18-4 User Guide for the Cisco Application Networking Manager 5.2, OL-26572-01
Chapter 18 Administering the Cisco Application Networking Manager

Controlling Access to Cisco ANM

When a user logs into the system, the specific tasks they can perform and areas of the system that they can use are controlled by organizations, roles, and domains.

An organization is a virtual group of users, their roles, and domains managed by a specific server that provides authentication to its users. Each organization has its own set of users. See the “Understanding Organizations” section on page 18-7 for information about organizations.

The role assigned to a user defines the tasks that a user can perform and the items in the hierarchy that they can see. Roles are either pre-defined or set up by the system administrator. See the “Understanding Roles” section on page 18-6 for more information.

A domain is a collection of managed objects. When a user is given access to a domain, it acts as a filter for a sub-set of objects on the network which are displayed as a virtual context. The types of objects in the system that are domain controlled are as follows:

• Chassis (with VLANs)
• Virtual contexts
• Resource classes
• Real servers
• Virtual servers

Thus, role-based access control ensures that a user or organization can view only the devices or services or perform the actions that are included in the domains to which they have been given access (see Figure 18-1).

Figure 18-1 Role-Based Access Control Containment Overview

[Figure labels: Default Organization; System Objects; AAA Setup; Roles; 1 to 1; Users; Tasks; Network Objects; Domains. Figure notes: "All associations are one to many, reading from top to bottom (unless noted otherwise)"; "Objects contained within an organization"; "Organization used by service providers to resell management"]
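
A minimal model of the containment described above, added here as an illustration and not Cisco ANM code: an action is allowed only when the user's role includes the task and the object falls inside a domain granted to that user within the same organization. The class, task, and object names are hypothetical, and one role per user is an assumption of the model.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:
    name: str
    tasks: frozenset          # tasks the role permits, e.g. {"view", "modify"}

@dataclass
class Organization:
    """Container for its own users, roles and domains (simplified model)."""
    name: str
    roles: dict = field(default_factory=dict)    # role name -> Role
    domains: dict = field(default_factory=dict)  # domain name -> set of object ids
    users: dict = field(default_factory=dict)    # user -> (role name, domain names)

    def add_user(self, user, role, domains):
        # A user can only be bound to a role and domains of the same organization.
        if role not in self.roles or any(d not in self.domains for d in domains):
            raise ValueError(f"role or domain not defined in {self.name}")
        self.users[user] = (role, tuple(domains))

    def visible_objects(self, user):
        # Domains act as a filter: the user sees the union of their objects.
        _, domains = self.users[user]
        return set().union(*(self.domains[d] for d in domains))

    def is_allowed(self, user, task, obj):
        # Deny by default: unknown user, task not in role, or object outside domains.
        if user not in self.users:
            return False
        role, _ = self.users[user]
        return task in self.roles[role].tasks and obj in self.visible_objects(user)

def build_sample():
    # Constructed sample data (hypothetical names, not from an ANM deployment).
    org = Organization("OrgA")
    org.roles["operator"] = Role("operator", frozenset({"view"}))
    org.roles["admin"] = Role("admin", frozenset({"view", "modify"}))
    org.domains["web"] = {"vserver:web-1", "rserver:web-a"}
    org.domains["db"] = {"rserver:db-a"}
    org.add_user("alice", "admin", ["web"])
    org.add_user("bob", "operator", ["web", "db"])
    return org

if __name__ == "__main__":
    org = build_sample()
    for user, task, obj in [("alice", "modify", "vserver:web-1"),
                            ("alice", "view", "rserver:db-a"),
                            ("bob", "modify", "rserver:db-a")]:
        print(user, task, obj, "->", org.is_allowed(user, task, obj))
```

When reviewing a deployment against this model, the two independent denials to test for are a permitted task on an object outside the user's domains, and an in-domain object with a task the role does not grant.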