Note: ACS allows you to modify the default permission roles. For details about modifying permissions in ACS, see the ACS online help. After you change the permission roles, you must do the following:

1. Restart the ACS server.

2. If QPM is open, log out and log in again to QPM to reflect the changes.