Table of Contents
User Roles and Permissions for AUS
CiscoWorks2000 Server Roles and Privileges
Cisco Secure ACS Roles and Privileges
User Roles and Permissions for AUS
Use of AUS requires authentication of your username and password. Your username and password pair is checked against either the CiscoWorks2000 Server database or the Cisco Secure Access Control Server (ACS) database, depending on which you configured as your AAA provider.
After authentication, your authorization is based on the privileges that you have. A privilege is a task or operation defined within the tool. The set of privileges assigned to you defines your role and dictates how much and what type of system access you have.
When you installed CiscoWorks Common Services, the CiscoWorks2000 Server was chosen to provide AAA services by default. You can change this to ACS before or after installing AUS. See Using CiscoWorks Common Services for details.
CiscoWorks2000 Server Roles and Privileges
When you perform an action on device groups using the CiscoWorks2000 Server AAA method, the action is authorized according to the objects in the device groups.
The CiscoWorks2000 Server has five role types that correspond to likely functions within your organization. Roles are not hierarchical: a role does not automatically include all privileges of the role "below" it. Instead, each role is based on user needs. Other roles may be displayed, depending on the tools you have installed.
Table B-1 shows the roles in CiscoWorks2000 Server that support AUS.
Table B-1 CiscoWorks2000 Roles

| Role | Description |
|---|---|
| System Administrator | Can perform all CiscoWorks2000 Server and AUS tasks. You use this role for adding users, setting user passwords, and assigning user roles and privileges. |
| Network Administrator | Can perform CiscoWorks2000 Server administrative tasks; for example, add or edit devices, device hierarchies, policies, and administrative settings. |
| Network Operator | Can create and submit jobs. |
| Approver | Can review policy changes and accept or reject changes. |
| Help Desk¹ | Has read-only access for viewing devices, device groups, and the entire scope of a VPN. |

¹ All CiscoWorks2000 Server roles allow you to perform Help Desk tasks.
Table B-2 shows CiscoWorks2000 roles and AUS activities that these roles support.
Table B-2 CiscoWorks2000 Roles

| Activity | System Admin | Network Admin | Network Operator | Approver | Help Desk |
|---|---|---|---|---|---|
| View Devices | X | X | X | X | X |
| View Images | X | X | X | X | X |
| View Assignments | X | X | X | X | X |
| View Reports | X | X | X | X | X |
| View Administrative settings | X | X | X | X | X |
| Modify Devices | X | X | - | X | - |
| Modify Images | X | X | - | - | - |
| Modify Assignments | X | X | - | - | - |
| Modify Reports | X | X | - | - | - |
| Modify Administrative settings | X | X | - | - | - |
Cisco Secure ACS Roles and Privileges
Cisco Secure ACS supports roles that are application-specific. A higher-level role includes all privileges associated with lower-level roles. Figure B-1 shows the ACS page used to define AUS roles and permissions.
AUS checks authorization against itself, not on a per-device basis. For an understanding of ACS security advantages, see Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide.
Figure B-1 ACS Page Used to Define AUS Roles and Permissions

ACS assigns four roles to AUS:
- Two reader roles, corresponding to the Guest or Help Desk roles:
  - API_Reader
  - GUI_Reader
- Two writer roles, corresponding to a combination of the Help Desk role plus those of System Administrator, Approver, Network Administrator, and Network Operator:
  - API_Writer
  - GUI_Writer

Reader roles include reading privileges and exclude writing privileges, whereas writer roles include both reading and writing privileges. GUI roles handle requests that come from the GUI; API roles handle requests that come from a third-party interface.

Note: For communication between PIX MC and AUS to be successful, the username and password entered into the PIX MC AUS contact page must be associated with the API_Writer role, or a role that has the same privileges.
Table B-3 shows API_Reader and GUI_Reader privileges.
Table B-3 API_Reader and GUI_Reader Roles

| Privilege | Description |
|---|---|
| Device View (API_View_Device, GUI_View_Device) | Allows you to view device information. |
| Image View (API_View_Images, GUI_View_Images) | Allows you to gather information about software images. |
| Assignment View (API_View_Assignment, GUI_View_Assignment) | Allows you to gather information about assignments and to display information about device-to-file and file-to-device assignments. |
| Reports View (API_View_Reports, GUI_View_Reports) | Allows you to display system summary and event reports. |
| Admin View (API_View_Admin, GUI_View_Admin) | Allows you to display AUS administrative information. |
Table B-4 shows GUI_Writer privileges.
Table B-4 GUI_Writer Role

| Privilege | Description |
|---|---|
| Device View (GUI_View_Device) | Allows you to view device summary information. |
| Image View (GUI_View_Images) | Allows you to gather information about software images. |
| Assignment View (GUI_View_Assignment) | Allows you to gather information about assignments and to display information about device-to-file and file-to-device assignments. |
| Reports View (GUI_View_Reports) | Allows you to display system summary and event reports. |
| Admin View (GUI_View_Admin) | Allows you to display AUS administrative information. |
| Device Force Auto Update (GUI_Modify_Device) | Allows you to force a device to contact AUS. |
| Image Add and Delete (GUI_Modify_Image) | Allows you to add image files to and delete image files from AUS. |
| Assignment Add and Delete (GUI_Modify_Assignment) | Allows you to assign a file to devices and devices to a file. |
| Admin Modify (GUI_Modify_Admin) | Allows you to modify some AUS administrative configurations, such as database passwords. |
Table B-5 shows API_Writer privileges, which include all of the GUI_Writer privileges, plus device and configuration add and delete privileges.
Table B-5 API_Writer Role

| Privilege | Description |
|---|---|
| Device View (API_View_Device) | Allows you to view device information. |
| Image View (API_View_Images) | Allows you to gather information about software images. |
| Assignment View (API_View_Assignment) | Allows you to gather information about assignments and to display information about device-to-file and file-to-device assignments. |
| Reports View (API_View_Reports) | Allows you to display system summary and event reports. |
| Admin View (API_View_Admin) | Allows you to display AUS administrative information. |
| Device Add and Delete (API_Modify_Device) | Allows you to assign devices to and delete devices from images. |
| Device Force Auto Update (API_Modify_Device) | Allows you to force a device to contact AUS. |
| Image Add and Delete (GUI_Modify_Image) | Allows you to add image files to and delete image files from AUS. |
| Configuration Add and Delete (API_Modify_Images) | Allows you to add configuration files to and delete configuration files from AUS. |
| Assignment Add and Delete (GUI_Modify_Assignment) | Allows you to assign a file to devices and devices to a file; also allows you to delete assignments. |
| Admin Modify (API_Modify_Admin) | Allows you to modify some AUS administrative configurations, such as database passwords. |
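As an added illustration (not Cisco code and not part of this guide), the following Python model encodes the ACS role hierarchy and the GUI/API channel split described above, using the privilege names from Tables B-3 to B-5, and checks the PIX MC contact-account requirement from the Note by comparing privilege sets rather than role names. The role-inclusion relations are taken from the text (writer roles include reader privileges; API_Writer includes every GUI_Writer privilege); any custom role name passed in is hypothetical.

```python
"""Toy authorization model for AUS under Cisco Secure ACS roles.

Added illustration, not Cisco code. Privilege names come from Tables B-3
to B-5; the inclusion relations come from the text (writer roles include the
reader privileges, and API_Writer includes every GUI_Writer privilege).
AUS authorizes each request against itself, not per device.
"""
from typing import Dict, Iterable, Set, Tuple

# Privileges each role grants directly (names as listed in the tables).
ROLE_PRIVS: Dict[str, Set[str]] = {
    "GUI_Reader": {"GUI_View_Device", "GUI_View_Images", "GUI_View_Assignment",
                   "GUI_View_Reports", "GUI_View_Admin"},
    "API_Reader": {"API_View_Device", "API_View_Images", "API_View_Assignment",
                   "API_View_Reports", "API_View_Admin"},
    "GUI_Writer": {"GUI_Modify_Device", "GUI_Modify_Image",
                   "GUI_Modify_Assignment", "GUI_Modify_Admin"},
    "API_Writer": {"API_Modify_Device", "API_Modify_Images", "API_Modify_Admin"},
}
# Higher-level roles include all privileges of the lower-level roles.
ROLE_INCLUDES: Dict[str, Tuple[str, ...]] = {
    "GUI_Writer": ("GUI_Reader",),
    "API_Writer": ("API_Reader", "GUI_Writer"),
}

def effective_privileges(roles: Iterable[str],
                         role_privs: Dict[str, Set[str]] = ROLE_PRIVS) -> Set[str]:
    """Expand the role hierarchy transitively and union the privilege sets."""
    seen: Set[str] = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_INCLUDES.get(role, ()))
    return set().union(*(role_privs.get(r, set()) for r in seen))

def authorize(roles: Iterable[str], privilege: str) -> bool:
    """A request is allowed only if the channel-specific privilege is held: a
    GUI_Writer holds GUI_Modify_Device but not API_Modify_Device, so the same
    account is refused when the request arrives through the API."""
    return privilege in effective_privileges(roles)

def pix_mc_account_ok(roles: Iterable[str],
                      role_privs: Dict[str, Set[str]] = ROLE_PRIVS) -> bool:
    """The PIX MC contact account must be API_Writer or a role with the same
    privileges; compare privilege sets rather than role names."""
    return effective_privileges(["API_Writer"]) <= effective_privileges(roles, role_privs)
```

A GUI_Writer account fails the PIX MC check even though it can modify the same objects through the GUI, because the PIX MC requests arrive over the API channel.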