User Administration

Different types of users can be configured on the AIP-SSM, each with a role associated with it. This section covers AIP-SSM user administration.

User Account Roles and Levels

Each AIP-SSM user account has a role associated with it. There are a total of four roles that can be assigned to an account:

Administrator Account

The administrator account has the highest privilege level. Users with this role are able to do the following:

Operator Account

The operator account has the second highest privilege level. These users can view the configuration and statistics. They can also perform some administrative tasks such as modifying their own passwords, tuning signatures, and configuring shunning.

Viewer Account

Users with viewer privileges can view events and some configuration files. They can also change their own passwords.

IPS monitoring applications only require viewer access to perform their monitoring operations. However, if the application is used to perform administrative tasks, a higher privilege account is needed.

Note

The viewer account has the lowest of the privilege levels.


Service Account

The service account does not have direct access to the AIP-SSM CLI. It has access to a bash shell, which enables it to perform specific administrative tasks on the AIP-SSM. This account is not enabled by default.

Note

Only one service account can be configured on the AIP-SSM, as on any other device running Cisco IPS (CIPS) software. The service account should be created only at the request of the Cisco Technical Assistance Center (TAC).


Adding and Deleting Users by Using the CLI

This section guides you on how to create and delete users on the AIP-SSM. It also shows you how to assign different privilege levels to the users depending on their role.

Creating Users

You can add users on the AIP-SSM by using the username command. The following is the command syntax:

username name [password password] [privilege privilege]

Example 14-5 demonstrates how to create the service account, called service, with a password of cisco12345.

Example 14-5. Creating the Service Account

ChicagoSSM# configure terminal
ChicagoSSM(config)# username service password cisco12345 privilege service
ChicagoSSM(config)# exit

Example 14-6 demonstrates how two accounts are created and assigned operator and viewer roles, respectively.

Example 14-6. Creating Other Accounts

ChicagoSSM# configure terminal
ChicagoSSM(config)# username opuser password cisco12345 privilege operator
ChicagoSSM(config)# username viewuser password cisco12345 privilege viewer

A user called opuser is created and assigned operator role privileges, and a user called viewuser is created and assigned viewer privileges.

Note

Usernames must begin with an alphanumeric character and can be 1 to 64 characters in length. The minimum password length is 6 characters, and passwords can be up to 32 characters in length. Passwords may contain any character except spaces and the question mark (?).


Deleting Users

To delete users on the AIP-SSM, use the no username username command. Example 14-7 demonstrates how the user opuser is deleted from the AIP-SSM.

Example 14-7. Deleting a User

ChicagoSSM# configure terminal
ChicagoSSM(config)# no username opuser
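The following is an added example that accompanies the Creating Users and Deleting Users procedures above; it is not code from the original page or from Cisco. It encodes the username and password rules stated in the note (username 1 to 64 characters beginning with an alphanumeric; password 6 to 32 characters with no spaces or ?) and the one-service-account limit, and renders the same username and no username configuration lines shown in Examples 14-5 through 14-7 so that a batch of accounts can be validated before anyone types it into the sensor. The accounts at the bottom are constructed for illustration. The example assumes the full privilege keyword set is administrator, operator, viewer, and service; only the last three appear in the page's own examples.

```python
"""Validate and render AIP-SSM user-account CLI commands (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# ASSUMPTION: full privilege keyword set; the page shows only operator, viewer, service.
PRIVILEGES = ("administrator", "operator", "viewer", "service")

# 1 to 64 characters, the first one ASCII alphanumeric (the note states no other rule).
_USERNAME_RE = re.compile(r"[A-Za-z0-9][^\n]{0,63}")


def username_error(name: str) -> Optional[str]:
    """Return why `name` is not a valid AIP-SSM username, or None if it is."""
    if not 1 <= len(name) <= 64:
        return "username must be 1 to 64 characters long"
    if not _USERNAME_RE.fullmatch(name):
        return "username must begin with an alphanumeric character"
    return None


def password_error(password: str) -> Optional[str]:
    """Return why `password` would be rejected, or None if it is acceptable."""
    if not 6 <= len(password) <= 32:
        return "password must be 6 to 32 characters long"
    if " " in password or "?" in password:
        return "password must not contain spaces or '?'"
    return None


@dataclass(frozen=True)
class Account:
    name: str
    password: str
    privilege: str


def account_errors(accounts: Iterable[Account]) -> List[str]:
    """Collect every reason the sensor would reject this batch (empty list means OK)."""
    accounts = list(accounts)
    errors = []
    # Only one service account may exist on the AIP-SSM (see the note above).
    if sum(a.privilege == "service" for a in accounts) > 1:
        errors.append("only one service account may exist on the sensor")
    for a in accounts:
        err = username_error(a.name) or password_error(a.password)
        if err:
            errors.append(f"{a.name!r}: {err}")
        elif a.privilege not in PRIVILEGES:
            errors.append(f"{a.name!r}: unknown privilege {a.privilege!r}")
    return errors


def render_create_commands(accounts: Iterable[Account]) -> List[str]:
    """Return the config-mode lines that create `accounts` (as in Examples 14-5/14-6)."""
    accounts = list(accounts)
    errors = account_errors(accounts)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["configure terminal"]
    for a in accounts:
        # The password is in clear text on the command line, exactly as in the
        # page's examples, so terminal logs and command history will contain it.
        lines.append(f"username {a.name} password {a.password} privilege {a.privilege}")
    lines.append("exit")
    return lines


def render_delete_commands(names: Iterable[str]) -> List[str]:
    """Return the config-mode lines that remove the given users (as in Example 14-7)."""
    lines = ["configure terminal"]
    lines.extend(f"no username {n}" for n in names)
    lines.append("exit")
    return lines


if __name__ == "__main__":
    # Constructed sample: the two accounts from Example 14-6 plus a monitoring
    # integration account, which per the text needs only the viewer role.
    sample = [
        Account("opuser", "cisco12345", "operator"),
        Account("viewuser", "cisco12345", "viewer"),
        Account("monitor-app", "cisco12345", "viewer"),
    ]
    print("\n".join(render_create_commands(sample)))
    print("\n".join(render_delete_commands(["opuser"])))
```

Treat the rendered output as a secret: the clear-text passwords that appear in it are the same ones that end up in the sensor's command history and in any terminal session log.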


Changing Passwords

You can change your own password or another user's password by using the password command. To change the password of another user, you must be logged in with an account that has administrator privileges. Example 14-8 demonstrates how the AIP-SSM administrator changes the password of user viewuser.

Example 14-8. Changing viewuser's Password

ChicagoSSM# configure terminal
ChicagoSSM(config)# password viewuser
Enter New Login Password: ******
Re-enter New Login Password: ******

Example 14-9 demonstrates how you change your own password by invoking the password command from configuration mode without a username.

Example 14-9. Changing Your Own Password

ChicagoSSM# configure terminal
ChicagoSSM(config)# password
Enter New Login Password: ******
Re-enter New Login Password: ******
