48-21
FireSIGHT System User Guide
Chapter 48      Managing Users
Managing Authentication Objects
For example, on a Microsoft Active Directory Server, use the sAMAccountName shell access attribute to retrieve shell access users by typing sAMAccountName in the Shell Access Attribute field.
Step 12
For the next step, you have two choices:
  • If you want to configure user default roles based on LDAP group membership, continue with .
  • If you are not using LDAP groups for authentication, continue with .
Configuring Access Settings by Group
License: Any
If you prefer to base default access settings on a user’s membership in an LDAP group, you can specify distinguished names for existing groups on your LDAP server for each of the access roles used by your FireSIGHT System. When you do so, you can configure a default access setting for those users detected by LDAP that do not belong to any specified groups. When a user logs in, the FireSIGHT System dynamically checks the LDAP server and assigns default access rights according to the user’s current group membership.

Any group you reference must exist on the LDAP server. You can reference static LDAP groups or dynamic LDAP groups. Static LDAP groups are groups where membership is determined by group object attributes that point to specific users, and dynamic LDAP groups are groups where membership is determined by creating an LDAP search that retrieves group users based on user object attributes. Group access settings for a role only affect users who are members of the group.
The access rights granted when a user logs into the FireSIGHT System depend on the LDAP configuration:
  • If no group access settings are configured for your LDAP server, when a new user logs in, the FireSIGHT System authenticates the user against the LDAP server and then grants user rights based on the default minimum access role set in the system policy.
  • If you configure any group settings, new users belonging to specified groups inherit the minimum access setting for the groups where they are members.
  • If a new user does not belong to any specified groups, the user is assigned the default minimum access role specified in the Group Controlled Access Roles section of the authentication object.
  • If a user belongs to more than one configured group, the user receives the access role for the group with the highest access as a minimum access role.
You cannot use the FireSIGHT System user management page to remove the minimum access rights for users assigned an access role because of LDAP group membership. You can, however, assign additional rights. When you modify the access rights for an externally authenticated user, the Authentication Method column on the User Management page provides a status of External - Locally Modified.
Note: If you use a dynamic group, the LDAP query is used exactly as it is configured on the LDAP server. For this reason, the FireSIGHT System limits the number of recursions of a search to four to prevent search syntax errors from causing infinite loops. If a user’s group membership is not established in those recursions, the default access role defined in the Group Controlled Access Roles section is granted to the user.
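The following is an added example, not code from the FireSIGHT System User Guide or from Cisco. It models two of the rules described above so that an administrator can reason about what role a given directory user will land in: the precedence rules for group-controlled access roles (highest-ranked role among matching groups, otherwise the configured default role) and the four-recursion cap on nested group expansion. The role names, group and user distinguished names, role ranking and the directory snapshot are all constructed for illustration; the real system queries the LDAP server at login time rather than a static table.

```python
# Added example, not from the FireSIGHT System User Guide or Cisco's code.
# Models the documented rules: the highest-ranked role among the configured
# groups a user belongs to wins, a user in no configured group gets the
# default role, and nested-group expansion stops after four recursions.
# Every DN, role name and directory entry below is constructed.

MAX_RECURSION = 4  # documented limit on search recursions


def group_dn(cn):
    """Build a constructed group DN from its cn."""
    return f"cn={cn},ou=groups,dc=example,dc=com"


def user_dn(uid):
    """Build a constructed user DN from its uid."""
    return f"uid={uid},ou=people,dc=example,dc=com"


# Constructed role ranking, least to most privileged.
ROLE_RANK = {
    "Security Analyst (Read Only)": 0,
    "Security Analyst": 1,
    "Administrator": 2,
}

# Constructed group -> role mapping, as it would be entered in the
# Group Controlled Access Roles section of an authentication object.
GROUP_ROLES = {
    group_dn("fmc-admins"): "Administrator",
    group_dn("fmc-analysts"): "Security Analyst",
}
DEFAULT_ROLE = "Security Analyst (Read Only)"

# Constructed directory snapshot: group DN -> member DNs (users or groups).
# A deep chain of nested groups and a membership loop are included on
# purpose to show the effect of the recursion cap.
DIRECTORY = {
    group_dn("fmc-admins"): {group_dn("ops-leads"), user_dn("dave")},
    group_dn("ops-leads"): {user_dn("alice"), group_dn("chain1")},
    group_dn("chain1"): {group_dn("chain2")},
    group_dn("chain2"): {group_dn("chain3")},
    group_dn("chain3"): {user_dn("erin"), group_dn("chain4")},  # depth 4
    group_dn("chain4"): {user_dn("frank")},                     # depth 5
    group_dn("fmc-analysts"): {user_dn("bob"), user_dn("dave"),
                               group_dn("tier1"), group_dn("loop-a")},
    group_dn("tier1"): {user_dn("carol")},
    group_dn("loop-a"): {group_dn("loop-b")},
    group_dn("loop-b"): {group_dn("loop-a")},
}


def is_member(user, group, depth=0):
    """Return True if `user` is a direct or nested member of `group`.

    Nested groups are expanded recursively, but expansion stops once
    `depth` reaches MAX_RECURSION, so a loop in the directory data (or a
    member more than four levels deep) yields False instead of running
    forever.
    """
    members = DIRECTORY.get(group, set())
    if user in members:
        return True
    if depth >= MAX_RECURSION:
        return False
    return any(is_member(user, nested, depth + 1)
               for nested in members if nested in DIRECTORY)


def resolve_default_role(user):
    """Return (role, matched_group_dns) for an externally authenticated user.

    The role of the matching group with the highest rank is used; a user
    matching no configured group receives DEFAULT_ROLE.
    """
    matched = [g for g in GROUP_ROLES if is_member(user, g)]
    if not matched:
        return DEFAULT_ROLE, []
    best = max(matched, key=lambda g: ROLE_RANK[GROUP_ROLES[g]])
    return GROUP_ROLES[best], matched


if __name__ == "__main__":
    for uid in ("alice", "carol", "dave", "erin", "frank", "zed"):
        role, groups = resolve_default_role(user_dn(uid))
        short = [g.split(",")[0] for g in groups]
        print(f"{uid:6s} -> {role!r} via {short}")
```

In this model `dave`, a member of both configured groups, resolves to Administrator because that group's role ranks highest; `erin`, reached at the fourth level of nesting, is still matched, while `frank` one level deeper is not and falls back to the default role, and the `loop-a`/`loop-b` cycle terminates because of the cap rather than recursing indefinitely.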