Table of Contents
Understanding User Roles and Permissions
CiscoWorks Server Roles and Firewall MC Privileges
Cisco Secure ACS Roles and Privileges
Understanding User Roles and Permissions
Use of Firewall MC requires that your username and password be authenticated. After your username and password are authenticated, your authorization is based on the privileges that you have. Your role is a collection of privileges that dictate the type of system access you have. If you are not authorized for certain Firewall MC tasks or for certain devices, the related Firewall MC controls are hidden or disabled.
 |
Note When you use workflow with formal approval disabled, the button for completing (submitting) an activity or job is labeled Approve and there is no Submit button. However, you must have submittal privileges, not approval privileges, to click the Approve button in this case. |
To work around this problem, make sure submittal privileges are assigned to users who must use the Approve button.
Your username and password are compared with the account information stored in the CiscoWorks or Cisco Secure Access Control Server (ACS) database, depending on which you established at installation as your AAA provider. When you install CiscoWorks Commons Services, the CiscoWorks Server provides administrative account services. By default, CiscoWorks manages authentication and authorization. You can change your AAA provider to Cisco Secure ACS before or after you install Firewall MC. See User Guide for CiscoWorks Common Services 2.2 for details.
When changing between CiscoWorks and Cisco Secure ACS authentication, you might not be able to manage the same activities and jobs. This is because you could have different privileges in the two authorization systems. As a result, you should always approve or undo remaining activities, and deploy or undo remaining jobs before changing the authentication scheme.
CiscoWorks Server Roles and Firewall MC Privileges
CiscoWorks has predetermined roles that correspond to likely functions within your organization. Any username assigned one or more role has access to the privileges enabled by the role in Firewall MC. Roles are not set up hierarchically; each role does not include all privileges of the role below it. Instead, these roles are based on user needs.
Table B-1 shows the roles in CiscoWorks that support Firewall MC.
Table B-1 CiscoWorks Roles and Descriptions
| Role1 |
Description |
|
System Administrator
|
Can change administrative settings.
Can add and modify devices and activities.
Can close activities opened by other users.
|
|
Network Administrator
|
Can perform all Firewall MC operations.
Can close activities opened by other users.
|
|
Network Operator
|
Can make policy changes (but not device inventory changes).
Can create and deploy jobs.
|
|
Approver
|
Can review policy (activity) changes, and approve or reject activities.
Can approve or reject jobs.
|
|
Help Desk
|
Has read-only access for viewing all system data and reports that might be required to diagnose problems reported.
|
|
All CiscoWorks roles allow you to perform Help Desk tasks.
|
Firewall MC defines five privilege types, described in Table B-2.
Table B-2 CiscoWorks Privilege Types
| Privilege Type |
Abbreviation |
Description |
|
View
|
V
|
Read-only. Can view information, but cannot make changes.
|
|
Modify1
|
M
|
Can make changes.
|
|
Approve
|
A
|
Can approve activities or jobs.
|
|
Deploy
|
D
|
Can deploy and roll back jobs.
|
|
Control
|
C
|
Can close an activity opened by another user.
|
|
The modify privilege implies the view privilege.
|
Table B-3 shows CiscoWorks roles and the Firewall MC activities that these roles support.
|
Note See Table B-2 for table abbreviations and their meanings. |
Table B-3 CiscoWorks Roles and Privileges Using the Firewall MC GUI
| Activity |
System
Admin |
Network
Admin |
Network Operator |
Approver |
Help Desk |
|
Devices > Importing Devices
|
M
|
M
|
V
|
V
|
V
|
|
Devices > Managing Devices
|
M
|
M
|
V
|
V
|
V
|
|
Devices > Managing Groups
|
M
|
M
|
V
|
V
|
V
|
|
Configuration > Device Settings > Firewall Device OS Version
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Device Settings > Interfaces
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Device Settings > Failover
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Device Settings > Auto Update Server
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Device Settings > Routing
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Device Settings > Firewall Device Administration
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Device Settings > Logging
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Device Settings > Servers and Services
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Device Settings > Advanced Security
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Device Settings > Config Additions
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Access Rules
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Translation Rules
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Building Blocks > Network Objects
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Building Blocks > Service Definitions
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Building Blocks > Service Groups
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Building Blocks > AAA Server Groups
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Building Blocks > Address Translation Pools
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > Building Blocks > Categories
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > View Config
|
V
|
M
|
M
|
V
|
V
|
|
Configuration > MC Settings > Management
|
M
|
M
|
V
|
V
|
V
|
|
Configuration > MC Settings > Deployment
|
M
|
M
|
V
|
V
|
V
|
|
Configuration > MC Settings > Import
|
M
|
M
|
V
|
V
|
V
|
|
Configuration > MC Settings > Feature Tracking
|
M
|
M
|
V
|
V
|
V
|
|
Configuration > MC Settings > Object Grouping
|
M
|
M
|
V
|
V
|
V
|
|
Workflow > Activity Management
|
M, C
|
M, A, C
|
M
|
A
|
V
|
|
Workflow > Job Management
|
C
|
M, A, D, C
|
M, D
|
A
|
V
|
|
Deployment > Status Summary
|
M
|
M
|
M
|
V
|
V
|
|
Deployment > Deploy Saved Changes
|
M, D
|
M, D
|
M, D
|
V
|
V
|
|
Reports > Activity
|
M
|
M
|
M
|
V
|
V
|
|
Reports > Stale Devices
|
M
|
M
|
M
|
V
|
V
|
|
Reports > Settings
|
M
|
M
|
M
|
V
|
V
|
|
Admin > Workflow Setup
|
M
|
M
|
V
|
V
|
V
|
|
Admin > Maintenance
|
M
|
M
|
V
|
V
|
V
|
|
Admin > Support
|
V
|
M
|
M
|
V
|
V
|
|
Cisco Secure ACS Roles and Privileges
Cisco Secure ACS 3.1, and later, supports roles that are specific to Firewall MC. User authentication with Cisco Secure ACS is more sophisticated than CiscoWorks authentication because Cisco Secure ACS provides for a variety of privilege combinations that you can control. These include finer control over the definition of user permission sets and user group permission sets, as well as the application of such permissions to devices and device sets.
