cc/td/doc/solution/sesm/sesm_313
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Predefined Roles and Rules

Predefined Roles and Rules

A set of predefined RBAC roles and rules are installed when the DESS software is installed if the RBAC objects are chosen for installation. You can use the predefined roles and rules as models for the roles and rules that your deployment will use. This appendix explains the predefined roles and rules.

Predefined Roles

The DESS software provides the set of predefined roles described in Table A-1. You can use a predefined role as it exists or use it as a model for creating a similar role with a modified set of privileges.


Table A-1: DESS/AUTH Predefined Roles
Predefined Role Privileges Dynamic Subject
Occupants

ACCOUNT_MANAGER_ROLE

Cisco_Dess_CreateAccount
Cisco_Dess_DeleteAccount
Cisco_Dess_CreateSubAccount
Cisco_Dess_DeleteSubAccount

None

CREATOR_SUPERVISOR_ROLE

This is a superuser role and should not be deleted.

Cisco_Dess_Supervisor
Cisco_Azn_Super

Creator

PARENT_MANAGE_ROLE

Cisco_Dess_Manage

Parent

PUBLISHER_ROLE

Cisco_Dess_CreateService
Cisco_Dess_CreateServiceGroup
Cisco_Dess_DeleteService
Cisco_Dess_Subscribe

None

SELF_MANAGE_ROLE

Cisco_Dess_Manage

Self

SELF_SERVICE_ROLE

Cisco_Dess_Manage_Password
Cisco_Dess_Modify
Cisco_Dess_Read

Self

SUBSCRIBER_ROLE

Cisco_Dess_Subscribe

None

SUPERVISOR_ROLE

Cisco_Azn_Super
Cisco_Dess_Supervisor

None

Predefined Rules

Each predefined role (Table A-1) has a corresponding a predefined rule. Table A-2 lists the predefined rules. For example, the ACCOUNT_MANAGER_ROLE is the affected role in the ACCOUNT_MANAGER_RULE. The predefined rules specify the conditions and the resources for the privileges granted by the corresponding role. For the predefined rules (for example, SUBSCRIBER_RULE) where no resources are specified, the service-provider administrator can update the rule and define resources after the RBAC objects installed.


Table A-2: DESS/AUTH Predefined Rules
Predefined Rule Corresponding Role

ACCOUNT_MANAGER_RULE

ACCOUNT_MANAGER_ROLE

CREATOR_SUPERVISOR_RULE

CREATOR_SUPERVISOR_ROLE

PARENT_MANAGE_RULE

PARENT_MANAGE_ROLE

PUBLISHER_RULE

PUBLISHER_ROLE

SELF_MANAGE_RULE

SELF_MANAGE_ROLE

SELF_SERVICE_RULE

SELF_SERVICE_ROLE

SUBSCRIBER_RULE

SUBSCRIBER_ROLE

SUPERVISOR_RULE

SUPERVISOR_ROLE

Two of the predefined rules have resources defined: SELF_MANAGE_RULE and SUPERVISOR_RULE. In both cases, the resources are defined as the Organizational Unit container (for example, ou=sesm, o=cisco) where the CDAT/DESS objects are created. Therefore, the privileges are for all applicable resources in the sesm Organizational Unit of the cisco Organization. The sesm Organizational Unit and cisco Organization are the default values when the SESM software is installed. The installer can change these values during the DESS software installation.


hometocprevnextglossaryfeedbacksearchhelp
Posted: Thu Oct 10 12:52:20 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.