Using Management Center for Firewalls 1.3
Understanding User Roles and Permissions

Table Of Contents

Understanding User Roles and Permissions

CiscoWorks Server Roles and Firewall MC Privileges

Cisco Secure ACS Roles and Privileges


Understanding User Roles and Permissions


To use Firewall MC, you must enter a username and password combination to be authenticated. After the authentication of your credentials, you have access according to the role you have been assigned. Your role is a collection of privileges that dictate the type of system access you have. If you are not authorized for certain Firewall MC tasks or for certain devices, the related Firewall MC controls are hidden or disabled.


Note When you use workflow with formal approval disabled, the button for completing (submitting) an activity or job is labeled Approve and there is no Submit button. However, you must have submittal privileges, not approval privileges, to click the Approve button in this case.

To work around this problem, make sure submittal privileges are assigned to users who must use the Approve button.


Your username and password are compared with the account information stored in the CiscoWorks or Cisco Secure Access Control Server (ACS) database, depending on which you established at installation as your AAA provider. When you install CiscoWorks Commons Services, the CiscoWorks Server provides administrative account services. By default, CiscoWorks manages authentication and authorization. You can change your AAA provider to Cisco Secure ACS before or after you install Firewall MC. See User Guide for CiscoWorks Common Services 2.2 for details.

When changing between CiscoWorks and Cisco Secure ACS authentication, you might not be able to manage the same activities and jobs. This is because you could have different privileges in the two authorization systems. As a result, you should always approve or undo remaining activities, and deploy or undo remaining jobs before changing the authentication scheme.

CiscoWorks Server Roles and Firewall MC Privileges

CiscoWorks has predetermined roles that correspond to likely functions within your organization. Any username assigned one or more roles has access to the privileges those roles enable in Firewall MC. Roles are not hierarchical: a role does not include all privileges of the role below it. Instead, each role is based on user needs.

Table B-1 shows the roles in CiscoWorks that support Firewall MC.

Table B-1 CiscoWorks Roles and Descriptions

| Role (1)             | Description                                                                                                              |
|----------------------|--------------------------------------------------------------------------------------------------------------------------|
| System Administrator | Can change administrative settings; can add and modify devices and activities; can close activities opened by other users. |
| Network Administrator| Can perform all Firewall MC operations; can close activities opened by other users.                                      |
| Network Operator     | Can make policy changes (but not device inventory changes); can create and deploy jobs.                                  |
| Approver             | Can review policy (activity) changes, and approve or reject activities; can approve or reject jobs.                      |
| Help Desk            | Has read-only access for viewing all system data and reports that might be required to diagnose reported problems.       |
| Export Data          | Not implemented.                                                                                                         |
| Developer            | Not implemented.                                                                                                         |

(1) All CiscoWorks roles allow you to perform Help Desk tasks.


Firewall MC defines five privilege types, described in Table B-2.

Table B-2 CiscoWorks Privilege Types

| Privilege Type | Abbreviation | Description                                             |
|----------------|--------------|---------------------------------------------------------|
| None           | N            | Cannot view information or make changes.                |
| View           | V            | Read-only. Can view information, but cannot make changes. |
| Modify         | M            | Can view information and make changes.                  |
| Approve        | A            | Can approve activities or jobs.                         |
| Deploy         | D            | Can deploy and roll back jobs.                          |
| Control        | C            | Can close an activity opened by another user.           |


Table B-3 shows CiscoWorks roles and the Firewall MC activities that these roles support.


Note See Table B-2 for table abbreviations and their meanings.


Table B-3 CiscoWorks Roles and Privileges Using Firewall MC

| Activity                               | System Admin | Network Admin | Network Operator | Approver | Help Desk |
|----------------------------------------|--------------|---------------|------------------|----------|-----------|
| Devices > Importing Devices            | M            | M             | V                | V        | V         |
| Devices > Managing Devices             | M            | M             | V                | V        | V         |
| Devices > Managing Groups              | M            | M             | V                | V        | V         |
| Configuration > Device Settings > *    | V            | M             | M (1)            | V        | V         |
| Configuration > Access Rules > *       | V            | M             | M                | V        | V         |
| Configuration > Translation Rules > *  | V            | M             | M                | V        | V         |
| Configuration > Building Blocks > *    | V            | M             | M                | V        | V         |
| Configuration > VPN > *                | V            | M             | M                | V        | V         |
| Configuration > View Config            | V            | M             | M                | V        | V         |
| Configuration > MC Settings > *        | M            | M             | V                | V        | V         |
| Workflow > Activity Management         | M, C         | M, A, C       | M                | A        | V         |
| Workflow > Job Management              | V            | M, A, D       | M, D             | A        | V         |
| Deployment > Status Summary            | V            | V             | V                | V        | V         |
| Deployment > Status Summary > Status   | V            | V             | V                | N        | N         |
| Deployment > Deploy Saved Changes      | M            | M, D          | M, D             | V        | V         |
| Reports > *                            | V            | M             | V                | V        | V         |
| Admin > Workflow Setup                 | M            | M             | V                | V        | V         |
| Admin > Maintenance                    | M            | M             | V                | V        | V         |
| Admin > Support                        | V            | M             | M                | V        | V         |
| Admin > Take Over Changes              | M            | M             | V                | V        | V         |

(1) Network Operator has view-only privileges for AUS.


Cisco Secure ACS Roles and Privileges

Cisco Secure ACS 3.1 and later supports roles that are specific to Firewall MC. User authentication with Cisco Secure ACS is more sophisticated than authentication with CiscoWorks because Cisco Secure ACS provides a variety of privilege combinations that you can control. The result is finer control over the definition of user and user group permission sets, and over the application of those permissions to particular devices and device sets.

Because Cisco Secure ACS is designed to apply user and administrative privileges in relation to AAA clients, you must represent the CiscoWorks Server on which Firewall MC is running—and each firewall device—as AAA clients in Cisco Secure ACS. For details, see Configuring Authentication and Authorization in User Guide for CiscoWorks Common Services 2.2.

To use Cisco Secure ACS, make sure that:

- You have a command authorization set that includes the commands required to perform a function in Firewall MC.
- You have a user role, with the corresponding command authorization set applied, for Firewall MC.
- Any Network Access Restriction (NAR) applied to the profile includes the device group (or the device) that you want to administer.
- You have a shell command authorization set configured if the firewall devices managed by Firewall MC use Cisco Secure ACS for command authorization.
- Managed device names are spelled and capitalized identically in Cisco Secure ACS and in Firewall MC.

When using Cisco Secure ACS for authentication, an administrator can only access the Firewall MC-specific features in the Common Services desktop, such as Compact Database and Database Checkpoint, if that administrator has an identical username with system admin or network admin privileges defined in CiscoWorks Common Services.

For example, to import a PIX Firewall, ensure that the shared profile includes show config in the authorized command set, the device definition under Network Access Restrictions, and a user role that includes administrative privileges.

If, for example, you have the privilege for importing firewall devices, you must have device-level permission to administer each firewall. Likewise, if you have the privilege for deploying on Firewall MC, you must have Firewall MC permission to deploy a configuration file to a PIX Firewall. If you do not have the needed permission on the device, the deployment fails.

For an understanding of TACACS+ security advantages, see the User Guide for Cisco Secure ACS.

Figure B-1 shows how the Cisco Secure ACS user-interface page defines Firewall MC roles and permissions.

Figure B-1 Cisco Secure ACS Page for Defining Firewall MC Roles and Permissions

Firewall MC defines five permission types, described in Table B-4. To define permissions, you must first select a role from a list of roles available, and then define permissions associated with that role.

Table B-4 Cisco Secure ACS Permission Types

| Permission Type | Abbreviation | Description                                             |
|-----------------|--------------|---------------------------------------------------------|
| None            | N            | Cannot view information or make changes.                |
| View            | V            | Read-only. Can view information, but cannot make changes. |
| Edit (1)        | E            | Can make changes.                                       |
| Approve         | A            | Can approve activities or jobs.                         |
| Deploy          | D            | Can deploy and roll back jobs.                          |
| Control         | C            | Can close an activity opened by another user.           |

(1) The edit privilege implies the view privilege.


The list of five permission types (defined in Table B-4) expands in a branching fashion when the box to the left of any permission type is double-clicked. The expansion of each permission type branch shows successive levels of activity detail in a way that mirrors the Firewall MC functional hierarchy. The listed activities are either selected (permitted) or deselected (denied) as shown by their check box. For each branch or portion of a branch, selecting an activity causes the rest of the activities in that branch to be selected. Also, if you select options under Approve, Edit, Deploy, or Control, the related View privilege is selected implicitly.

Cisco Secure ACS differentiates between privileges assigned to firewall devices and privileges assigned to Firewall MC.

Table B-5 details the default Cisco Secure ACS roles and privileges that support Firewall MC.

Table B-5 Default Firewall MC Roles and Descriptions in Cisco Secure ACS

| Role (1)          | Description                                                                                                              |
|-------------------|--------------------------------------------------------------------------------------------------------------------------|
| Super User        | Can perform all Firewall MC operations.                                                                                  |
| System Admin      | Can change administrative settings; can add and modify devices and activities; can close activities opened by other users. |
| Security Admin    | Can create and define activities; can make policy changes.                                                               |
| Security Approver | Can approve activities.                                                                                                  |
| Network Admin     | Can create jobs.                                                                                                         |
| Network Approver  | Can approve jobs.                                                                                                        |
| Network Operator  | Can create and deploy jobs.                                                                                              |
| Help Desk         | Has read-only access for viewing all system data and reports that might be required to diagnose reported problems.       |

(1) All Cisco Secure ACS roles allow you to perform Help Desk tasks.


Cisco Secure ACS assigns eight default roles to Firewall MC that you can use. These default roles can be used as-is, or you can edit them to suit your own particular role definitions. Likewise, you can add or delete roles to suit your requirements.


Note A security approver cannot submit an activity, only approve it. This role is useful only when formal approval is enabled under Admin > Workflow Setup. If formal approval is not enabled, approval is automatic and the security approver only has the view privilege.


Table B-6 details how the Firewall MC roles map to the five permission types defined in Table B-4, both for Firewall MC itself and for the managed devices.

Table B-6 Details of Firewall MC Roles and Privileges Assigned to Firewall MC and Devices Using Cisco Secure ACS

| Activity | Device Type (1, 2) | Super User | System Admin | Security Admin | Security Approver | Network Admin | Network Approver | Network Operator | Help Desk |
|---|---|---|---|---|---|---|---|---|---|
| Devices > Importing Devices | FW | E | E | E | V | V | V | V | V |
| Devices > Importing Devices | FMC | E | E | E | V | V | V | V | V |
| Devices > Managing Devices | ANY (3) | E | E | E | V | V | V | V | V |
| Devices > Managing Groups | FW | E | E | E | V | V | V | V | V |
| Configuration > Device Settings > Firewall Device OS Version | FW | E | V | E | V | V | V | V | V |
| Configuration > Device Settings > Interfaces | FW | E | V | E | V | V | V | V | V |
| Configuration > Device Settings > Transparent Firewall | FW | E | V | E | V | V | V | V | V |
| Configuration > Device Settings > Failover | FW | E | V | E | V | V | V | V | V |
| Configuration > Device Settings > Auto Update Server > Server and Contact Information | FW | E | V | E | V | V | V | V | V |
| Configuration > Device Settings > Auto Update Server > * | FW | E | V | E | V | V | V | V | V |
| Configuration > Device Settings > Routing > * | FW | E | V | E | V | V | V | V | V |
| Configuration > Device Settings > Firewall Device Administration > * | FW | E | V | E | V | V | V | V | V |
| Configuration > Device Settings > Logging > * | FW | E | V | E | V | V | V | V | V |
| Configuration > Device Settings > Servers and Services > * | FW | E | V | E | V | V | V | V | V |
| Configuration > Device Settings > Advanced Security > * | FW | E | V | E | V | V | V | V | V |
| Configuration > Device Settings > Config Additions > * | FW | E | V | E | V | V | V | V | V |
| Configuration > Access Rules > Firewall Rules | FW | E | V | E | V | V | V | V | V |
| Configuration > Access Rules > AAA Rules | FW | E | V | E | V | V | V | V | V |
| Configuration > Access Rules > Web Filter Rules | FW | E | V | E | V | V | V | V | V |
| Configuration > Access Rules > Ethertype Rules | FW | E | V | E | V | V | V | V | V |
| Configuration > Translation Rules > Translation Exception Rules (NAT 0 ACL) | FW | E | V | E | V | V | V | V | V |
| Configuration > Translation Rules > Static Translation Rules | FW | E | V | E | V | V | V | V | V |
| Configuration > Translation Rules > Dynamic Translation Rules | FW | E | V | E | V | V | V | V | V |
| Configuration > Translation Rules > View All Translations | FW | V | V | V | V | V | V | V | V |
| Configuration > Building Blocks > Network Objects | FW | E | V | E | V | V | V | V | V |
| Configuration > Building Blocks > Service Definitions | FW | E | V | E | V | V | V | V | V |
| Configuration > Building Blocks > Service Groups | FW | E | V | E | V | V | V | V | V |
| Configuration > Building Blocks > AAA Server Group | FW | E | V | E | V | V | V | V | V |
| Configuration > Building Blocks > Address Translation Pools | FW | E | V | E | V | V | V | V | V |
| Configuration > Building Blocks > IPSec Transform Sets | FW | E | V | E | V | V | V | V | V |
| Configuration > Building Blocks > IPSec Tunnel Templates | FW | E | V | E | V | V | V | V | V |
| Configuration > Building Blocks > Categories | FW | E | V | E | V | V | V | V | V |
| Configuration > VPN > IKE Options | FW | E | V | E | V | V | V | V | V |
| Configuration > VPN > Tunnels | FW | E | V | E | V | V | V | V | V |
| Configuration > VPN > Tunnel Rules | FW | E | V | E | V | V | V | V | V |
| Configuration > VPN > Remote Access | FW | E | V | E | V | V | V | V | V |
| Configuration > VPN > Sysopt | FW | E | V | E | V | V | V | V | V |
| Configuration > View Config > Generate Config | FW | E | V | E | V | V | V | V | V |
| Configuration > View Config > Generate and View Difference With Last Deployed Config | FW | E | V | E | V | V | V | V | V |
| Configuration > View Config > Generate and View Difference With Running Config | FW | E | V | E | V | V | V | V | V |
| Configuration > View Config | FW | E | V | E | V | V | V | V | V |
| Configuration > MC Settings > Management | FW | E | E | V | V | V | V | V | V |
| Configuration > MC Settings > Deployment | FW | E | E | V | V | V | V | V | V |
| Configuration > MC Settings > Import | FW | E | E | V | V | V | V | V | V |
| Configuration > MC Settings > Feature Tracking | FW | E | E | V | V | V | V | V | V |
| Configuration > MC Settings > Object Grouping | FW | E | E | V | V | V | V | V | V |
| Configuration > MC Settings > VPN Settings | FW | E | E | V | V | V | V | V | V |
| Workflow > Activity Management | FW | E, A | E | E | A | V | V | V | V |
| Workflow > Activity Management | FMC | E, C | E, C | V | V | V | V | V | V |
| Workflow > Job Management | FW | E, A, D | V | V | V | E | A | D | V |
| Deployment > Status Summary | FW | V | V | V | V | V | V | V | V |
| Deployment > Status Summary > Status | FW | V | N | V | N | V | N | V | N |
| Deployment > Deploy Saved Changes | FW | E, D | V | V | V | E | V | D | V |
| Reports > Activity | ANY | E | V | E | V | E | V | V | V |
| Reports > Configuration Differences | FW | E | V | E | V | E | V | V | V |
| Reports > Settings | FW | E | V | E | V | E | V | V | V |
| Reports > Policy Query | FW | E | V | E | V | E | V | V | V |
| Admin > Workflow Setup | FMC | E | E | V | V | V | V | V | V |
| Admin > Maintenance | FMC | E | E | V | V | V | V | V | V |
| Admin > Support | FW | E | V | E | V | V | V | V | V |
| Admin > Take Over Changes | FW | E | V | E | V | V | V | V | V |

(1) The device type FW refers to either a PIX Firewall or a Firewall Services Module (FWSM).

(2) The device type FMC refers to Firewall MC.

(3) The device type ANY means that full authorization for that activity is granted if the user has the edit privilege for any device in Firewall MC. For example, a user who has the Devices > Managing Devices - Edit privilege for one device in Firewall MC is granted Devices > Managing Devices - Edit privilege for all devices. Even if that user has view-only privileges for a specific device, that user can delete any device under Managing Devices. Therefore, the edit privilege should only be granted to trusted users.
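The permission resolution that Table B-6 and its footnotes describe, as an added Python example that is not part of this guide or of Firewall MC: it applies the rule that Edit (and the other change privileges) implies View (Table B-4, footnote 1), applies the ANY device-type rule (footnote 3), and reports devices where a user gains Edit only through that rule, which is the exposure footnote 3 warns about. The Grant structure, the function names and the device names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Table B-4 abbreviations: N, V, E, A, D, C. Holding E, A, D or C implies V.
IMPLY_VIEW = {"E", "A", "D", "C"}
# Activities whose device type is ANY in Table B-6 (footnote 3): Edit on any one
# device counts as Edit on every device for that activity.
ANY_SCOPE_ACTIVITIES = {"Devices > Managing Devices", "Reports > Activity"}


@dataclass(frozen=True)
class Grant:
    """One user's permissions for one activity on one device (assumed shape)."""
    device: str
    activity: str
    perms: frozenset


def effective_perms(grants, activity, device):
    """Resolve what the user can actually do for `activity` on `device`."""
    perms = {p for g in grants if (g.activity, g.device) == (activity, device)
             for p in g.perms}
    # Footnote 3: for an ANY-scope activity, Edit anywhere becomes Edit everywhere.
    if activity in ANY_SCOPE_ACTIVITIES and any(
            "E" in g.perms for g in grants if g.activity == activity):
        perms.add("E")
    if perms & IMPLY_VIEW:  # Table B-4 footnote 1: a change privilege implies View
        perms.add("V")
    return perms or {"N"}


def audit_any_scope(grants):
    """(activity, device) pairs where Edit arrives only through the ANY rule,
    i.e. the device looks view-only in ACS but the user can still edit it."""
    devices = sorted({g.device for g in grants})
    findings = []
    for activity in sorted(ANY_SCOPE_ACTIVITIES):
        if not any("E" in g.perms for g in grants if g.activity == activity):
            continue
        for device in devices:
            direct = {p for g in grants
                      if (g.activity, g.device) == (activity, device) for p in g.perms}
            if "E" not in direct:
                findings.append((activity, device))
    return findings


# Constructed sample: two PIX devices (placeholder names) and one user's grants.
SAMPLE_GRANTS = [
    Grant("pix-dmz", "Devices > Managing Devices", frozenset({"E"})),
    Grant("pix-core", "Devices > Managing Devices", frozenset({"V"})),
    Grant("pix-core", "Configuration > Access Rules > Firewall Rules", frozenset({"V"})),
    Grant("pix-dmz", "Workflow > Job Management", frozenset({"D"})),
]
```

Running audit_any_scope over the sample reports pix-core under Devices > Managing Devices: the user is view-only on that device in ACS, yet the Edit held on pix-dmz is enough to manage (including delete) pix-core.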