5-57
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 5 Importing and Managing Devices
Configuring ACE Module and Appliance Role-Based Access Controls


- Deleting Device User Roles, page 5-60

Guidelines for Managing User Roles

Follow these guidelines to manage user roles:

- Administrators can view and modify all roles.
- Other users can view only the roles assigned to them.
- You cannot change the default roles.
- Role permissions differ depending on whether the role was created in an Admin context or in a user context. If you want to allow users to switch between contexts, ensure that they have a predefined role. If you want to restrict a user to only their home context, assign them a customized user role.
- Certain role features are available only to default roles. For example, an Admin role in the Admin context would have changeto and system permissions to perform tasks such as license management, resource class management, HA setup, and so on. User-created roles cannot use these features.

Related Topics

- Role Mapping in Device RBAC, page 5-57
- Controlling Access to Cisco ANM, page 18-3
- Configuring Device RBAC Users, page 5-53
- Configuring Device RBAC Roles, page 5-56
- Configuring Device RBAC Domains, page 5-61
- How ANM Handles Role-Based Access Control, page 18-8

Role Mapping in Device RBAC

When you are logged into a specific device RBAC, you see the tasks that you have been given permission to access. Features and menus that are not applicable for your role will not display.

Since the predefined roles encompass all the role types you may need, we encourage you to use them. If you choose to define your own roles, be aware that rule features are not a one-to-one mapping from a CLI feature to an ANM menu task.

Defining the proper rules for your user-defined role will require you to create a mapping between the features in Device RBAC and the ANM menu tasks. For example, in order to manage virtual servers, you must choose the following six menu features (Real Servers, Server Farms, VIP, Probes, Loadbalance, NAT, and Interface) in your role.

Note: Certain features in ANM do not have a corresponding feature mapping on the CLI. For example, class maps and SNMP do not have a corresponding feature mapping. To modify these features, you need to choose a predefined role that contains at least one feature with the Modify permission on it.
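
One way to check a planned role against the guidelines and mapping rules above before creating it, shown as an added example that is not part of the Cisco guide or of ANM. The `Role` structure, the `audit_role` function, the sample role and the "Monitor" permission value are assumptions made for illustration; the feature names are the ones listed on this page.

```python
from dataclasses import dataclass, field

# Menu features this page lists for managing virtual servers.
VIRTUAL_SERVER_FEATURES = {"Real Servers", "Server Farms", "VIP", "Probes",
                           "Loadbalance", "NAT", "Interface"}
# Features this page says only default roles can use.
DEFAULT_ONLY_FEATURES = {"changeto", "system"}
# ANM features this page says have no CLI feature mapping.
NO_CLI_MAPPING = {"class maps", "SNMP"}


@dataclass
class Role:  # hypothetical structure, not an ANM or ACE object
    name: str
    predefined: bool                           # True for a default role
    rules: dict = field(default_factory=dict)  # feature name -> permission


def audit_role(role, manage_virtual_servers=False, modify=(), switch_contexts=False):
    """Return findings where the role cannot do what is intended for it."""
    findings = []
    granted = set(role.rules)
    if manage_virtual_servers:
        missing = sorted(VIRTUAL_SERVER_FEATURES - granted)
        if missing:
            findings.append("virtual servers: missing " + ", ".join(missing))
    if not role.predefined:
        unusable = sorted(DEFAULT_ONLY_FEATURES & granted)
        if unusable:
            findings.append("default-role-only features: " + ", ".join(unusable))
        if switch_contexts:
            findings.append("context switching needs a predefined role")
    has_modify = "Modify" in role.rules.values()
    for feature in modify:
        if feature in NO_CLI_MAPPING and not (role.predefined and has_modify):
            findings.append(feature + ": needs a predefined role with Modify on a feature")
    return findings


# Constructed sample: a user-defined role intended for virtual server operators.
vs_operator = Role("VS-Operator", predefined=False, rules={
    "Real Servers": "Modify", "Server Farms": "Modify", "VIP": "Modify",
    "Probes": "Monitor", "changeto": "Modify"})

if __name__ == "__main__":
    for finding in audit_role(vs_operator, manage_virtual_servers=True,
                              modify=["SNMP"], switch_contexts=True):
        print(finding)
```

An empty result means the planned role satisfies every rule checked here; each finding names the guideline the role would run into.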

Related Topics

- How ANM Handles Role-Based Access Control, page 18-8
- Understanding Roles, page 18-6