Because Cisco Secure ACS is designed to apply user and administrative privileges in relation to AAA clients, you must represent the CiscoWorks Server on which Firewall MC is running—and each firewall device—as AAA clients in Cisco Secure ACS. For details, see Configuring Authentication and Authorization in User Guide for CiscoWorks Common Services 2.2.
To use Cisco Secure ACS, ensure:
- You have a command authorization set that includes those commands that are required to perform a function in the Firewall MC.
- You have a user role with corresponding command authorization set applied for Firewall MC.
- If a Network Access Restriction (NAR) is applied to the profile, it must include the device group (or the device) that you want to administer.
- In adding the Firewall MC as a AAA client, you can use the keyword
dynamic in place of an IP address if the firewall devices managed by Firewall MC never directly request AAA services of Cisco Secure ACS.
- If the firewall devices managed by Firewall MC use Cisco Secure ACS for command authorization, make sure that you have a shell command authorization set configured.
- That managed device names are spelled and capitalized identically in Cisco Secure ACS and in Firewall MC.
For example, to import a PIX Firewall, ensure that the shared profile includes show config in the authorized command set, the device definition under Network Access Restrictions, and user role that includes administrative privileges.
If, for example, you have the privilege for importing firewall devices, you must have device-level permission to administer each firewall. Likewise, if you have the privilege for deploying on Firewall MC, you must have Firewall MC permission to deploy a configuration file to a PIX Firewall. If you do not have the needed permission on the device, the deployment fails.
For an understanding of TACACS+ security advantages, see the User Guide for Cisco Secure ACS.
Figure B-1 shows how the Cisco Secure ACS user-interface page defines Firewall MC roles and permissions.
Figure B-1 Cisco Secure ACS Page for Defining Firewall MC Roles and Permissions
Cisco Secure ACS assigns eight default roles to Firewall MC, but you can add or delete user-defined roles when you customize your role and permission settings. Also, if you select options under Approve, Edit, Deploy, or Control, the related view privilege is selected implicitly.
Table B-4 is an example of how Cisco Secure ACS roles and privileges can be set to support Firewall MC.
Table B-4 Example of Firewall MC Roles and Descriptions in Cisco Secure ACS
| Role1 |
Description |
|
Super User
|
Can perform all Firewall MC operations.
|
|
System Admin
|
Can change administrative settings.
Can add and modify devices and activities.
Can close activities opened by other users.
|
|
Security Admin
|
Can create and define activities.
Can make policy changes.
|
|
Security Approver
|
Can approve activities.
|
|
Network Admin
|
Can create jobs.
|
|
Network Approver
|
Can approve jobs.
|
|
Network Operator
|
Can create and deploy jobs.
|
|
Help Desk
|
Has read-only access for viewing all system data and reports that might be required to diagnose problems reported.
|
|
All Cisco Secure ACS roles allow you to perform Help Desk tasks.
|
|
Note A security approver cannot submit an activity, only approve it. This role is useful only when formal approval is enabled under Admin>Workflow Setup. If formal approval is not enabled, approval is automatic and the security approver only has the view privilege. |
Firewall MC defines five permission types, described in Table B-5. To define permissions, you must first select a role from a list of roles available, and then define permissions associated with that role.
Table B-5 Cisco Secure ACS Permission Types
| Permission Type |
Abbreviation |
Description |
|
View
|
V
|
Read-only. Can view information, but cannot make changes.
|
|
Edit1
|
E
|
Can make changes.
|
|
Approve
|
A
|
Can approve activities or jobs.
|
|
Deploy
|
D
|
Can deploy and roll back jobs.
|
|
Control
|
C
|
Can close an activity opened by another user.
|
|
The edit privilege implies the view privilege.
|
Cisco Secure ACS differentiates between privileges assigned to firewall devices and privileges assigned to Firewall MC.
