Administrators, Groups, Roles, and Tenants
The types of functions that network administrators can perform in Cisco Prime Network Registrar are based on the roles assigned to them. Local and regional administrators can define these roles to provide granularity for the network administration functions. Cisco Prime Network Registrar predefines a set of base roles that segment the administrative functions. From these base roles you can define further constrained roles that are limited to administering particular addresses, zones, and other network objects.
The mechanism to associate administrators with their roles is to place the administrators in groups that include these roles.
The data and configuration that can be viewed by an administrator can also be restricted by tenant. When an administrator is assigned a tenant tag, access is further restricted to configuration objects that are assigned to the tenant or made available for tenant use as read-only core configuration objects.
How Administrators Relate to Groups, Roles, and Tenants
There are four administrator objects in Cisco Prime Network Registrar—administrator, group, role, and tenant:
- Administrator — An account that logs in and that, through its association with one or more administrator groups, can perform certain functions based on its assigned role or roles. At the local cluster, these functions are administering the local Central Configuration Management (CCM) server and databases, hosts, zones, address space, and DHCP. At the regional cluster, they administer the regional CCM server and databases, central configuration, and regional address space. An administrator must be assigned to at least one group to be effective. Adding administrators is described in Managing Administrators.
- Group — A grouping of roles. You must associate one or more groups with an administrator, and a group must be assigned at least one role to be usable. The predefined groups that Cisco Prime Network Registrar provides map each role to a unique group. Adding groups is described in Managing Groups.
- Role — Defines the network objects that an administrator can manage and the functions that an administrator can perform. A set of predefined roles is created at installation, and you can define additional constrained roles. Some of the roles include subroles that provide further functional constraints. Adding roles is described in Managing Roles.
- Tenant — Identifies a tenant organization or group that is associated with a set of administrators. When you create tenants, the data stored on both regional and local clusters is segmented by tenant. A tenant cannot access the data of another tenant. Adding tenants is described in Managing Tenants.
Administrator Types
There are two basic types of administrators: superusers and specialized administrators:
- Superuser — Administrator with unrestricted access to the web UI, CLI, and all features. This administrator type should be restricted to a few individuals. The superuser privilege of an administrator overrides all its other roles.
Tip
You have to create the superuser and password at installation, or when you first log in to the web UI.
When a superuser is assigned a tenant tag, unrestricted access is only granted for corresponding tenant data. Data of other tenants cannot be viewed, and core objects are restricted to read-only access.
- Specialized — Administrator created by name to fulfill specialized functions, for example, to administer a specific DNS forward or reverse zone, based on the role (and subrole, if applicable) assigned to the administrator. Specialized administrators, like the superuser, require a password, but must also be assigned at least one administrator group that defines the relevant roles. The CLI provides the admin command.
For an example of creating a local zone or host administrator, see Create the Administrators.
A specialized user that is assigned a tenant tag can only access corresponding tenant or core data that also matches the relevant roles. Core data is further restricted to read-only access.
Roles, Subroles, and Constraints
A license type is associated with each role-subrole combination. A role-subrole is enabled only if that license is available in that cluster.
You can limit an administrator role by applying constraints. For example, you can use the host-admin base role to create a host administrator, named 192.168.50-host-admin, who is constrained to the 192.168.50.0 subnet. The administrator assigned a group that includes this role then logs in with this constraint in effect. Adding roles and subroles is described in Managing Roles.
You can further limit a constrained role to read-only access: the administrator can read any of the data covered by that role, but not modify it. However, if the same data is also covered by a read-write role assigned to the administrator, the read-write privilege supersedes the read-only constraint.
Tip
An example of adding role constraints is in Create a Host Administrator Role with Constraints.
DNS and host administrator roles interact as follows. You can combine an unconstrained dns-admin role with any host-admin role in a group. For example, combining the dns-admin-readonly role and a host-admin role in a group (and naming the group host-rw-dns-ro) provides full host access and read-only access to zones and RRs. However, if you assign a constrained dns-admin role along with a host-admin role to a group and then to an administrator, the constrained dns-admin role takes precedence, and the privileges in effect at login preclude any host administration.
Certain roles provide subroles with which you can further limit the role functionality. For example, the local ccm-admin or regional-admin, with just the owner-region subrole applied, can manage only owners and regions. By default, all the possible subroles apply when you create a constrained role.
The predefined roles are described in Table 1 (local), and Table 2 (regional).
Table 1. Predefined local roles

| Local Role | Subroles and Active Functionality |
|---|---|
| addrblock-admin | Core functionality: Manage address blocks, subnets, and reverse DNS zones (also requires dns-admin); and notify of scope activity. |
| ccm-admin | Core functionality: Manage access control lists (ACLs) and encryption keys. |
| cdns-admin | Core functionality: Manage the in-memory cache (flush cache and flush cache name). |
| cfg-admin | Core functionality: Manage clusters. |
| dhcp-admin | Core functionality: Manage DHCP scopes and templates, policies, clients, client-classes, options, leases, and reservations. |
| dns-admin | Core functionality: Manage DNS zones and templates, resource records, secondary servers, and hosts. |
| host-admin | Core functionality: Manage DNS hosts. (Note that if an administrator is also assigned a constrained dns-admin role, that role overrides the host-admin definition and the administrator is not assigned the host-admin role.) |

Table 2. Predefined regional roles

| Regional Role | Subroles and Active Functionality |
|---|---|
| central-cfg-admin | Core functionality: Manage clusters and view replica data. |
| central-dns-admin | Core functionality: Manage DNS zones and templates, hosts, resource records, and secondary servers; and create subzones and reverse zones. |
| central-host-admin | Core functionality: Manage DNS hosts. (Note that if an administrator is also assigned a constrained central-dns-admin role, that role overrides the central-host-admin definition and the administrator is not assigned the central-host-admin role.) |
| regional-admin | Core functionality: Manage licenses and encryption keys. |
| regional-addr-admin | Core functionality: Manage address blocks, subnets, and address ranges; generate allocation reports; and pull replica address space data. |
Groups
Administrator groups are the mechanism used to assign roles to administrators. Hence, a group must consist of one or more administrator roles to be usable. When you first install Cisco Prime Network Registrar, a predefined group is created to correspond to each predefined role.
Roles with the same base role are combined; roles with different base roles are evaluated independently. For example, a group with an unconstrained dhcp-admin role and a constrained dns-admin role leaves the dns-admin privileges unchanged. When roles with the same base role are combined, the most permissive one wins: if one of them is assigned unconstrained read-write privileges, the group has unconstrained read-write privileges for that base role, even if the other roles are read-only. Therefore, to limit the read-write privileges of a user while allowing read-only access to all data, create a group that includes the unconstrained read-only role along with a constrained read-write role. (See Roles, Subroles, and Constraints for how host-admin and dns-admin roles combine in a group.)
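The precedence rules above (read-write superseding read-only on the same data, a constrained dns-admin role displacing host-admin, and tenant tags capping what a superuser or specialized administrator can reach) are easy to get wrong when designing groups. The following is an added example, not Cisco Prime Network Registrar code: a small Python model of those rules as described in Roles, Subroles, and Constraints and in this Groups section, so that a proposed group layout can be checked before it is deployed. The object shapes, the way constraints are expressed (subnets and zone names), and the assumption that an administrator without a tenant tag is not tenant-restricted are simplifications made for the example.

```python
# Toy model of the administrator / group / role / tenant access rules
# described on this page. Added example; not CPNR's own implementation.
# Assumptions: constraints are subnets or zone names, an admin with no
# tenant tag is not tenant-restricted, and roles are combined across all
# of the admin's groups.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

NONE, READ, WRITE = 0, 1, 2

# Object kinds each base role manages (from the local role table).
MANAGES = {
    "host-admin": {"host"},
    "dns-admin": {"zone", "rr", "host"},
    "dhcp-admin": {"scope", "lease"},
}


@dataclass(frozen=True)
class Obj:
    kind: str                      # "host", "zone", "rr", "scope", ...
    tenant: Optional[str] = None   # None = core configuration object
    address: Optional[str] = None  # hosts: IP address
    zone: Optional[str] = None     # hosts / RRs: owning zone


@dataclass(frozen=True)
class Role:
    name: str
    base: str
    read_only: bool = False
    subnets: tuple = ()            # empty tuples = unconstrained role
    zones: tuple = ()

    @property
    def constrained(self) -> bool:
        return bool(self.subnets or self.zones)

    def covers(self, obj: Obj) -> bool:
        """True if the role's constraint (if any) includes the object."""
        if not self.constrained:
            return True
        if obj.zone and obj.zone in self.zones:
            return True
        return bool(obj.address) and any(
            ip_address(obj.address) in ip_network(s) for s in self.subnets)


@dataclass(frozen=True)
class Group:
    name: str
    roles: tuple


@dataclass(frozen=True)
class Admin:
    name: str
    groups: tuple = ()
    superuser: bool = False
    tenant: Optional[str] = None


def effective_roles(admin: Admin) -> list:
    roles = [r for g in admin.groups for r in g.roles]
    # A constrained dns-admin role takes precedence over host-admin:
    # the host-admin role is then not assigned at all.
    if any(r.base == "dns-admin" and r.constrained for r in roles):
        roles = [r for r in roles if r.base != "host-admin"]
    return roles


def access(admin: Admin, obj: Obj) -> int:
    """Return NONE, READ or WRITE for this admin on this object."""
    ceiling = WRITE
    if admin.tenant is not None:
        # Tenant-tagged admin: other tenants' data is invisible,
        # core (tenant-less) objects are read-only.
        if obj.tenant not in (None, admin.tenant):
            return NONE
        if obj.tenant is None:
            ceiling = READ
    if admin.superuser:
        return ceiling              # superuser overrides all other roles
    best = NONE
    for role in effective_roles(admin):
        if obj.kind in MANAGES.get(role.base, ()) and role.covers(obj):
            # Roles with the same base role are combined: read-write wins.
            best = max(best, READ if role.read_only else WRITE)
    return min(best, ceiling)


# Constructed sample roles, groups and objects mirroring the page's examples.
dns_ro = Role("dns-admin-readonly", "dns-admin", read_only=True)
host_rw = Role("host-admin", "host-admin")
host_rw_dns_ro = Group("host-rw-dns-ro", (dns_ro, host_rw))

dns_example_only = Role("example-dns-admin", "dns-admin", zones=("example.com",))
constrained_dns_group = Group("example-dns", (dns_example_only, host_rw))

host_ro = Role("host-admin-readonly", "host-admin", read_only=True)
host_50 = Role("192.168.50-host-admin", "host-admin", subnets=("192.168.50.0/24",))
subnet_group = Group("host-ro-plus-50", (host_ro, host_50))

host_in_50 = Obj("host", address="192.168.50.10", zone="example.com")
host_elsewhere = Obj("host", address="10.0.0.5", zone="corp.example")
zone_obj = Obj("zone", zone="example.com")

if __name__ == "__main__":
    alice = Admin("alice", (host_rw_dns_ro,))
    print(access(alice, host_elsewhere), access(alice, zone_obj))
```

Running the model over a candidate group layout shows which combinations silently widen or collapse access: a host-admin role paired with a constrained dns-admin role yields no host administration outside that zone, while an unconstrained read-only role next to a constrained read-write role gives exactly the "read everything, write only here" layout recommended above.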