Downloads |
 Feedback
|
Table Of Contents
About Conditions Governing Policies
Cisco APE User Model
This chapter describes the following sections:
•
About Conditions Governing Policies
Object Attributes
You can configure and operate Cisco APE through a set of data classified as objects that are arranged in a hierarchy. Each object contains attributes that define the behavior of each object.
This chapter describes the attributes of the following objects:
•
•
•
•
•
•
•
About Users
Users represent both the Cisco APE system administrators and the operators.
Table 2-1 lists user attributes, which you can set or change.
Note
About Resources
Resources are provided by various devices to which you must control access. Resources can be offered by any kind of device (Telco device, IOS devices, and so on). Any resource that can be accessed through an IP address, or Domain Name System (DNS) and an optional network port is a resource. The term, resource also represents objects that you can authorize access to by using Cisco APE.
Operators can browse and connect to a resource. Also, the TACACS+ server can process authorization requests against resources.
Table 2-2 lists resource attributes which you can set or change.
Table 2-2 Resource Attributes
Name
Required. Must be unique within the resource location. Can be a string up to 128 printable characters
Description
Optional. Can be a string up to 255 printable characters.
IP address
Optional. Must be in the IP address format. Cisco IOS allows you to create an alias for line IDs and Hunt groups on a given Cisco IOS device to an IP address, and attempts to connect to the alias are routed through the Cisco IOS device to the line or Hunt group. You can use this IP address in the URL provided in the operators' UI.
Note
Network port
Required. Must be an integer. An operator can Telnet to this port to access the resource. In the case of devices hanging off a serial line, this information can be used to determine the line ID that the resource is attached to. This is necessary for authorization.
Enabled or disabled flag
Required. The default value is Enabled. This is a toggle setting on a device. When you set the switch to Disable it will not accept any authorization requests, and the Resource does not appear on the operators' UI.
DNS Name
This is an optional value and must be in the standard DNS name format. You can provide this name when you use the IP address alias feature. The DNS name then maps to the alias IP address. (See IP address attribute)
Note
About Hunt Group Resources
A Hunt group is a collection of devices. These devices are associated together such that incoming calls to the Hunt group are automatically distributed across the set of lines by an algorithm. When an operator connects to a Hunt group, the T+ device routes the connection to one of the lines making up the Hunt group. The lines can all go to one physical device or to multiple devices.
A Hunt group resource represents a Hunt group on a Cisco IOS device. You can use the resource to control access to that Hunt group. You can add a Hunt group resource to a role instead of adding each resource in that Hunt group to a Role.
Table 2-3 lists Hunt group resource attributes that you can set or change.
Table 2-3 Hunt Group Resource Attributes
Name
Required. Must be unique within the resource location. Can be a string up to 128 printable characters
Description
Optional. Can be a string up to 255 printable characters.
IP address
Optional if you have entered the network port attribute; required if you have not entered the network port.
Note
Cisco IOS allows you to create an alias for line IDs and Hunt groups on a given Cisco IOS device to an IP address, and attempts to connect to the alias are routed through the Cisco IOS device to the Hunt group. You can use this alias IP address in the URL provided in the operators' UI.
Note
Network Port
The port to which an operator Telnets to access the resource. In the case of devices hanging off a serial line, you can use this information to determine the line ID.
Optional if you have entered the IP address; required if you have not entered the IP address. Must be an integer. You can enter both the IP address and the network port.
Enabled or Disabled Flag
Required. The default value is Enabled. This is a toggle setting on a device. When you set it to Disable, the resource does not appear on the operators' UI.
DNS Name
Optional. Must be in the standard DNS name format. Enter this name when you use the IP address alias feature. The DNS name then maps to the alias IP address. (See IP address.)
About Authorization Devices
An authorization device represents a TACACS+ device or client in the system. The authorization device enforces access control to resources.
Specifying and defining Authorization devices in this system serves two functions:
•
•
Note
Table 2-4 lists authorization device attributes which you can set or change.
About Roles
Roles are relationships of permissions, resources, policies, and users. Use roles to:
•
•
Roles are defined based on unique positions in an organizational structure. Associate access rights with these roles based on the tasks that you assign to a user in a role.
Table 2-5 lists role attributes that you can set or change.
About Resource Types
Resource types are a classification and navigation mechanism for resources.
Table 2-6 lists resource type attributes that you can set or change.
About Locations
Locations are a classification and navigation mechanism for resources. Locations refer to a geographical region of a device or an operator.
Note
Table 2-7 lists location attributes that you can set or change.
