User Roles and Permissions
Your username and password must be authenticated for you to use AUS. Your username and password pair is compared with either the CiscoWorks Server or Cisco Secure Access Control Server (ACS) database, depending on which you configured to use with AUS.
After authentication, your authorization is based on the privileges that were assigned to you. A privilege is a task or operation defined within the application. The set of privileges assigned to you defines your role and dictates how much and what type of system access you have.
These topics provide details about the user roles and permissions associated with the two types of authentication methods:
• AUS Privileges
• CiscoWorks Server Roles and AUS Privileges
• Cisco Secure ACS Roles and AUS Privileges
AUS Privileges
AUS privileges are the major actions that you can perform. These privileges are assigned to the CiscoWorks Server and ACS roles described in the following sections:
• CiscoWorks Server Roles and AUS Privileges
• Cisco Secure ACS Roles and AUS Privileges
The following table lists the AUS privileges.
Table B-1 AUS Privileges

| Privilege | Description |
| --- | --- |
| API_View_Device, GUI_View_Device | Allows you to view device information. |
| API_View_Images, GUI_View_Images | Allows you to display information about software images. |
| API_View_Assignment, GUI_View_Assignment | Allows you to gather and display information about device-to-file and file-to-device assignments. |
| API_View_Reports, GUI_View_Reports | Allows you to display system summary information and event reports. |
| API_View_Admin, GUI_View_Admin | Allows you to display AUS administrative information. |
| API_Modify_Device, GUI_Modify_Device | Allows you to force a device to contact AUS. |
| API_Modify_Images, GUI_Modify_Image | Allows you to add images to and delete images from AUS. |
| API_Modify_Assignment, GUI_Modify_Assignment | Allows you to assign a file to devices and devices to a file. |
| API_Modify_Admin, GUI_Modify_Admin | Allows you to change AUS administrative configuration settings. |
CiscoWorks Server Roles and AUS Privileges
When you perform an action on devices using the CiscoWorks Server authentication method, the action is authorized according to the selected device.
The CiscoWorks Server has five roles that correspond to likely functions within your organization.
The following table lists roles for use with AUS.
Table B-2 CiscoWorks Roles

| Role | Description |
| --- | --- |
| System Administrator | Can perform all CiscoWorks Server and AUS tasks, for example, add users, set user passwords, add or delete images, and delete assignments. |
| Network Administrator | Can perform CiscoWorks Server administrative tasks and has the same privileges as the system administrator. |
| Network Operator | Has read-only access to all information in AUS. |
| Approver | Can modify devices. Has read-only access for images, assignments, reports, and administration tasks. |
| Help Desk | Has read-only access to all information in AUS. |
Table B-3 lists AUS roles and their supported privileges. See Table B-1 for descriptions of the privileges.
Table B-3 CiscoWorks Roles and AUS Privileges

| Privilege | System Administrator | Network Administrator | Network Operator | Approver | Help Desk |
| --- | --- | --- | --- | --- | --- |
| API_View_Device, GUI_View_Device | X | X | X | X | X |
| API_View_Images, GUI_View_Images | X | X | X | X | X |
| API_View_Assignment, GUI_View_Assignment | X | X | X | X | X |
| API_View_Reports, GUI_View_Reports | X | X | X | X | X |
| API_View_Admin, GUI_View_Admin | X | X | X | X | X |
| API_Modify_Device, GUI_Modify_Device | X | X | - | X | - |
| API_Modify_Images, GUI_Modify_Image | X | X | - | - | - |
| API_Modify_Assignment, GUI_Modify_Assignment | X | X | - | - | - |
| API_Modify_Admin, GUI_Modify_Admin | X | X | - | - | - |
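
The role descriptions in Table B-2 and the matrix in Table B-3, encoded as data to find the least-privileged CiscoWorks role for a task. This is an added example, not part of the Cisco documentation; each row is keyed by its API_ privilege name, and the function names and sample accounts are constructed for illustration.

```python
# Added example, not Cisco code. Each Table B-3 row pairs an API_ and a GUI_
# privilege that are granted together; rows are keyed here by the API_ name.
VIEW = frozenset({"API_View_Device", "API_View_Images", "API_View_Assignment",
                  "API_View_Reports", "API_View_Admin"})
MODIFY = frozenset({"API_Modify_Device", "API_Modify_Images",
                    "API_Modify_Assignment", "API_Modify_Admin"})

# Role -> privileges, following the role descriptions in Table B-2.
ROLE_PRIVILEGES = {
    "System Administrator": VIEW | MODIFY,
    "Network Administrator": VIEW | MODIFY,
    "Network Operator": VIEW,
    "Approver": VIEW | {"API_Modify_Device"},
    "Help Desk": VIEW,
}


def least_privileged_roles(required):
    """Map each role that covers `required` with the fewest unneeded
    privileges to the sorted list of privileges it grants beyond the need."""
    required = frozenset(required)
    unknown = required - (VIEW | MODIFY)
    if unknown:
        raise ValueError(f"not an AUS privilege: {sorted(unknown)}")
    excess = {role: privs - required
              for role, privs in ROLE_PRIVILEGES.items() if required <= privs}
    fewest = min(len(extra) for extra in excess.values())
    return {role: sorted(extra) for role, extra in excess.items()
            if len(extra) == fewest}


def role_mismatches(assignments):
    """assignments: user -> (current role, privileges the user needs).
    Returns user -> best-fit roles, for users whose role is not one of them."""
    findings = {}
    for user, (role, needed) in assignments.items():
        best = least_privileged_roles(needed)
        if role not in best:
            findings[user] = sorted(best)
    return findings


# Constructed sample accounts (hypothetical names).
SAMPLE = {
    "report-viewer": ("Network Administrator", {"API_View_Reports"}),
    "change-approver": ("Approver", {"API_Modify_Device"}),
    "image-uploader": ("System Administrator", {"API_Modify_Images"}),
}

if __name__ == "__main__":
    print(role_mismatches(SAMPLE))
```

With CiscoWorks authentication, any modify task other than forcing a device to contact AUS resolves only to the two administrator roles, which grant every privilege.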
Cisco Secure ACS Roles and AUS Privileges
Cisco Secure ACS supports roles that are application-specific. A higher-level role includes all privileges associated with lower-level roles. Unlike other applications that use ACS for authentication, AUS checks authorization with itself, not on a per-device basis.
You can use the AUS roles already defined in ACS, or you can create your own, customized roles.
For more information about using ACS and for an understanding of ACS security advantages, see the User Guide for Cisco Secure ACS for Windows Server.
The following table lists the default roles for use with AUS.
Table B-4 ACS Roles

| Role | Description |
| --- | --- |
| System Administrator | Full privileges (superuser). |
| Network Administrator | Full privileges (superuser). |
| Network Operator | Read privileges for the GUI. |
| AUS Remote Interface | Privileges to access only the external interface and not the GUI. |
| Help Desk | Read-only privileges for nonsensitive data. |
| API Reader | Read privileges for the external interface. |
| API Writer | Read and write privileges for the external interface. |
| GUI Reader | Read privileges for viewing information on the GUI. |
| GUI Writer | Read and write privileges for viewing and modifying information on the GUI. |
Note: For communication between Security Manager and AUS to be successful, the username and password entered for AUS in Security Manager must be associated with the API_Writer role, a role that has the same privileges, or the AUS remote interface.
Table B-5 lists the default AUS roles and their supported privileges. See Table B-1 for descriptions of the privileges.
Table B-5 ACS Roles and AUS Privileges

| Privilege | | | | | | | | |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| API_View_Device | X | X | X | - | X | - | X | - |
| GUI_View_Device | X | X | X | X | | X | - | X |
| API_View_Images | X | X | X | - | X | - | X | - |
| GUI_View_Images | X | X | X | X | | X | - | X |
| API_View_Assignment | X | X | X | - | X | - | X | - |
| GUI_View_Assignment | X | X | X | X | | X | - | X |
| API_View_Reports | X | X | X | - | X | - | X | - |
| GUI_View_Reports | X | X | X | X | | X | - | X |
| API_View_Admin | X | X | X | X | X | - | X | - |
| GUI_View_Admin | X | X | X | - | - | X | - | X |
| API_Modify_Device | X | X | - | - | - | - | X | - |
| GUI_Modify_Device | X | X | - | - | - | - | - | X |
| API_Modify_Images | X | X | - | - | - | - | X | - |
| GUI_Modify_Images | X | X | - | - | - | - | - | X |
| API_Modify_Assignment | X | X | - | - | - | - | X | - |
| GUI_Modify_Assignment | X | X | - | - | - | - | - | X |
| API_Modify_Admin | X | X | - | - | - | - | X | - |
| GUI_Modify_Admin | X | X | - | - | - | - | - | X |