Installation Guide for CiscoWorks QoS Policy Manager 4.1 on Solaris
Chapter 3 Setting Up the QPM Server


Setting Up the QPM Server


This chapter contains the following topics:

User Permissions for QPM

CiscoWorks User Permissions

ACS User Permissions

Setting up ACS User Groups and Permissions for QPM

Changing QPM Database Password

User Permissions for QPM

CiscoWorks Common Services provides management of QPM user roles and privileges. QPM can work with either Cisco Secure Access Control Server (ACS) permissions or CiscoWorks permissions.

QPM permissions for authentication and authorization are mapped to CiscoWorks permission roles or ACS permission roles, as specified.


Note To use ACS authentication and authorization, ACS must be installed on the network.


Before you begin to work with QPM, you should ensure that you have the appropriate permissions.

ACS and CiscoWorks permissions in QPM rely on the usergroup or username, the command set or privileges associated with the usergroup or username, and the device or device group for which privileges are requested.

If your username or usergroup is not authorized for certain QPM actions, the related menu items, TOC items, and buttons will be hidden or disabled.

CiscoWorks User Permissions

QPM uses a separate set of permissions for each type of task.

Table 3-1 shows how QPM permissions are mapped to CiscoWorks roles.

Table 3-1 QPM Permissions Mapped to CiscoWorks Roles 

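Role columns are the CiscoWorks Roles; X marks a permission that the role holds.

| QPM Permissions | Task | System Admin | Network Admin | Network Operator | Approver | Help Desk |
|---|---|---|---|---|---|---|
| Device Inventory | View | X | X | X | X | X |
| Device Inventory | Add/Modify | X | X | | | |
| Policy Configuration | View | X | X | X | X | X |
| Policy Configuration | Modify | | X | X | X | |
| Deployment | View | X | X | X | X | X |
| Deployment | Deploy | | X | | | |
| Deployment | Delete jobs and logs | X | | | | |
| TelePresence | View | X | X | X | X | X |
| TelePresence | Modify | | X | X | X | |
| Monitor: Real Time Status | View Report Card | X | X | X | X | X |
| Monitor: Real Time Status | Launch Real Time Chart | X | X | X | X | X |
| Monitor: Real Time Status | Launch Event browser | X | X | X | X | X |
| Monitor: Historical Trends | View | X | X | X | X | X |
| Monitor: Historical Trends | Delete | X | | | | |
| Monitor: Historical Trends | Create Analysis Tasks | | X | X | X | |
| Monitor: Threshold Configuration | View | X | X | X | X | X |
| Monitor: Threshold Configuration | Create Threshold Sets | | X | | | |
| Monitor: Threshold Configuration | Assign Threshold Sets | | X | | | |
| Monitor: Threshold Configuration | Delete Threshold Jobs | X | | | | |
| Monitor: NCM Events | Launch NCM Event browser | X | X | X | X | X |
| Monitor: NCM Events | Rediscover | X | X | | | |
| Monitor: NCM Events | Deploy | | X | | | |
| Monitor: NCM Events | Import | | X | X | X | |
| Admin | View Audit logs | X | X | X | X | X |
| Admin | Delete Audit logs | X | | | | |
| Admin | Backup/Retrieve Backup | X | | | | |
| Admin | SNMP Configuration Rights | X | X | | | |
| Admin | License | X | | | | |
| Admin: Notification Group | View | X | X | X | X | X |
| Admin: Notification Group | Delete | X | | | | |
| Admin: Notification Group | Create | | X | | X | |
| Admin | NCM Integration | X | X | | | |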

To view the QPM tasks allowed for each CiscoWorks role in QPM, select Administration > User Permissions Report.

CiscoWorks roles have the following permissions in QPM:

System Admin

View all information in QPM

Make changes to devices in the QPM device inventory

Delete policy deployment jobs and logs

Launch Real Time Charts and Event Browsers

Delete Monitoring Tasks (under Historical Trends)

Delete Threshold Assignment jobs

Delete Audit logs

Create and retrieve backups of the QPM database

Configure SNMP Configuration Rights

Add/remove licenses

System admin is the only user role that can delete logs, jobs, and reports in QPM.

Network Admin

View all information in QPM

Make changes to devices in the QPM device inventory

Create and edit policies

Deploy policies on devices

Launch Real Time Charts and Event Browsers

Create Monitoring Tasks (under Historical Trends)

Create Threshold Sets and assign Threshold Sets to interfaces

Configure SNMP Configuration Rights

Network admin is the only user role that can deploy QoS policies on the devices in the network.

Network Operator

View all information in QPM

Create and edit policies

Launch Real Time Charts and Event Browsers

Create Monitoring Tasks (under Historical Trends)

Create and run monitoring tasks

Approver

View all information in QPM

Create and edit policies

Launch Real Time Charts and Event Browsers

Create Monitoring Tasks (under Historical Trends)

Help Desk

View all information in QPM

Launch Real Time Charts and Event Browsers

Setting Up CiscoWorks Usernames and Permissions for QPM

You can add your username for CiscoWorks authentication from the CiscoWorks Homepage.

To select a role or a number of roles:


Step 1 Select Common Services > Server > Security in the CiscoWorks Homepage.

The Security Settings page appears.

Step 2 Click Local User Setup in the TOC.

The Local User Setup page appears.

Step 3 Click Add.

The User Information dialog box appears.

Step 4 Enter the username in the Username field.

Step 5 Enter the password in the Password field.

Step 6 Re-enter the password in the Verify Password field.

Step 7 Enter the E-mail ID in the Email field, if the user has an Approver role.

Step 8 Go to the Roles pane and select the check box corresponding to the roles to be assigned to the user.

See the User Guide for CiscoWorks Common Services 3.2 for more information about setting CiscoWorks usernames and permissions.


CiscoWorks permissions cannot be customized. However, you can create a role for a user with the permissions of more than one CiscoWorks role. For example, a user can have both System Admin and Approver roles.


Tip You can create a Super User (permissions for everything) by giving both system administrator and network administrator roles to a user.
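
The role combinations described above can be checked against Table 3-1. The following Python is an added example, not part of Cisco's guide; the role letters and the "area: task" strings are its own labels for the table's columns and rows. It computes the permissions of any role combination, lists the permissions that only one role holds, and finds the smallest role sets that hold every permission.

```python
from itertools import combinations

# Role letters: S=System Admin, N=Network Admin, O=Network Operator,
# A=Approver, H=Help Desk. Permissions transcribed from Table 3-1.
GROUPS = {  # role letters -> permissions held by exactly those roles
    "SNOAH": ["Device Inventory: View", "Policy Configuration: View",
              "Deployment: View", "TelePresence: View",
              "Real Time Status: View Report Card",
              "Real Time Status: Launch Real Time Chart",
              "Real Time Status: Launch Event browser",
              "Historical Trends: View", "Threshold Configuration: View",
              "NCM Events: Launch NCM Event browser",
              "Admin: View Audit logs", "Notification Group: View"],
    "S": ["Deployment: Delete jobs and logs", "Historical Trends: Delete",
          "Threshold Configuration: Delete Threshold Jobs",
          "Admin: Delete Audit logs", "Admin: Backup/Retrieve Backup",
          "Admin: License", "Notification Group: Delete"],
    "N": ["Deployment: Deploy", "NCM Events: Deploy",
          "Threshold Configuration: Create Threshold Sets",
          "Threshold Configuration: Assign Threshold Sets"],
    "SN": ["Device Inventory: Add/Modify", "NCM Events: Rediscover",
           "Admin: SNMP Configuration Rights", "Admin: NCM Integration"],
    "NOA": ["Policy Configuration: Modify", "TelePresence: Modify",
            "Historical Trends: Create Analysis Tasks", "NCM Events: Import"],
    "NA": ["Notification Group: Create"],
}
MATRIX = {perm: roles for roles, perms in GROUPS.items() for perm in perms}

def effective(roles):
    """Permissions held by a user assigned every role letter in `roles`."""
    return {p for p, holders in MATRIX.items() if set(holders) & set(roles)}

def sole_permissions(role):
    """Permissions that no other role can exercise."""
    return sorted(p for p, holders in MATRIX.items() if holders == role)

def smallest_full_sets():
    """Smallest role combinations that together hold every permission."""
    for size in range(1, 6):
        hits = [c for c in combinations("SNOAH", size)
                if effective(c) == set(MATRIX)]
        if hits:
            return hits

if __name__ == "__main__":
    print("full-permission role sets:", smallest_full_sets())
    print("only System Admin can:", sole_permissions("S"))
```

System Admin plus Network Admin is the only two-role combination that holds every permission in the table, so accounts carrying both roles are the ones to look for when reviewing Local User Setup.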


ACS User Permissions

When you configure CiscoWorks Common Services to use ACS authorization and authentication, QPM adds permissions in ACS.

Table 3-2 shows the default mapping of QPM permissions to ACS roles. This is the same as for the CiscoWorks roles. However, while using ACS authorization and authentication, you can modify the default roles.

Table 3-2 QPM Permissions Mapped to ACS Roles 

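Role columns are the CiscoWorks Roles; X marks a permission that the role holds.

| QPM Permissions | Task | System Admin | Network Admin | Network Operator | Approver | Help Desk |
|---|---|---|---|---|---|---|
| Device Inventory | View | X | X | X | X | X |
| Device Inventory | Add/Modify | X | X | | | |
| Policy Configuration | View | X | X | X | X | X |
| Policy Configuration | Modify | | X | X | X | |
| Deployment | View | X | X | X | X | X |
| Deployment | Deploy | | X | | | |
| Deployment | Delete jobs and logs | X | | | | |
| TelePresence | View | X | X | X | X | X |
| TelePresence | Modify | | X | X | X | |
| Monitor: Real Time Status | View Report Card | X | X | X | X | X |
| Monitor: Real Time Status | Launch Real Time Chart | X | X | X | X | X |
| Monitor: Real Time Status | Launch Event browser | X | X | X | X | X |
| Monitor: Historical Trends | View | X | X | X | X | X |
| Monitor: Historical Trends | Delete | X | | | | |
| Monitor: Historical Trends | Create Analysis Tasks | | X | X | X | |
| Monitor: Threshold Configuration | View | X | X | X | X | X |
| Monitor: Threshold Configuration | Create Threshold Sets | | X | | | |
| Monitor: Threshold Configuration | Assign Threshold Sets | | X | | | |
| Monitor: Threshold Configuration | Delete Threshold Jobs | X | | | | |
| Monitor: NCM Events | Launch NCM Event browser | X | X | X | X | X |
| Monitor: Notification Group | Rediscover | X | X | | | |
| Monitor: Notification Group | Deploy | | X | | | |
| Monitor: Notification Group | Import | | X | X | X | |
| Admin | View Audit logs | X | X | X | X | X |
| Admin | Delete Audit logs | X | | | | |
| Admin | Backup/Retrieve Backup | X | | | | |
| Admin | SNMP Configuration Rights | X | X | | | |
| Admin | License | X | | | | |
| Admin: Notification Group | View | X | X | X | X | X |
| Admin: Notification Group | Delete | X | | | | |
| Admin: Notification Group | Create | | X | | X | |
| Admin | NCM Integration | X | X | | | |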

To modify global components, such as library components, global device settings, and so on, you must have appropriate permissions for the device group that contains the CiscoWorks Common Services server.

ACS roles have the following default permissions in QPM:

System Admin

View all information in QPM

Make changes to devices in the QPM device inventory

Delete policy deployment jobs and logs

Launch Real Time Charts and Event Browsers

Delete Monitoring Tasks (under Historical Trends)

Delete Threshold Assignment jobs

Delete Audit logs

Create and retrieve backups of the QPM database

Configure SNMP Configuration Rights

Add/remove Licenses

System admin is the only user role that can delete logs, jobs, and reports in QPM.

Network Admin

View all information in QPM

Make changes to devices in the QPM device inventory

Create and edit policies

Deploy policies on devices

Launch Real Time Charts and Event Browsers

Create Monitoring Tasks (under Historical Trends)

Create Threshold Sets and assign Threshold Sets to interfaces

Configure SNMP Configuration Rights

Network admin is the only user role that can deploy QoS policies on the devices in the network.

Network Operator

View all information in QPM

Create and edit policies

Launch Real Time Charts and Event Browsers

Create Monitoring Tasks (under Historical Trends)

Create and run monitoring tasks

Approver

View all information in QPM

Create and edit policies

Launch Real Time Charts and Event Browsers

Create Monitoring Tasks (under Historical Trends)

Help Desk

View all information in QPM

Launch Real Time Charts and Event Browsers

If you intend to work with ACS device groups and user permissions, you must perform the setup configuration described in Setting up ACS User Groups and Permissions for QPM.

ACS allows you to modify the default permission roles. For details about modifying permissions in ACS, see the ACS Online help.

After you change the permission roles, you must restart the ACS server.

If QPM is open, log out and log in again to QPM for the changes to take effect.

Setting up ACS User Groups and Permissions for QPM

If you want to use ACS user groups and permissions for QPM, ACS must be installed on the network.

To work with ACS user groups and user permissions, you must register the QPM server with ACS and configure CiscoWorks Common Services. This enables you to use ACS authorization and authentication.

The following steps describe this process:

Step
Task
Procedure

Step 1 

Register the QPM server with ACS.

1. Log in to the ACS server.

2. In the navigation bar of the ACS Homepage, click Network Configuration.

The Network Configuration page appears with a list of the Network Device Groups (NDGs).

You can create your own QPM server Network Device Group, and add the QPM server as AAA client in it. The following steps describe this process.

3. Under the Network Device Groups table, click Add Entry.

4. In the Network Device Group Name box, type the name of the new NDG to be used for QPM.

5. In the Key box, enter a key for the Network Device Group. The maximum length is 32 characters.

6. Click Submit.

The Network Device Groups table displays the new NDG.

7. Click the name of the new NDG, and click Add Entry below the AAA Clients table.

8. In the Add AAA Client page, enter the QPM client details, such as Hostname, IP Address, and Key.

9. Click Submit + Apply.

If you do not want to create a new NDG for QPM, you can click the Not Assigned link in the NDG table and click Add Entry to define the QPM client in ACS.

You can do this instead of performing Steps 1 through 7.

For details about these steps, see the chapter Network Configuration, in the ACS User Guide.

Step 2 

Register ACS with QPM.

1. Log in to CiscoWorks in the CMF Mode.

2. In the CiscoWorks homepage, select Common Services > Server > Security > AAA Mode Setup.

3. Click the TACACS+ radio button.

4. Click Change.

The Login Module Options window appears.

5. Enter the ACS server IP/Name and Key (the same key that you entered in the Key box for the Network Device Group in Step 1) in the corresponding fields, and click OK.

The Login Module Change Summary page appears.

6. Click OK.

7. In the AAA Mode Setup page, click the ACS radio button.

8. Enter the ACS server details.

9. Enter the login details, including the Shared Secret Key (the same key that you entered in the Key box for the Network Device Group in Step 1).

10. Check the Register all installed applications with ACS check box.

11. Click the HTTP or HTTPS radio button to specify the current ACS administrative protocol.

12. Click Apply.

The Login Module Change Summary page appears with the following message:
ACS Server Credentials updated successfully

13. Close all the QPM and CS windows, and restart the Daemon Manager.

For details about these steps, see the section Setting up the AAA mode in the chapter Configuring the Server, in User Guide for CiscoWorks Common Services 3.2.

Step 3 

Synchronize device groups in the ACS server with QPM.

1. In QPM, select Devices > Device Grouping > Sync Privileges.

The Sync Privileges page appears.

2. Check whether the Server mode is set to ACS, and click Sync.

Step 4 

Define usernames, user groups, and permissions in ACS.

1. In the navigation bar of the ACS homepage, click User Setup, and define usernames.

2. In the navigation bar of the ACS homepage, click Group Setup, and define user groups and their permissions.

For details about these steps, see the chapters User Management and User Group Management, in the ACS User Guide.

To change the authorization and authentication mode back to CiscoWorks permissions, you must configure CiscoWorks Common Services to use local authorization and authentication.

For details of this procedure, see the User Guide for CiscoWorks Common Services 3.2.

Changing QPM Database Password

You can change the QPM database password through Common Services. To do this:


Step 1 In Common Services, go to the root directory, and stop the Daemon Manager:

# /etc/init.d/dmgtd stop

Step 2 Run the following commands to change the QPM DB password:

# cd /opt/CSCOpx/bin

# dbpasswd.pl dsn=qpm npwd=newpassword

where /opt/CSCOpx is the Common Services installation directory, and newpassword is the new QPM database password.

Step 3 Run the following commands to update QPM with the new DB password:

# cd /opt/CSCOpx/MDC/qpm/bin

# perl QPM_DB_Updater.pl

The Daemon Manager starts automatically when you run the above command.