Cisco Firepower Management Center 4000
FireSIGHT System User Guide, Chapter 48: Managing Users (page 48-4)
Understanding Cisco User Authentication
For more information on specific types of external authentication, see the following sections:
Understanding User Privileges
License: Any
The FireSIGHT System lets you allocate user privileges based on the user’s role. For example, an analyst
typically needs access to event data to analyze the security of monitored networks, but might never
require access to administrative functions for the FireSIGHT System itself. You can grant analysts
predefined roles such as Security Analyst and Discovery Admin and reserve the Administrator role for
the network administrator managing the FireSIGHT System. You can also create custom user roles with
access privileges tailored to your organization’s needs.
In the system policy on the Defense Center, you set a default access role for all users who are externally
authenticated. After an externally authenticated user logs in for the first time, you can add or remove
access rights for that user on the User Management page. If you do not modify the user’s rights, the user
has only the rights granted by default. Because you create internally authenticated users manually, you
set the access rights when you create them.
If you configured management of access rights through LDAP groups, the access rights for users are
based on their membership in LDAP groups. Each user receives the default access rights of whichever
group, among those the user belongs to, has the highest level of access. If a user does not belong to any
groups and you have configured group access, the user receives the default user access rights configured
in the authentication object for the LDAP server. If you configure group access, those settings override
the default access setting in the system policy.
Similarly, if you assign a user to specific user role lists in a RADIUS authentication object, the user
receives all assigned roles, unless one or more of those roles are mutually incompatible. If a user is on
the lists for two mutually incompatible roles, the user receives the role that has the highest level of
access. If the user does not belong to any lists and you have configured a default access role in the
authentication object, the user receives that role. If you configure default access in the authentication
object, those settings override the default access setting in the system policy.
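The LDAP and RADIUS precedence rules above, worked through as an added example (this is not Cisco code; the role ranking and the incompatible-role pair are assumptions chosen for the demonstration, and the group and user names are constructed). A script like this is useful when auditing which effective role an external user will land in before they log in for the first time.

```python
"""Resolve the effective role of an externally authenticated FireSIGHT user.

Added example, not Cisco code. It models the precedence described above:
 - LDAP: the highest-access group the user belongs to; otherwise the
   authentication object's default if group access is configured;
   otherwise the system policy default.
 - RADIUS: every role list the user is on; two mutually incompatible roles
   collapse to the higher-access one; a user on no list gets the
   authentication object's default if set, else the system policy default.
ROLE_RANK and INCOMPATIBLE are assumptions, not the product's own table.
"""

# Assumed ranking (higher = more access) for the demonstration only.
ROLE_RANK = {
    "Security Analyst (Read Only)": 1,
    "External Database User": 1,
    "Security Analyst": 2,
    "Intrusion Admin": 3,
    "Discovery Admin": 3,
    "Access Admin": 3,
    "Administrator": 10,
}
# Assumed mutually incompatible pair for the demonstration only.
INCOMPATIBLE = {frozenset({"Security Analyst", "Security Analyst (Read Only)"})}


def highest(roles):
    """Return the role with the highest level of access."""
    return max(roles, key=lambda r: ROLE_RANK[r])


def ldap_role(user_groups, group_roles, auth_default, policy_default):
    """group_roles maps an LDAP group DN to the default role set for it."""
    matched = [group_roles[g] for g in user_groups if g in group_roles]
    if matched:
        return highest(matched)
    if group_roles:  # group access configured: auth object overrides policy
        return auth_default
    return policy_default


def radius_roles(username, role_lists, auth_default, policy_default):
    """role_lists maps a role name to the set of usernames on that list."""
    roles = {role for role, users in role_lists.items() if username in users}
    if not roles:
        return {auth_default or policy_default}
    for pair in INCOMPATIBLE:
        if pair <= roles:  # both incompatible roles assigned: keep the higher
            roles -= pair
            roles.add(highest(pair))
    return roles
```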
The FireSIGHT System supports the following predefined user roles, listed in order of precedence,
depending on the features you have licensed:
• Access Admins can view and modify access control and file policies, but cannot apply their policy
changes.
• Administrators can set up the appliance’s network configuration, manage user accounts and
Collective Security Intelligence Cloud connections, and configure system policies and system
settings. Users with the Administrator role have all rights and privileges of all other roles (with the
exception of lesser, restricted versions of those privileges).
• Discovery Admins can review, modify and delete network discovery policies, but cannot apply their
policy changes.
• External Database users can query the FireSIGHT System database using an external application
that supports JDBC SSL connections. On the web interface, they can access the online help and user
preferences.
• Intrusion Admins can review, modify, and delete intrusion policies and intrusion rules.