About Policies
Policies are rules that apply to roles for access control. Policies allow you to attach business logic to roles. This logic ensures that certain conditions are true before allowing a role to be used in satisfying an authorization request.
Table 2-8 lists policy attributes that you can set or change.
About Conditions Governing Policies
Resource in Location X
This condition evaluates to true if the location of the resource specified in the authorization request is equal to or under the location specified by you (X). When configuring this condition, you must provide a valid location.
Example:
Resource in /US/MA/Middlesex
This condition evaluates to true for any resource with a location of /US/MA/Middlesex or a location under /US/MA/Middlesex.
User in Location YThis condition evaluates to true if the location of the user specified in the authorization request is equal to or under the location specified by you (Y). When configuring this condition, you must provide a valid location.
Example:
User in /US/MA/Middlesex
This condition evaluates to true for any user with a location of /US/MA/Middlesex or a location under /US/MA/Middlesex.
Resource in User's LocationThis condition evaluates to true if the location of the resource specified in the authorization request is equal to or under the location of the user specified in the authorization request. When selecting this condition, you do not need to provide any other input.
Resource is a Resource Type ZThis condition evaluates to true if the resource type of the resource specified in the authorization request is equal to or under the resource type specified by you (Z). When configuring this condition, you must provide a valid resource type.
Example:
Resource is a Cisco/IOS/Switch
This condition evaluate to true for any resource with a resource type of Cisco/IOS/Switch or a resource type under Cisco/IOS/Switch.
Remote Address is A.B.C.DThis condition evaluates to true if the RemoteAddress specified in the authorization request is equal to the one specified by the administrator (A.B.C.D).
Example:
Remote Address is 10.1.1.19
Relationships of Objects
This section describes the data model of Cisco APE and how all the objects work together.
Relationship Between Users and Roles
A user may or may not belong to a role. You can establish this relationship when you are configuring Cisco APE and define which users are members of a particular role. When roles refer to users, it is an indication that a user is a member of that role. A user can be a member of zero or more roles, and roles can refer to zero or more users.
When a role refers to a user, the role can refer to different sets of users:
•
•
•
Relationship Between Users and Locations
•
•
•
•
•
Relationship Between Users and Policies
A user and a policy may or may not be related. This is a dynamic relationship, and is established during an authorization request after you have configured the system. When users request access to a device, a policy can evaluate attributes of users, such as their location to assist in access control.
Relationship Between Resources and Roles
•
•
•
A role can also refer to a predefined resource group. You can create a role which applies to all resources, or create roles which use policies to choose the resources for which the roles apply.
Relationship Between Resources and Resource Types
A resource may have one resource type. Zero or more resources can have the same resource type.
By using policies, you can grant access to a resource based on the resource type. You can also use policies to present resources in the resource type hierarchy in the operators' UI.
Relationship Between Resources and Locations
A resource may or may not have a location. Zero or more resources can have the same location.
By using policies, you can grant access to a resource based on the location of the resource. You can also use policies to present resources in the locations hierarchy in the operators' UI.
Relationship Between Resources and Hunt Group Resources
Hunt groups are logical groups of resources. You can add zero or more resources to a Hunt group resource during configuration.
Relationship Between Resources and Policies
The relationship between resources and policies is established at run time when a user requests authorization to access a resource. Policies examine the attributes of a resource, such as location, or resource type.
Relationship Between Roles
Roles can relate to other roles as parents. A role can be a "child" of another role. When you establish a parent-child relationship between two roles, the child role picks up the following attributes from the parent role:
•
•
•
You can have zero or one parent role. A role may have zero or more "childrens'" roles.
Relationship Between Roles and Policies
You can use policies in roles to enforce rules. A role may have zero or more policies. A policy can refer to zero or more roles.
Relationship Between Resource Types
A resource type:
•
•
•
•
Relationship Between Resource Types and Policies
The relationship between resource types and policies is established both when you specify a resource type in a policy, or when an authorization request is processed. When a user makes an authorization request, a policy examines the specified resource type to control access.
Relationship Between Locations
You must establish a parent-child relationship between locations and define a location hierarchy.
A location:•
•
•
When you define a location to location relationship, the parent locations will appear as trees consisting of branches or "children" locations.
Relationship Between Locations and Policies
A relationship between locations and policies is established when you specify a location in a policy and during an authorization request. When a user makes an authorization request, policies check the specified location attribute of a resource and a user to assist in access control.
Relationship Between Authorization Devices and Resources
An authorization device may have zero or more resources.
Note
You can establish a relationship between an authorization device and a resource when you add the resource to the system. Access to the resource is enforced by the specified authorization device.
