Administrators, Groups, and Roles
The types of functions that network administrators can perform in Cisco Prime IP Express are based on the roles assigned to them. Local and regional administrators can define these roles to provide granularity for the network administration functions. Cisco Prime IP Express predefines a set of base roles that segment the administrative functions. From these base roles you can define further constrained roles that are limited to administering particular addresses, zones, and other network objects.
The mechanism to associate administrators with their roles is to place the administrators in groups that include these roles.
How Administrators Relate to Groups and Roles
There are three administrator objects in Cisco Prime IP Express—administrator, group, and role:
- Administrator — An account that logs in and that, through its association with one or more administrator groups, can perform certain functions based on its assigned role or roles. At the local cluster, these functions are administering the local Central Configuration Management (CCM) server and databases, hosts, zones, address space, and DHCP. At the regional cluster, these functions administer the regional CCM server and databases, central configuration, and regional address space. An administrator must be assigned to at least one group to be effective. Adding administrators is described in Managing Administrators.
- Group — A grouping of roles. You must associate one or more groups with an administrator, and a group must be assigned at least one role to be usable. The predefined groups that Cisco Prime IP Express provides map each role to a unique group. Adding groups is described in Managing Groups.
- Role — Defines the network objects that an administrator can manage and the functions that an administrator can perform. A set of predefined roles is created at installation, and you can define additional constrained roles. Some of the roles include subroles that provide further functional constraints. Adding roles is described in Managing Roles.
Administrator Types
There are two basic types of administrators: superusers and specialized administrators:
- Superuser — Administrator with unrestricted access to the web UI, CLI, and all features. This administrator type should be restricted to a few individuals. The superuser privileges of an administrator override all its other roles.
Tip
You have to create the superuser and password at installation, or when you first log into the web UI.
- Specialized — Administrator created by name to fulfill specialized functions, for example, to administer a specific DNS forward or reverse zone, based on the administrator's assigned role (and subrole, if applicable). Specialized administrators, like the superuser, require a password, but must also be assigned at least one administrator group that defines the relevant roles. The CLI provides the admin command.
For an example of creating a local zone or host administrator, see Create the Administrators.
Roles, Subroles, and Constraints
A license type is associated with each role-subrole combination. A role-subrole is enabled only if that license is available in that cluster.
You can limit an administrator role by applying constraints. For example, you can use the host-admin base role to create a host administrator, named 192.168.50-host-admin, who is constrained to the 192.168.50.0 subnet. The administrator assigned a group that includes this role then logs in with this constraint in effect. Adding roles and subroles is described in Managing Roles.
You can further limit the constraints on roles to read-only access. An administrator can be allowed to read any of the data for that role, but not modify it. However, if the constrained data is also associated with a read-write role, the read-write privilege supersedes the read-only constraints.
Tip
An example of adding role constraints is in Create a Host Administrator Role with Constraints.
The interplay between DNS and host administrator role assignments is such that you can combine an unconstrained dns-admin role with any host-admin role in a group. For example, combining the dns-admin-readonly role and a host-admin role in a group (and naming the group host-rw-dns-ro) provides full host access and read-only access to zones and RRs. However, if you assign a constrained dns-admin role along with a host-admin role to a group and then to an administrator, the constrained dns-admin role takes precedence, and the administrator privileges at login will preclude any host administration.
Certain roles provide subroles with which you can further limit the role functionality. For example, the local ccm-admin or regional-admin, with just the owner-region subrole applied, can manage only owners and regions. By default, all the possible subroles apply when you create a constrained role.
The predefined roles are described in Table 1 (local), and Table 2 (regional).
| Local Role | Subroles and Active Functionality |
|---|---|
| addrblock-admin | Core functionality: Manage address blocks, subnets, and reverse DNS zones (also requires dns-admin); and notify of scope activity. |
| ccm-admin | Core functionality: Manage access control lists (ACLs) and encryption keys. |
| cdns-admin | Core functionality: Manage in-memory cache (flush cache and flush cache name). |
| cfg-admin | Core functionality: Manage clusters. |
| dhcp-admin | Core functionality: Manage DHCP scopes and templates, policies, clients, client-classes, options, leases, and reservations. |
| dns-admin | Core functionality: Manage DNS zones and templates, resource records, secondary servers, and hosts. |
| host-admin | Core functionality: Manage DNS hosts. (Note that if an administrator is also assigned a constrained dns-admin role that overrides the host-admin definition, the administrator is not assigned the host-admin role.) |
| Regional Role | Subroles and Active Functionality |
|---|---|
| central-cfg-admin | Core functionality: Manage clusters and view replica data. |
| central-dns-admin | Core functionality: Manage DNS zones and templates, hosts, resource records, and secondary servers; and create subzones and reverse zones. |
| central-host-admin | Core functionality: Manage DNS hosts. (Note that if an administrator is also assigned a constrained central-dns-admin role that overrides the central-host-admin definition, the administrator is not assigned the central-host-admin role.) |
| regional-admin | Core functionality: Manage licenses and encryption keys. |
| regional-addr-admin | Core functionality: Manage address blocks, subnets, and address ranges; generate allocation reports; and pull replica address space data. |
Groups
Administrator groups are the mechanism used to assign roles to administrators. Hence, a group must consist of one or more administrator roles to be usable. When you first install Cisco Prime IP Express, a predefined group is created to correspond to each predefined role.
Roles with the same base role are combined. A group with an unconstrained dhcp-admin role and a constrained dns-admin role does not change the privileges assigned to the dns-admin role, because the two base roles differ. When roles do share a base role, the widest privilege wins: if one of the roles is assigned unconstrained read-write privileges, the group is assigned unconstrained read-write privileges, even though other roles might be assigned read-only privileges. Therefore, to limit the read-write privileges of a user while allowing read-only access to all data, create a group that includes the unconstrained read-only role along with a constrained read-write role. (See Roles, Subroles, and Constraints for the implementation of host-admin and dns-admin roles combined in a group.)
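The precedence rules above (superuser overrides everything, same-base roles combine with the widest privilege winning, a constrained dns-admin role precludes host-admin) are easy to get wrong when designing groups. The following is an added example, not Cisco Prime IP Express code, that models those documented rules so a group's effective privileges can be checked before it is assigned; the Role data model and the group contents are constructed, and it assumes a dns-admin entry counts as constrained when its combined read scope is still not unconstrained.

```python
"""Model of the role-combination rules described on this page (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    base: str                   # base role, e.g. "dns-admin", "host-admin"
    constrained: bool = False   # limited to particular zones/subnets/objects
    read_only: bool = False     # read-only constraint applied to the role


# Scope ordering used when roles with the same base role are combined.
_RANK = {None: 0, "constrained": 1, "unconstrained": 2}


def _wider(a, b):
    return a if _RANK[a] >= _RANK[b] else b


def effective_privileges(roles, superuser=False):
    """Return {base_role: {"read": scope, "write": scope}} for a group.

    scope is None (no access), "constrained" or "unconstrained".
    """
    if superuser:  # superuser privileges override all other roles
        return {"*": {"read": "unconstrained", "write": "unconstrained"}}
    eff = {}
    for r in roles:
        scope = "constrained" if r.constrained else "unconstrained"
        cur = eff.setdefault(r.base, {"read": None, "write": None})
        # Same base role: widest privilege wins, so an unconstrained
        # read-write role supersedes read-only constraints.
        cur["read"] = _wider(cur["read"], scope)
        if not r.read_only:
            cur["write"] = _wider(cur["write"], scope)
    # A constrained dns-admin role takes precedence over host-admin and
    # precludes host administration (assumption: "constrained" means the
    # combined dns-admin read scope is not unconstrained).
    dns = eff.get("dns-admin")
    if dns and dns["read"] != "unconstrained":
        eff.pop("host-admin", None)
    return eff


def group_is_usable(roles):
    """A group must be assigned at least one role to be usable."""
    return len(roles) > 0


if __name__ == "__main__":
    # "host-rw-dns-ro" from the page: full host access, read-only zones/RRs.
    print(effective_privileges([Role("dns-admin", read_only=True), Role("host-admin")]))
    # Constrained dns-admin plus host-admin: host-admin is dropped.
    print(effective_privileges([Role("dns-admin", constrained=True), Role("host-admin")]))
```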