18-7
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 18 Administering the Cisco Application Networking Manager
Controlling Access to Cisco ANM

• Create—Allows the user to control system objects, for example, creating them, enabling them, or powering up. Also allows the user to control system objects, for example, deleting them, disabling them, or powering down.

Note The Create privilege includes the functions associated with the Modify privilege; however, the reverse is not true (a user with Modify privileges cannot create items).

Privileges are hierarchical. If a user has Modify privileges, they have View privileges as well. If a user has Create or Debug privileges, they have View privileges as well.
Related Topics

• How ANM Handles Role-Based Access Control, page 18-8
• Managing User Roles, page 18-25
• Guidelines for Managing User Roles, page 18-25
• Understanding Predefined Roles, page 18-26
• Using an AAA Server for Remote User Authentication and Authorization, page 18-38
Understanding Domains

Domains in ANM are defined by the system administrator. A domain is a collection of managed objects to which a user is given access. By setting up a domain, you are filtering for a subset of objects on the network. The user is then given access to this virtual context.

The table rows that a user sees in any table are filtered according to the domain to which that user has access.
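The two rules stated above, the privilege hierarchy (Create includes Modify, Modify and Debug include View) and domain-scoped visibility of table rows, combine into a single authorization decision. The following is an added example written for this guide's reader; it is not Cisco code and not ANM's implementation. The privilege names come from the text, but the `IMPLIES` table, the `User`/`ManagedObject` types, and the sample objects are constructed assumptions. It computes the transitive closure of granted privileges so that, for instance, a Modify user is never mistaken for a Create user, and it applies the domain filter before the privilege check so that an object outside the user's domain is never authorized, whatever privilege the user holds.

```python
"""Hierarchical privileges plus domain-scoped visibility, modelled after the
ANM description. Added example; not part of the ANM product or this guide."""
from dataclasses import dataclass

# Which privileges each privilege implies (assumed table, derived from the
# guide's text): Create -> Modify -> View, and Debug -> View.
IMPLIES = {
    "View": set(),
    "Modify": {"View"},
    "Create": {"Modify"},
    "Debug": {"View"},
}


def effective_privileges(granted):
    """Transitive closure of the granted privileges under IMPLIES.

    Unknown privilege names are rejected rather than silently ignored, so a
    typo in a role definition fails closed instead of granting nothing or
    everything by accident.
    """
    result = set()
    stack = list(granted)
    while stack:
        priv = stack.pop()
        if priv not in IMPLIES:
            raise ValueError(f"unknown privilege: {priv!r}")
        if priv in result:
            continue
        result.add(priv)
        stack.extend(IMPLIES[priv])
    return result


def has_privilege(granted, needed):
    """True only if `needed` is granted directly or implied by the hierarchy."""
    return needed in effective_privileges(granted)


@dataclass(frozen=True)
class ManagedObject:
    """A row in a managed-object table; each row belongs to exactly one domain."""
    name: str
    domain: str


@dataclass(frozen=True)
class User:
    name: str
    privileges: frozenset   # privileges granted by the user's role
    domains: frozenset      # domains the administrator assigned to the user


def visible_rows(user, table):
    """Filter a table the way the guide describes: only rows whose domain the
    user has access to are returned."""
    return [obj for obj in table if obj.domain in user.domains]


def authorize(user, action, obj):
    """Domain check first, then privilege check. Both must pass."""
    if obj.domain not in user.domains:
        return False
    return has_privilege(user.privileges, action)


# Constructed sample data (not from the guide).
SAMPLE_TABLE = [
    ManagedObject("vc-east-1", "east"),
    ManagedObject("vc-east-2", "east"),
    ManagedObject("vc-west-1", "west"),
]
OPERATOR = User("op", frozenset({"Modify"}), frozenset({"east"}))
ADMIN = User("adm", frozenset({"Create"}), frozenset({"east", "west"}))


if __name__ == "__main__":
    for u in (OPERATOR, ADMIN):
        print(u.name, sorted(effective_privileges(u.privileges)),
              [o.name for o in visible_rows(u, SAMPLE_TABLE)])
```

The design point worth noting is the order of checks in `authorize`: filtering by domain first mirrors how the guide says table rows are filtered, and it means a privilege escalation bug in the hierarchy logic still cannot reach objects outside the user's domain.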
Understanding Organizations

An organization allows you to configure AAA server lookup for your users or set up users who work for a service provider customer. Organizations in ANM are defined by the system administrator.

When you use an ACE device as an AAA server, you may want to segment your users for customer, business, or security reasons. If you use more than one authentication server, then you can use organizations to configure which of them authenticate your users. For example, if your company has four servers, one each for local, RADIUS, TACACS+, and LDAPS authentication, then organizations could reflect that. The Default organization in ANM is set up to act as the local server.

ANM supports different device types that have unique ways of configuring authentication access, which helps with future device support. ANM can configure which users are authenticated by which authentication servers, but it does not act as an AAA server itself, because that would conflict with its role as an RBAC administrator; keeping the two apart allows for the separation of authority that is needed to perform RBAC successfully.
Related Topics

• Using an AAA Server for Remote User Authentication and Authorization, page 18-38