Setting Up the QPM Server
This chapter contains the following topics:
• User Permissions for QPM
• CiscoWorks User Permissions
• ACS User Permissions
• Working with ACS Device Groups and User Permissions
User Permissions for QPM
CiscoWorks Common Services provides management of QPM user roles and privileges. QPM can work with either Cisco Secure Access Control Server (ACS) permissions or CiscoWorks permissions.
QPM permissions for authentication and authorization are mapped to CiscoWorks permission roles or ACS permission roles, as specified.
Note: To use ACS authentication and authorization, ACS must be installed on the network.
Before you begin to work with QPM, you should ensure that you have the appropriate permissions. ACS and CiscoWorks permissions in QPM rely on the usergroup or username, the command set or privileges associated with the usergroup or username, and the device or device group for which privileges are requested.
If your username or usergroup is not authorized for certain QPM actions, the related menu items, TOC items, and buttons will be hidden or disabled.
CiscoWorks User Permissions
QPM uses a separate set of permissions for each type of task.
Table 3-1 shows how QPM permissions are mapped to CiscoWorks roles.
Table 3-1 QPM Permissions Mapped to CiscoWorks Roles

| QPM Task Group | QPM Permission | System Admin | Network Admin | Network Operator | Approver | Help Desk |
|---|---|---|---|---|---|---|
| Device Inventory Tasks | View | X | X | X | X | X |
| | Modify | X | X | X | X | |
| Policy Configuration Tasks | View | X | X | X | X | X |
| | Modify | | X | X | X | |
| Deployment Tasks | View | X | X | X | X | X |
| | Deploy | | X | | | |
| | Delete jobs and logs | X | | | | |
| Reports Tasks | View | X | X | X | X | X |
| | Delete | X | | | | |
| | Run Real Time Analysis Tasks | X | X | X | X | X |
| | Create Analysis Tasks | | X | X | X | |
| Admin Tasks | View Audit logs | X | X | X | X | X |
| | Delete Audit logs | X | | | | |
| | Backup/Retrieve Backup | X | | | | |

Note: To view the QPM tasks allowed for each CiscoWorks role in QPM, select Admin > User Permissions Report.
CiscoWorks roles have the following permissions in QPM:
• System Admin
  – View information in QPM
  – Make changes to devices in the QPM device inventory
  – Run monitoring tasks
  – Delete any QPM logs and reports
  – Create and retrieve backups of the QPM database
  System admin is the only user role that can delete logs, jobs, and reports in QPM.
• Network Admin
  – View information in QPM
  – Make changes to devices in the QPM device inventory
  – Create and edit policies
  – Deploy policies to devices
  – Create and run monitoring tasks
  Network admin is the only user role that can deploy the QoS configurations to the devices on the network.
• Network Operator
  – View information in QPM
  – Make changes to devices in the QPM device inventory
  – Create and edit policies
  – Create and run monitoring tasks
• Approver
  – View information in QPM
  – Make changes to devices in the QPM device inventory
  – Create and edit policies
  – Create and run monitoring tasks
• Help Desk — Allows you to only view information in QPM
You can add your username for CiscoWorks authentication in the CiscoWorks desktop.
Step 1: In the CiscoWorks desktop, select Server Configuration > Setup > Security > Add Users.
Step 2: Enter your username and password.
Step 3: Select the CiscoWorks user role for the user. Click Add.
See User Guide for CiscoWorks Common Services 2.2 for more information about setting CiscoWorks usernames and permissions.
CiscoWorks permissions cannot be customized. However, you can create a user who has the permissions of more than one CiscoWorks role, for example, System Admin and Approver.
Tip: You can create a super-user (permissions for everything) by giving both system administrator and network administrator roles to a user.
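
The role matrix and the super-user tip above, as an added audit example (not part of the original Cisco documentation): it encodes the Table 3-1 defaults, computes the effective permissions of a user who holds several roles, and finds the smallest role combinations that yield every permission. The dotted permission labels, the separation-of-duties rule, and the sample users are assumptions made for this example.

```python
from itertools import combinations

ROLES = ["System Admin", "Network Admin", "Network Operator", "Approver", "Help Desk"]
# Table 3-1 defaults, one flag per role in ROLES order (X = granted).
# The dotted permission labels are names made up for this example.
MATRIX = {
    "inventory.view": "XXXXX", "inventory.modify": "XXXX-",
    "policy.view": "XXXXX", "policy.modify": "-XXX-",
    "deploy.view": "XXXXX", "deploy.deploy": "-X---",
    "deploy.delete_jobs_logs": "X----", "reports.view": "XXXXX",
    "reports.delete": "X----", "reports.run_realtime_analysis": "XXXXX",
    "reports.create_analysis": "-XXX-", "admin.view_audit_logs": "XXXXX",
    "admin.delete_audit_logs": "X----", "admin.backup": "X----",
}
ALL = set(MATRIX)
# Assumed separation-of-duties rule: editing policies plus erasing the audit trail.
CONFLICT = {"policy.modify", "admin.delete_audit_logs"}

def effective_permissions(roles):
    """Union of the permissions of every role held by one user."""
    idx = [ROLES.index(r) for r in roles]  # ValueError on an unknown role
    return {p for p, flags in MATRIX.items() if any(flags[i] == "X" for i in idx)}

def minimal_superuser_sets():
    """Smallest role combinations whose union covers every permission."""
    for size in range(1, len(ROLES) + 1):
        hits = [set(c) for c in combinations(ROLES, size)
                if effective_permissions(c) == ALL]
        if hits:
            return hits
    return []

def audit(assignments):
    """Map each risky user to the reasons they were flagged."""
    findings = {}
    for user, roles in assignments.items():
        perms = effective_permissions(roles)
        reasons = [label for label, hit in (
            ("super-user", perms == ALL),
            ("can edit policies and delete audit logs", CONFLICT <= perms)) if hit]
        if reasons:
            findings[user] = reasons
    return findings

# Constructed sample assignments (not from the original page).
SAMPLE = {"alice": ["System Admin", "Approver"],
          "bob": ["System Admin", "Network Admin"], "carol": ["Help Desk"]}

if __name__ == "__main__":
    print(minimal_superuser_sets(), audit(SAMPLE))
```

When ACS authorization is used, the default roles can be modified, so the matrix would have to be updated to match the roles as configured in ACS.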
ACS User Permissions
When you configure CiscoWorks Common Services to use ACS authorization and authentication, QPM adds permissions in ACS.
Table 3-2 shows the default mapping of QPM permissions to ACS roles. This is the same as for the CiscoWorks roles, but when using ACS authorization and authentication you can modify the default roles.
Table 3-2 QPM Permissions Mapped to ACS Roles

| QPM Task Group | QPM Permission | System Admin | Network Admin | Network Operator | Approver | Help Desk |
|---|---|---|---|---|---|---|
| Device Inventory Tasks | View | X | X | X | X | X |
| | Modify | X | X | X | X | |
| Policy Configuration Tasks | View | X | X | X | X | X |
| | Modify | | X | X | X | |
| Deployment Tasks | View | X | X | X | X | X |
| | Deploy | | X | | | |
| | Delete jobs and logs | X | | | | |
| Reports Tasks | View | X | X | X | X | X |
| | Delete | X | | | | |
| | Run Real Time Analysis Tasks | X | X | X | X | X |
| | Create Analysis Tasks | | X | X | X | |
| Admin Tasks | View Audit logs | X | X | X | X | X |
| | Delete Audit logs | X | | | | |
| | Backup/Retrieve Backup | X | | | | |

To modify global components, such as library components, global device settings, and so on, you must have appropriate permissions for the device group that contains the CiscoWorks Common Services server.
ACS roles have the following default permissions in QPM:
• System Admin
  – View information in QPM
  – Make changes to devices in the QPM device inventory
  – Run monitoring tasks
  – Delete any QPM logs and reports
  – Create and retrieve backups of the QPM database
  System admin is the only user role that can delete logs, jobs, and reports in QPM.
• Network Admin
  – View information in QPM
  – Make changes to devices in the QPM device inventory
  – Create and edit policies
  – Deploy policies to devices
  – Create and run monitoring tasks
  Network admin is the only user role that can deploy the QoS configurations to the devices on the network.
• Network Operator
  – View information in QPM
  – Make changes to devices in the QPM device inventory
  – Create and edit policies
  – Create and run monitoring tasks
• Approver
  – View information in QPM
  – Make changes to devices in the QPM device inventory
  – Create and edit policies
  – Create and run monitoring tasks
• Help Desk — Allows you to only view information in QPM
If you intend to work with ACS device groups and user permissions, you must perform the setup configuration described in Working with ACS Device Groups and User Permissions.
ACS allows you to modify the default permission roles. For details about modifying permissions in ACS, see the ACS online help.
After you change the permission roles, you must restart the ACS server. If QPM is open, log out and log in again to QPM to reflect the changes.
Working with ACS Device Groups and User Permissions
The following topics describe how to configure CiscoWorks Common Services to use ACS authorization and authentication on a new QPM installation, and after upgrading from QPM 3.x.
• Setup for Working with ACS Device Groups and User Permissions
• Updating QPM 3.0.x User Permissions in ACS
Setup for Working with ACS Device Groups and User Permissions
If you want to use ACS device groups and permissions for QPM, ACS must be installed on the network.
To work with ACS device groups and user permissions, you must register the QPM server with ACS and configure CiscoWorks Common Services to use ACS authorization and authentication.

Step 1: Define the QPM server in ACS.
  1. In ACS, select Network Configuration.
  2. Add the QPM server to a device group, or add it as an individual device, depending on the ACS setup.
  3. Enter the ACS shared key in the Key field.

Step 2: Define the Login Module in CiscoWorks as TACACS+.
  1. In the CiscoWorks desktop, select Server Configuration > Setup > Security > Select Login Module.
  2. Select TACACS+, if it is not already selected. Click Next.
  3. Enter the ACS server name. You do not need to enter a key.
  4. Click Finish.

Step 3: Synchronize CiscoWorks Common Services with the ACS server configuration.
  1. In the CiscoWorks desktop, select VPN/Security Management Solution > Administration > Configuration > AAA Server.
  2. In the AAA Server Information dialog box, click Synchronize.
  3. Add Login details. Enter the ACS shared key that you defined for the QPM server in ACS.
  4. Click Register.
  5. Select qpm, and click the Add button, to add the QPM permission roles in ACS. Click OK.
  6. Click Finish.

Step 4: Define usernames, device groups and user groups in ACS.
  1. In ACS, select User Setup to define usernames.
  2. Select Group Setup to define permissions for device groups.
  You can define permissions for all network device groups, or per device group. This means that roles can be defined for all devices, or per network device group.

To change the authorization and authentication mode back to CiscoWorks permissions, you must configure CiscoWorks Common Services to use local authorization and authentication.
For details of this procedure, see the user guide or online help for CiscoWorks Common Services.
For more information about configuring ACS authorization and authentication, see the user guide or online help for CiscoWorks Common Services.
Updating QPM 3.0.x User Permissions in ACS
If you are upgrading from QPM 3.0.x on the same QPM server, and you worked with ACS device groups and user permissions, you must update ACS with the new QPM user permissions.
Note: If you are upgrading to a different server from QPM 3.0.x, follow the procedure in Setup for Working with ACS Device Groups and User Permissions.

Step 1: Remove the old QPM permission roles from the ACS server.
  1. In the ACS server, select Shared Profile Components > CiscoWorks QPM.
  2. Select each QPM user role and delete it.

Step 2: Unregister the old QPM permission roles in CiscoWorks.
  1. In the CiscoWorks desktop, log in with username admin and password admin.
  2. Select VPN/Security Management Solution > Administration > Configuration > AAA Server.
  3. In the AAA Server Information dialog box, click Unregister.
  4. Log out of the CiscoWorks desktop.

Step 3: Add the new QPM permission roles to ACS.
  1. Log in to CiscoWorks with username admin and password admin.
  2. Select VPN/Security Management Solution > Administration > Configuration > AAA Server.
  3. In the AAA Server Information dialog box, click Synchronize.
  4. Add Login details. Enter the ACS shared key that you defined for the QPM server in ACS.
  5. Click Register.
  6. Select qpm, and click the Add button, to add the QPM permission roles in ACS. Click OK.
  7. Click Finish.
  8. Log out of CiscoWorks.

Step 4: Define usernames, device groups and user groups in ACS.
  1. In ACS, select User Setup to define usernames.
  2. Select Group Setup to define permissions for device groups.
  You can define permissions for all network device groups, or per device group. This means that roles can be defined for all devices, or per network device group.