Cisco Systems OL-24201-01 Camera Accessories User Manual


 
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 16 Managing System Administrators
Understanding Roles
Note: At first login, only the Super Admin role is assigned to a specific administrator.
Related Topics
Administrator Accounts and Role Association
Creating, Duplicating, Editing, and Deleting Administrator Accounts
Changing Role Associations
By design, all roles in ACS are predefined and cannot be changed. ACS allows you to change only role associations. Owing to the potential ramifications on the system's entire authorization status, the ACS Super Admin and SecurityAdmin roles alone have the privilege to change role associations.
Changes in role associations take effect only after the affected administrators log out and log in again. At the new login, ACS reads and applies the role association changes.
Note: You must be careful in assigning the ACS Super Admin and SecurityAdmin roles because of the global ramifications of role association changes.
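Because a changed role association applies only at the affected administrator's next login, a session that is already open keeps its old roles until it ends. The following added example (not part of the Cisco guide, and not ACS code) replays a constructed event list to report those stale-session windows and any role changes made during them. The event tuple format, the account names, and the `audit` function are assumptions made for illustration.

```python
from datetime import datetime

# Roles the guide says may change role associations.
ROLE_CHANGERS = {"SuperAdmin", "SecurityAdmin"}

# Constructed sample data (hypothetical format, not an ACS log schema):
# (timestamp, event, actor, target, new_roles)
INITIAL = {"alice": {"SuperAdmin"}, "bob": {"SecurityAdmin"}, "carol": {"UserAdmin"}}
EVENTS = [
    ("2024-05-01T08:00", "login", "alice", None, None),
    ("2024-05-01T08:05", "login", "bob", None, None),
    ("2024-05-01T09:00", "role_change", "alice", "bob", {"UserAdmin"}),
    ("2024-05-01T09:30", "role_change", "bob", "carol", {"SuperAdmin"}),
    ("2024-05-01T10:00", "logout", "bob", None, None),
    ("2024-05-01T10:01", "login", "bob", None, None),
]

def audit(events, initial):
    """Replay events; return (stale_windows, stale_actions, final_assignment)."""
    assigned = {a: set(r) for a, r in initial.items()}  # stored association
    session = {}      # admin -> roles read at login
    stale_since = {}  # admin -> time the open session diverged from `assigned`
    windows, actions = [], []
    for ts, kind, actor, target, roles in events:
        t = datetime.fromisoformat(ts)
        if kind in ("login", "logout"):
            # Either event ends the old session, closing any stale window.
            if actor in stale_since:
                windows.append((actor, stale_since.pop(actor), t))
            session.pop(actor, None)
            if kind == "login":
                session[actor] = set(assigned[actor])  # roles applied at login
        elif kind == "role_change":
            if not session.get(actor, set()) & ROLE_CHANGERS:
                continue  # this session holds no role allowed to do this
            if actor in stale_since and not assigned[actor] & ROLE_CHANGERS:
                actions.append((ts, actor, target))  # done on a revoked role
            assigned[target] = set(roles)
            if target in session and session[target] != assigned[target]:
                stale_since.setdefault(target, t)
            elif target in stale_since:  # changed back to what the session holds
                windows.append((target, stale_since.pop(target), t))
    return windows, actions, assigned

if __name__ == "__main__":
    for item in audit(EVENTS, INITIAL):
        print(item)
```

In the sample data, bob's open session keeps SecurityAdmin for an hour after the association was changed to UserAdmin, and the role change bob makes in that hour is the one reported.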
Table 16-1 Predefined Role Descriptions (continued)

Role: SecurityAdmin
Privileges: This role is required in order to create, update, or delete ACS administrator accounts, to assign administrative roles, and to change the ACS password policy. This role has the following permissions:
- Read and write permissions on internal protocol users and administrator password policies
- Read and write permissions on administrator account settings
- Read and write permissions on administrator access settings

Role: SuperAdmin
Privileges: The Super Admin role has complete access to every ACS administrative function. If you do not need granular access control, this role is most convenient, and this is the role assigned to the predefined ACSAdmin account. This role has Create, Read, Update, Delete, and eXecute (CRUDX) permissions on all resources.

Role: SystemAdmin
Privileges: This role is intended for administrators responsible for ACS system configuration and operations. This role has the following permissions:
- Read and write permissions on all system administration activities except for account definition
- Read and write permissions on ACS instances

Role: UserAdmin
Privileges: This role is intended for administrators who are responsible for adding, updating, or deleting entries in the internal ACS identity stores, which includes internal users and internal hosts. This role has the following permissions:
- Read and write permissions on users and hosts
- Read permission on IDGs