User Guide for the Cisco Application Networking Manager 5.2    OL-26572-01    18-8

Chapter 18    Administering the Cisco Application Networking Manager

How ANM Handles Role-Based Access Control

This section describes how and why a system administrator might want to use the ANM RBAC features.

ANM supports two distinct, but related, RBAC capabilities as follows:

• ANM RBAC—ANM acts as a system and network device overseer, allowing it to globally implement its use of RBAC.

• Device RBAC—ANM devices enforce RBAC.

Understanding ANM RBAC

ANM is a central place where you can globally set the RBAC for users, roles, and domains (as well as for virtual contexts or device types using device RBAC).

As a system administrator, you may need to delegate authority to allow another administrator to perform specific tasks on specific devices, such as activating, suspending, and monitoring traffic flow to specific real servers, yet restrict them from accessing all other capabilities. ANM enables you to accomplish this delegation with more control. For a description of how the roles map to the functions, see the “Displaying User Roles and Associated Tasks and ANM Menu Privileges” section on page 18-28.

Understanding Device RBAC

ANM’s device RBAC allows you to set up device permission levels of a more granular nature. You no longer have to provide “all-or-nothing” roles-based access to devices and device modules. Without ANM, some devices may be open to users who can perform every task on that device or module, regardless of their authorization, due to permission level requirements on modules and/or switches. ANM provides a central place to grant special access to users you specify. Device users, roles, and domain data are not part of, nor can they be used by, ANM. Device RBAC is only for CLI access directly to the context.

For example, some users may need level 3 access when direct troubleshooting of ACE hardware is required. You can set up these users with or without ANM, but ANM centralizes the capability to do so. You might, for example, configure a network engineer with a special role, either ACE-Admin or Network-Admin, to provide the level 3 access. ANM accesses the ACE as a level 15 user and an admin supervisor and uses the RBAC to determine the level of access (to device types, segments, elements, subelements, and so on).

Some Cisco devices have the ability to configure RBAC directly on the device, for example the ACE. The CSS and CSM are examples of Cisco devices that do not have the capability to have their own RBAC.

When you configure remote authentication (AAA, RADIUS, LDAPS, or TACACS+) for the ACE through ANM, users no longer have to log out to access their device using Telnet. When you manually log into a CSS, the CSS performs user authentication in a Telnet session. Telnet does not provide any domain enforcement, so it is less secure. For an overview of the steps that you perform to configure remote authentication using an AAA server, see the “Using an AAA Server for Remote User Authentication and Authorization” section on page 18-38.

If you are an admin using a CSS module outside of the ANM application, then you might have permission to do anything on this switch. If you are using ANM, you can set up better authorization for your administrators for specific devices. Better authorization controls are one of the advantages of using the ANM rather than using only the CLI on the ACE hardware. You can now configure separate access for one function for this user in this domain only. ANM allows this high level of granularity and, with it, more control over who does what to your devices.
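The delegation described under “Understanding ANM RBAC” (a role that grants only a few real-server tasks, scoped to one domain, with everything else denied) and the “one function for this user in this domain only” point made just above are modelled here as an added Python example. It is not ANM’s code: the Role/Domain/User classes, the task names, and the object paths are constructed for illustration, and the check is the deny-by-default “task AND domain must both match” rule that distinguishes domain-scoped RBAC from all-or-nothing device access.

```python
from dataclasses import dataclass, field

# Constructed model of ANM-style RBAC: a user holds (role, domain) assignments,
# a role is a set of permitted tasks, and a domain is the set of device objects
# (virtual contexts, real servers, ...) it covers. Illustrative code only, not
# ANM's implementation; class names, task names and object paths are assumed.

@dataclass(frozen=True)
class Role:
    name: str
    tasks: frozenset

@dataclass(frozen=True)
class Domain:
    name: str
    objects: frozenset  # fully qualified object paths, e.g. "ace1/ctxA/rserver/web01"

@dataclass
class User:
    name: str
    assignments: list = field(default_factory=list)  # [(Role, Domain), ...]

def is_authorized(user: User, task: str, obj: str) -> bool:
    """Deny by default: permit only when one assignment both grants the task
    and scopes a domain containing the object (task AND domain must match)."""
    return any(task in role.tasks and obj in domain.objects
               for role, domain in user.assignments)

def denied_requests(user: User, requests) -> list:
    """Return the (task, object) pairs the user may not perform, for audit logging."""
    return [(t, o) for t, o in requests if not is_authorized(user, t, o)]

# Constructed sample data: a narrow operator role versus a broad admin role.
RSERVER_OPERATOR = Role("Rserver-Operator", frozenset({"activate", "suspend", "monitor"}))
ACE_ADMIN = Role("ACE-Admin", frozenset({"activate", "suspend", "monitor", "configure", "delete"}))
WEB_TIER = Domain("web-tier", frozenset({"ace1/ctxA/rserver/web01", "ace1/ctxA/rserver/web02"}))
DB_TIER = Domain("db-tier", frozenset({"ace1/ctxB/rserver/db01"}))

# The delegate may only activate/suspend/monitor web-tier real servers;
# the administrator holds ACE-Admin across both domains.
delegate = User("jdoe", [(RSERVER_OPERATOR, WEB_TIER)])
administrator = User("admin", [(ACE_ADMIN, WEB_TIER), (ACE_ADMIN, DB_TIER)])

if __name__ == "__main__":
    for task, obj in [("suspend", "ace1/ctxA/rserver/web01"),     # allow: task and domain match
                      ("suspend", "ace1/ctxB/rserver/db01"),      # deny: object outside web-tier
                      ("configure", "ace1/ctxA/rserver/web01")]:  # deny: task not in role
        verdict = "allow" if is_authorized(delegate, task, obj) else "deny"
        print(f"{delegate.name} {task} {obj}: {verdict}")
```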