Access Control
This section describes the three levels of access control in Cisco License Manager and the rules of control:
• User Control
• Device Control
• PAK Control
• Rules of Control
User Control
Cisco License Manager defines five user roles:
• Admin
• InventoryMgr
• PAKMgr
• LicenseMgr
• ReportMgr
The table below shows the operations each role can perform. If an API is not listed in this table, it is open to all users.
| Operation | Admin | InventoryMgr | PAKMgr | LicenseMgr | ReportMgr |
|---|---|---|---|---|---|
| create_user | X | | | | |
| delete_user | X | | | | |
| add_user_to_device_access_list | X | | | | |
| remove_user_from_device_access_list | X | | | | |
| remove_access_list_from_device | X | | | | |
| add_user_to_group_access_list | X | | | | |
| remove_user_from_group_access_list | X | | | | |
| remove_access_list_from_group | X | | | | |
| add_user_to_pak_access_list (2) | X | X | X | | |
| remove_user_from_pak_access_list (2) | X | X | X | | |
| discover_devices | X | | | | |
| poll_device_license_info (1) | X | X | | | |
| create_devices_by_ip_addr | X | | | | |
| re_create_devices_by_ip_addr | X | | | | |
| create_devices_by_udi | X | | | | |
| check_device_connection (1) | X | X | X | X | X |
| read_devices (1) | X | X | X | X | X |
| write_devices (1) | X | X | | | |
| delete_devices | X | | | | |
| create_device_group | X | X | | | |
| rename_device_group | X | X | | | |
| delete_device_group | X | X | | | |
| add_devices_to_group | X | X | | | |
| remove_device_from_group | X | X | | | |
| download_pak_info (2) | X | X | X | | |
| create_paks | X | X | X | | |
| read_paks (2), (3) | X | X | X | X | X |
| write_paks (2) | X | X | X | | |
| delete_paks (2) | X | X | X | | |
| obtain_license (1) | X | X | X | X | |
| write_licenses | X | X | X | X | |
| get_licenses_on_device (1) | X | X | X | X | |
| deploy_licenses (1) | X | X | X | X | |
| rehost_licenses | X | X | X | X | |
| resend_license | X | X | X | X | |
| re_obtain_license (1) | X | X | X | X | |
| annotate_license | X | X | X | X | |
| init_rehost_licenses | X | X | X | X | |
| revoke_license_for_rehost | X | X | X | X | |
| obtain_license_for_rehost | X | X | X | X | |
| get_rehost_info | X | X | X | X | |
| write_license_lines | X | X | X | X | |
| get_license_lines_on_device (1) | X | X | X | X | |
| deploy_license_lines (1) | X | X | X | X | |
| annotate_license_lines | X | X | X | X | |
| list_expired_license_lines | X | X | X | X | |
| create_folder | X | X | X | X | |
| rename_folder | X | X | X | X | |
| delete_folder | X | X | X | X | |
| add_paks_to_folder | X | X | X | X | |
| remove_paks_from_folder | X | X | X | X | |
| generate_report | X | X | X | X | X |
| read_report | X | X | X | X | X |
(1) Subject to Device/Group access control
(2) Subject to PAK access control
(3) Users in the PAKMgr role and above can see the PAK ID in plain text. Users in the LicenseMgr role and below can see only the last few letters/digits of the PAK ID.
Device Control
An access list is associated with each device and each group. An access list contains the user IDs that are allowed to access a particular device or group of devices. If no access list exists, the device or group is open to all users. Only users in the Admin role can modify the access list.
PAK Control
Each PAK has an owner and an access list associated with it. The PAK owner is the creator of the PAK. Only the PAK owner or users in the Admin role can modify the PAK access list.
Rules of Control
Users in the Admin role can perform all operations whether or not their name is in the access list.
For other users, these rules apply:
• Only the PAK owner and users in its access list can perform operations on the PAK object.
• If both the device access list and the access lists of its parent group(s) are empty, users in the InventoryMgr role can perform operations on this device.
• If the device access list or the access lists of the group(s) that contain this device are not empty, only users listed in the device or group access list can operate on the device.
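
The following is an added example, not code from Cisco License Manager: a small Python model of how the role table and the access-list rules above combine into one decision, useful for reviewing who can reach a given device or PAK. The names `is_allowed`, `Device` and `Pak` are hypothetical, only a few table rows are copied in, and the model assumes the role check is evaluated before the access lists and that an operation marked (1) or (2) consults the device/group or PAK lists respectively.

```python
from dataclasses import dataclass, field

ALL = {"Admin", "InventoryMgr", "PAKMgr", "LicenseMgr", "ReportMgr"}
# A few rows copied from the role table above: operation -> roles allowed.
ROLE_TABLE = {
    "delete_devices": {"Admin"},
    "write_devices": {"Admin", "InventoryMgr"},
    "read_devices": ALL,
    "write_paks": {"Admin", "InventoryMgr", "PAKMgr"},
    "read_paks": ALL,
}
DEVICE_SCOPED = {"write_devices", "read_devices"}  # footnote (1)
PAK_SCOPED = {"write_paks", "read_paks"}           # footnote (2)

@dataclass
class Device:  # hypothetical model type
    acl: set = field(default_factory=set)
    group_acls: list = field(default_factory=list)  # one set per parent group

@dataclass
class Pak:  # hypothetical model type
    owner: str
    acl: set = field(default_factory=set)

def is_allowed(user, role, op, device=None, pak=None):
    """Return True if the documented rules permit `user` to run `op`."""
    # Role gate: an API missing from the table is open to all users.
    if op in ROLE_TABLE and role not in ROLE_TABLE[op]:
        return False
    # Admin passes whether or not their name is in any access list.
    if role == "Admin":
        return True
    if op in DEVICE_SCOPED and device is not None:
        lists = [device.acl, *device.group_acls]
        # All lists empty: device is open. Otherwise the user must be
        # named in the device list or in a parent group's list.
        if any(lists) and not any(user in acl for acl in lists):
            return False
    if op in PAK_SCOPED and pak is not None:
        # Read literally: only the owner and listed users may operate.
        if user != pak.owner and user not in pak.acl:
            return False
    return True
```

Note the consequence of the empty-list rule: a device with no access list anywhere in its group chain is reachable by every user whose role permits the operation, so adding the first entry to a list is what switches the device from open to restricted.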