Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 48 Managing Users
Managing Authentication Objects
• If specific access settings are not configured for a user and a default access role is not selected, when
a new user logs in, the FireSIGHT System authenticates the user against the RADIUS server and
then grants user rights based on the default access role (or roles) set in the system policy.
• If a new user is not specified on any lists and default access roles are selected in the Default User Role
list of the authentication object, the user is assigned those access roles.
• If you add a user to the list for one or more specific roles, that user receives all assigned access roles.
You can also use attribute-value pairs, rather than user names, to identify users who should receive a
particular user role. For example, if you know all users who should be Security Analysts have the value
Analyst for their User-Category attribute, you can type User-Category=Analyst in the Security
Analyst List field to grant that role to those users. Note that you need to define any custom attributes
before you use them to set user role membership. For more information, see
You can assign a default user role (or roles) to any users that are authenticated externally
but not listed for a specific role. You can select multiple roles on the Default User Role list.
For more information on the user roles supported by the FireSIGHT System, see
You cannot remove the minimum access rights for users assigned an access role because of RADIUS
user list membership through the FireSIGHT System user management page. You can, however, assign
additional rights.
Caution
If you want to change the minimum access setting for a user, it is not enough to move the user from one
list to another in the RADIUS Specific Parameters section or change the user’s attribute on the RADIUS
server; you must also reapply the system policy and remove the assigned user right on the user
management page.
To base access on user lists:
Access: Admin
Step 1
In the fields that correspond to FireSIGHT System user roles, type the name of each user or identifying
attribute-value pair that should be assigned to those roles. Separate usernames and attribute-value pairs
with commas.
For example, to grant the Administrator role to the users jsmith and jdoe, type jsmith, jdoe in the
Administrator field.
As another example, to grant the Maintenance User role to all users with a User-Category value of
Maintenance, type User-Category=Maintenance in the Maintenance User field.
For more information on user access roles, see .
Step 2
Select the default minimum access role for users that do not belong to any of the specified groups from
the Default User Role list.
Tip
Press the Ctrl key while clicking role names to select multiple roles.
Step 3
Continue with .
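The following added example (not Cisco code and not part of the original guide) models the role-assignment rules and the role-field syntax described in this section, so that a proposed configuration can be checked before it is applied. The function names, the single-valued attribute dictionary, and exact-match comparison of user names and values are assumptions made for the illustration.

```python
# Added illustration: models the role-assignment rules described in this section.
# Not Cisco code; all function and parameter names are hypothetical.

def parse_role_field(text):
    """Split one role field (e.g. 'jsmith, User-Category=Analyst') into
    a set of user names and a set of (attribute, value) pairs."""
    users, pairs = set(), set()
    for entry in (e.strip() for e in text.split(",")):
        if not entry:
            continue                      # tolerate trailing commas
        if "=" in entry:
            attr, value = entry.split("=", 1)
            pairs.add((attr.strip(), value.strip()))
        else:
            users.add(entry)
    return users, pairs


def resolve_roles(username, radius_attrs, role_fields,
                  object_defaults=(), policy_defaults=()):
    """Return (roles, source) for an externally authenticated user.
    Assumption: names and attribute values are compared exactly."""
    matched = set()
    for role, field in role_fields.items():
        users, pairs = parse_role_field(field)
        if username in users or any(
                radius_attrs.get(a) == v for a, v in pairs):
            matched.add(role)             # user receives all assigned roles
    if matched:
        return matched, "role list"
    if object_defaults:                   # Default User Role list of the object
        return set(object_defaults), "Default User Role list"
    return set(policy_defaults), "system policy default"


# Constructed sample configuration, built from the examples in this section.
ROLE_FIELDS = {
    "Administrator": "jsmith, jdoe",
    "Security Analyst": "User-Category=Analyst",
    "Maintenance User": "User-Category=Maintenance",
}

if __name__ == "__main__":
    # Constructed users: one listed by name, one matched by attribute, one unlisted.
    for user, attrs in [("jsmith", {"User-Category": "Analyst"}),
                        ("mlee", {"User-Category": "Maintenance"}),
                        ("guest1", {})]:
        print(user, resolve_roles(user, attrs, ROLE_FIELDS,
                                  object_defaults=["Security Analyst"]))
```

The third sample user shows the case worth reviewing in any deployment: an account that authenticates against RADIUS but matches no list still receives whatever the default role selection grants.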