Cisco Systems OL-24201-01 Camera Accessories User Manual


 
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 16 Managing System Administrators
Understanding Roles
Permissions
A permission is an access right that applies to a specific administrative task. A permission consists of:

- A resource: the list of ACS components that an administrator can access, such as network resources or policy elements.
- Privileges: Create, Read, Update, Delete, and eXecute (CRUDX). Some privileges cannot apply to a given resource. For example, the user resource cannot be executed.

A resource given to an administrator without any privileges means that the administrator has no access to that resource. In addition, permissions are discrete: if the create, update, and delete privileges apply to a resource, the read privilege is not available.

If no permission is defined for an object, the administrator cannot access the object, not even to read it.

Note: You cannot make permission changes.
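The rules in this section (no access without a defined permission, discrete privileges, and privileges that cannot apply to a resource) can be modeled as a small evaluator. This is an added illustration, not ACS code; the resource names, the APPLICABLE table, and the SAMPLE grants are assumptions constructed for the example.

```python
# Illustrative model, not ACS code. Resource names, APPLICABLE and SAMPLE
# are assumptions constructed for this example.
from enum import Flag, auto


class Priv(Flag):
    NONE = 0
    CREATE = auto()
    READ = auto()
    UPDATE = auto()
    DELETE = auto()
    EXECUTE = auto()


CRUD = Priv.CREATE | Priv.READ | Priv.UPDATE | Priv.DELETE
MODIFY = Priv.CREATE | Priv.UPDATE | Priv.DELETE

# Privileges that can apply to each resource. Only the "user" row reflects the
# guide (the user resource cannot be executed); the other rows are assumed.
APPLICABLE = {"user": CRUD, "network_resources": CRUD, "policy_elements": CRUD}


def grant(resource, privs):
    """Build one permission, rejecting privileges the resource cannot take."""
    if resource not in APPLICABLE:
        raise ValueError(f"unknown resource: {resource}")
    if privs & APPLICABLE[resource] != privs:
        raise ValueError(f"{privs} cannot apply to {resource}")
    return resource, privs


def is_allowed(permissions, resource, priv):
    """No entry, or an entry lacking the privilege, means no access.
    Privileges are discrete: holding C/U/D never implies READ."""
    return bool(permissions.get(resource, Priv.NONE) & priv)


def write_without_read(permissions):
    """Resources granted a modifying privilege but not READ."""
    return sorted(r for r, p in permissions.items()
                  if p & MODIFY and not p & Priv.READ)


# Constructed sample: one administrator's permissions, resource -> privileges.
SAMPLE = dict([
    grant("network_resources", MODIFY),  # create/update/delete, no read
    grant("user", Priv.NONE),            # resource listed without privileges
])
```

Here `is_allowed(SAMPLE, "network_resources", Priv.READ)` is false even though update is allowed, and `write_without_read(SAMPLE)` lists that resource for review.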
Predefined Roles
Table 16-1 shows the predefined roles included in ACS:
Table 16-1 Predefined Role Descriptions

Role: Privileges

ChangeAdminPassword: This role is intended for ACS administrators who manage other administrator accounts. This role entitles the administrator to change the password of other administrators.

ChangeUserPassword: This role is intended for ACS administrators who manage internal user accounts. This role entitles the administrator to change the password of internal users.

NetworkDeviceAdmin: This role is intended for ACS administrators who need to manage the ACS network device repository only, such as adding, updating, or deleting devices. This role has the following permissions:
- Read and write permissions on network devices
- Read and write permissions on NDGs and all object types in the Network Resources drawer

PolicyAdmin: This role is intended for the ACS policy administrator responsible for creating and managing ACS access services and access policy rules, and the policy elements referenced by the policy rules. This role has the following permissions:
- Read and write permissions on all the elements used in policies, such as authorization profile, NDGs, IDGs, conditions, and so on
- Read and write permissions on services policy

ReadOnlyAdmin: This role is intended for ACS administrators who need read-only access to all parts of the ACS user interface. This role has read-only access to all resources.

ReportAdmin: This role is intended for administrators who need access to the ACS Monitoring & Report Viewer to generate and view reports or monitoring data only. This role has read-only access on logs.