Different types of users can be configured on the AIP-SSM, each with a role associated with it. This section covers AIP-SSM user administration.
User Account Roles and Levels
Each AIP-SSM user account has a role associated with it. There are a total of four roles that can be assigned to an account:
The administrator account has the highest privilege level. Users with this role are able to do the following:
The operator account has the second highest privilege level. These users can view the configuration and statistics. They can also perform some administrative tasks, such as modifying their own passwords, tuning signatures, and configuring shunning (blocking).
Users with viewer privileges can view events and some configuration files. They can also change their own passwords. The viewer account has the lowest of the privilege levels.
IPS monitoring applications require only viewer access to perform their monitoring operations. However, if the application is also used to perform administrative tasks, an account with a higher privilege level is needed.
The service account does not have direct access to the AIP-SSM CLI. Instead, it has access to a bash shell, which enables it to perform specific low-level administrative tasks on the AIP-SSM. This account is not enabled by default.
Only one service account can be configured on the AIP-SSM, or on any other device running CIPS software. Because a shell account bypasses the role-based CLI, the service account should be created only at the request of the Cisco Technical Assistance Center (TAC).
Adding and Deleting Users by Using the CLI
This section shows you how to create and delete users on the AIP-SSM and how to assign the appropriate privilege level to each user depending on their role.
You can add users on the AIP-SSM by using the username command. The command syntax is as follows:
username name [password password] [privilege privilege]
Example 14-5 demonstrates how to create the service account, called service, with a password of cisco12345.
Example 14-5. Creating the Service Account
ChicagoSSM# configure terminal
ChicagoSSM(config)# username service password cisco12345 privilege service
ChicagoSSM(config)# exit
Example 14-6 demonstrates how two accounts are created and assigned operator and viewer roles, respectively.
Example 14-6. Creating Other Accounts
ChicagoSSM# configure terminal
ChicagoSSM(config)# username opuser password cisco12345 privilege operator
ChicagoSSM(config)# username viewuser password cisco12345 privilege viewer
A user called opuser is created and assigned the operator role, and a user called viewuser is created and assigned the viewer role.
Usernames must begin with an alphanumeric character and can be 1 to 64 characters in length. The minimum password length is 6 characters, and passwords can be up to 32 characters in length. All characters except spaces and the question mark (?) are allowed in passwords; the question mark is reserved because it invokes context-sensitive help on the CLI.
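The following is an added example, not part of the original text or of the CIPS software, that turns the account rules above into a small pre-flight checker: it validates a batch of accounts against the username and password constraints, the four valid privilege levels, and the single-service-account limit, and then emits the configuration-mode commands shown in Examples 14-5 and 14-6. The function and class names (build_user_commands, AccountError) and the batch-level enforcement of the one-service-account rule are assumptions for illustration; the checker only applies the constraints the text states and does not assume any additional character restrictions.

```python
import re

# The four roles described in the "User Account Roles and Levels" section.
VALID_PRIVILEGES = {"administrator", "operator", "viewer", "service"}

# Username: 1 to 64 characters, first character alphanumeric (as stated above).
USERNAME_RE = re.compile(r"^[A-Za-z0-9].{0,63}$")
# Password: 6 to 32 characters, no spaces and no '?' (the CLI help character).
PASSWORD_RE = re.compile(r"^[^ ?]{6,32}$")


class AccountError(ValueError):
    """Raised when an account violates one of the documented constraints.

    Hypothetical helper for this example; the sensor CLI reports its own errors."""


def validate_username(name: str) -> str:
    if not USERNAME_RE.fullmatch(name):
        raise AccountError(
            f"username {name!r} must be 1-64 characters and begin with a letter or digit"
        )
    return name


def validate_password(password: str) -> str:
    if not PASSWORD_RE.fullmatch(password):
        raise AccountError(
            "password must be 6-32 characters and may not contain spaces or '?'"
        )
    return password


def validate_privilege(privilege: str) -> str:
    if privilege not in VALID_PRIVILEGES:
        raise AccountError(
            f"privilege {privilege!r} is not one of {sorted(VALID_PRIVILEGES)}"
        )
    return privilege


def build_user_commands(accounts):
    """Return the configuration-mode command lines that create *accounts*.

    *accounts* is an iterable of (username, password, privilege) tuples.
    Only one service account is permitted per sensor, so a batch that
    contains more than one is rejected before any command is generated.
    """
    service_accounts = 0
    lines = ["configure terminal"]
    for name, password, privilege in accounts:
        validate_username(name)
        validate_password(password)
        validate_privilege(privilege)
        if privilege == "service":
            service_accounts += 1
            if service_accounts > 1:
                raise AccountError("only one service account may be configured")
        lines.append(f"username {name} password {password} privilege {privilege}")
    lines.append("exit")
    return lines


if __name__ == "__main__":
    # Constructed sample batch mirroring Example 14-6.
    batch = [("opuser", "cisco12345", "operator"), ("viewuser", "cisco12345", "viewer")]
    print("\n".join(build_user_commands(batch)))
```

Running the checker locally before pasting commands into the sensor catches the usual mistakes (a too-short password, a stray question mark, a second service account) without triggering errors in a live configuration session.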
To delete a user from the AIP-SSM, use the no username username command. Example 14-7 demonstrates how opuser is deleted from the AIP-SSM.
Example 14-7. Deleting a User
ChicagoSSM# configure terminal
ChicagoSSM(config)# no username opuser
You can change your own password or another user's password by using the password command. To change the password for another user, you must be logged in with an account that has administrator privileges. Example 14-8 demonstrates how the AIP-SSM administrator changes the password for user viewuser.
Example 14-8. Changing viewuser's Password
ChicagoSSM# configure terminal
ChicagoSSM(config)# password viewuser
Enter New Login Password: ******
Re-enter New Login Password: ******
Example 14-9 demonstrates how you can change your own password by invoking the password command without a username from configuration mode.
Example 14-9. Changing Your Own Password
ChicagoSSM# configure terminal
ChicagoSSM(config)# password
Enter New Login Password: ******
Re-enter New Login Password: ******