CSA MC Role-Based Access Control


The CSA MC server automatically employs role-based access control (RBAC) through the VMS user management policy. Every user who wants to use the CSA MC component must first log in to the VMS server with a username and password. Users are granted certain rights to the CSA MC through inheritance from the VMS user database. The CSA MC server has additional administrator controls beyond the basic inherited VMS rights, which you learn about in the next sections.

Inherited VMS Administrative Rights

Rights inherited by the CSA MC from VMS are directly related to the VMS administrative rights. To configure a new VMS administrator user ID, you need to open the Server Configuration drawer in the VMS application. From there, choose Setup > Security. You should see several options related to authentication and user configuration, as follows:

  • Select Login Module: This option enables you to select how users who log in to the VMS application are authenticated. Modules include the following:

    • Local CiscoWorks User Database

    • Local NT System

    • MS Active Directory

    • Netscape Directory

    • IBM SecureWay Directory

    • KerberosLogin

    • RADIUS

    • TACACS+

    The default is to use the local CiscoWorks user database.

  • Permissions Report: This link provides a matrix illustrating the rights each type of VMS user has per application.

  • Who Is Logged On: This link provides a view of all VMS users and whether they are currently online or offline. It also displays the roles assigned to each user and, if the user is online, the IP address and date/time of authentication. You can also broadcast a message to all online users if necessary.

  • Modify My Profile: This enables users to edit their account on the VMS server.

  • Add Users: This is where you would create a new user account to access the VMS server and, in turn, the CSA MC. Figure 14-8 shows an example.

    Figure 14-8. Add CiscoWorks VMS User Page


  • Modify/Delete Users: After a user has been created, you can change the assigned roles and other parameters from this page.

To effectively add a user with the correct inherited rights, you must understand how the various roles map into CSA MC administrative roles. Here are the CSA MC administrative roles:

  • Configure: This type is inherited from the network administrator or system administrator VMS roles and has full read and write access to the CSA MC database.

  • Deploy: This type is inherited from the network operator VMS role. This CSA MC administrator has full read and partial write access to the CSA MC database. They can manage groups, manage hosts, create new agent kits, schedule software updates for agents, attach policies to groups, and monitor CSA events.

  • Monitor: If the user has neither of the preceding roles but has a valid VMS login account, the user can view the database but not make changes. These users can also create event sets for use in reports and alerts, and can create those reports and alerts, without impacting agent configuration or software.

CSA MC Administrative Control

Beyond the administrative rights mapping provided by the CiscoWorks VMS server, the CSA MC can further control the access an administrator has to certain objects.

NOTE

You must have configure rights on the CSA MC to edit the Admin Access Control parameters.


To configure restricted access to an administrator account, follow these steps and refer to Figure 14-9:

Step 1. Choose Maintenance > Admin Preferences in the CSA MC application.

Step 2. Choose Admin Access Control to enter the configuration page.

Step 3. Choose the administrators you want to limit from the multiple-selection box at the top of the configuration page.

Step 4. Assign the groups you want them to have rights to view.

Step 5. Click Save.

Figure 14-9. CSA MC Admin Access Control Configuration


NOTE

Only administrators with monitor rights can be restricted to a limited view by group. You cannot restrict any of the other administrative types to configuring only portions of the database. When an administrator has write access, the administrator has write access to the entire CSA MC database.
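The role inheritance and group-scoping rules above can be checked during an access review. The following Python sketch is an added example, not code from the book or from Cisco: the account records and the `restricted_groups` field are constructed, the "Help Desk" role stands in for any VMS role the text does not map, and it assumes that when an account holds several VMS roles the most privileged mapping applies.

```python
# Added illustration of the role inheritance and group-scoping rules in this
# section. Account records are constructed samples, not a real VMS export.

# VMS role -> CSA MC administrative role, as listed in the text.
VMS_TO_CSA = {
    "network administrator": "configure",
    "system administrator": "configure",
    "network operator": "deploy",
}
RANK = {"monitor": 0, "deploy": 1, "configure": 2}
WRITE = {"monitor": "none", "deploy": "partial", "configure": "full"}


def csa_role(vms_roles):
    """Map an account's VMS roles to one CSA MC role. Any other valid VMS
    login is monitor. Assumption: with several roles, the highest wins."""
    mapped = [VMS_TO_CSA.get(r.strip().lower(), "monitor") for r in vms_roles]
    return max(mapped, key=RANK.__getitem__, default="monitor")


def audit(accounts):
    """Return (user, role, write_access, view_scope, finding) per account."""
    report = []
    for acct in accounts:
        role = csa_role(acct["vms_roles"])
        groups = sorted(acct.get("restricted_groups") or [])
        finding = None
        if role == "monitor":
            # Only monitor admins can be held to a per-group view.
            view_scope = groups if groups else "all groups"
        else:
            # Write access is never scoped by group in the CSA MC.
            view_scope = "all groups"
            if groups:
                finding = "group view limits apply only to monitor admins"
        report.append((acct["user"], role, WRITE[role], view_scope, finding))
    return report


SAMPLE_ACCOUNTS = [  # constructed for illustration
    {"user": "alice", "vms_roles": ["System Administrator"]},
    {"user": "bob", "vms_roles": ["Network Operator"],
     "restricted_groups": ["Web Servers"]},
    {"user": "carol", "vms_roles": ["Help Desk"],
     "restricted_groups": ["Laptops", "Desktops"]},
    {"user": "dave", "vms_roles": ["Help Desk", "Network Administrator"]},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_ACCOUNTS):
        print(row)
```

Accounts that carry a finding are the ones to review: a group restriction was intended, but the inherited role gives write access that is not limited by group.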


Administrative Preferences

While you are still in the Admin Preferences page, it is a perfect time to see what administrative efficiencies can be gained by setting preferences. CSA MC administrators can simplify their view throughout the MC by setting preferences that will follow their management session. If you are running the enterprise-wide deployment of CSA in your network but have only Linux systems, you would not want to see all Solaris- and Windows-configurable options. The way you limit your view is through administrative preferences.

NOTE

The administrative user ID you are logged in as always displays in the lower-right corner of every CSA MC screen.


You can access the following four predefined preferences:

  • Basic

  • Basic UNIX

  • Basic Windows

  • Advanced

This section looks more closely at the Basic Windows administrative preference to better understand what this configurable item provides you. Choose Basic Windows to see a page similar to Figure 14-10. The following options are available:

  • Name: Provide a name for the object.

  • Description: Insert a descriptive comment.

  • Configuration: Select the appropriate parameters, as follows:

    • Operating System: Select All, Windows, or UNIX to limit your view to only these items.

    • Remember Last Page Visited: This option brings you directly to where you left off when you next return to the CSA MC.

    • Always Use Show All Mode: This option overrides the hidden items that you configured as Display Only in Show All Mode.

    • Always Show Expanded Configuration Views: This option displays any configuration item typically retracted behind a plus sign (+) as fully expanded.

Figure 14-10. Admin Preferences Configuration Page




    Cisco Security Agent
    ISBN: 1587052059
    EAN: 2147483647
    Year: 2005
    Pages: 145
    Authors: Chad Sullivan