Table B-6 shows how you might define Firewall MC roles and privileges to support the five permission types (Table B-5).
Table B-6 Example of Firewall MC Roles and Privileges assigned to Firewall MC and Devices
Using Cisco Secure ACS
| Activity |
Device
Type1,2 |
Roles |
| |
|
Super User |
System Admin |
Security Admin |
Security Approver |
Network Admin |
Network Approver |
Network Operator |
Help Desk |
|
Devices > Importing Devices
|
FW
|
E
|
E
|
E
|
V
|
V
|
V
|
V
|
V
|
|
FMC
|
E
|
E
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Devices > Managing Devices
|
FW
|
E
|
E
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Devices > Managing Groups
|
FW
|
E
|
E
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Firewall Device OS Version
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Interfaces
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Failover
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Auto Update Server > Server and Contact Information
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Auto Update Server > Device AUS Settings
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Auto Update Server > Unique Identity
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Routing > Static Route
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Routing > RIP
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Routing > Proxy ARP
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Firewall Device Administration > Password
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Firewall Device Administration > Firewall Device Contact Info
|
FW
|
E
|
E
|
V
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Firewall Device Administration > HTTPS (SSL)
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Firewall Device Administration > Telnet
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Firewall Device Administration > Secure Shell
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Firewall Device Administration > SNMP
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Firewall Device Administration > ICMP Interface Rules
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Firewall Device Administration > AAA Admin Authentication
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Logging > Logging Setup
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Logging > Syslog
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Logging > ACL Syslog
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Logging > Logging Level
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Logging > Rate Limit Level
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Logging > Rate Limit Message
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Servers and Services > Authentication Prompts
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Servers and Services > URL Filter Server
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Servers and Services > DHCP Server
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Servers and Services > DHCP Relay Agent
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Servers and Services > DHCP Relay Server
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Servers and Services > TFTP Server
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Servers and Services > Easy VPN Remote
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Servers and Services > Easy VPN Management
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Advanced Security > IDS Policy
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Advanced Security > IDS Signatures
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Advanced Security > Anti-spoofing
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Advanced Security > Fragments
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Advanced Security > TCP Options
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Advanced Security > Timeouts
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Advanced Security > Basic Fixups
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Advanced Security > Multimedia Fixups
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Advanced Security > Flood Guard
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Advanced Security > Turbo ACLs
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Config Additions > Beginning Commands
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Device Settings > Config Additions > Ending Commands
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Access Rules > Firewall Rules
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Access Rules > AAA Rules
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Access Rules > Web Filter Rules
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Translation Rules > Static Translation Rules
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Translation Rules > Dynamic Translation Rules
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Translation Rules > Translation Exception Rules (NAT 0 ACL)
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Building Blocks > Network Objects
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Building Blocks > Service Definitions
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Building Blocks > Service Groups
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Building Blocks > AAA Server Group
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Building Blocks > Address Translation Pools
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > Building Blocks > Categories
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > View Config
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > MC Settings > Management
|
FW
|
E
|
E
|
V
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > MC Settings > Deployment
|
FW
|
E
|
E
|
V
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > MC Settings > Import
|
FW
|
E
|
E
|
V
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > MC Settings > Feature Tracking
|
FW
|
E
|
E
|
V
|
V
|
V
|
V
|
V
|
V
|
|
Configuration > MC Settings > Building Blocks
|
FW
|
E
|
E
|
V
|
V
|
V
|
V
|
V
|
V
|
|
Workflow > Activity Management
|
FW
|
E, A
|
E
|
E
|
A
|
V
|
V
|
V
|
V
|
|
FMC
|
E, C
|
E, C
|
V
|
V
|
V
|
V
|
V
|
V
|
|
Workflow > Job Management
|
FW
|
E, A, D
|
V
|
V
|
V
|
E
|
A
|
D
|
V
|
|
Deployment > Status Summary
|
FW
|
E
|
E
|
E
|
V
|
E
|
V
|
V
|
V
|
|
Deployment > Deploy Saved Changes
|
FW
|
E, D
|
V
|
V
|
V
|
E
|
V
|
D
|
V
|
|
Reports > Activity
|
FW
|
V
|
V
|
E
|
V
|
E
|
V
|
V
|
V
|
|
Reports > Stale Devices
|
FW
|
V
|
V
|
E
|
V
|
E
|
V
|
V
|
V
|
|
Reports > Settings
|
FW
|
V
|
V
|
E
|
V
|
E
|
V
|
V
|
V
|
|
Admin > Workflow Setup
|
FMC
|
E
|
E
|
V
|
V
|
V
|
V
|
V
|
V
|
|
Admin > Maintenance
|
FMC
|
E
|
E
|
V
|
V
|
V
|
V
|
V
|
V
|
|
Admin > Support
|
FW
|
E
|
V
|
E
|
V
|
V
|
V
|
V
|
V
|
|
The device type FW refers to either a PIX Firewall or a Firewall Services Module (FWSM).
The device type reference to FMC refers to Firewall MC.
|
