V-271927
Cisco ACI NDM Security Technical Implementation Guide
Title
The Cisco ACI must be configured to assign appropriate user roles or access levels to authenticated users.
Description
<VulnDiscussion>Successful identification and authentication must not automatically give an entity full access to a Cisco ACI or security domain. The lack of authorization-based access control could result in the immediate compromise of, and unauthorized access to, sensitive information. All DOD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. There are multiple ways to provide this function so the site s...
Fix Text (Documentation Requirement)
View the SSP to determine the required organization-defined roles and the least privilege policies required for each role (for example, audit administrator, crypto administrator, system administrator). Assign remote users to roles based on the SSP and least privilege. Carefully assign capabilities to each role based on the SSP role assignments. A remote authentication server is required, but roles can be created, deleted, or have their access privileges to nodes and resources updated in the APIC.

To create a new role with reduced permissions, or to modify an existing role:
1. From the GUI, navigate to Admin >> AAA >> Security >> Roles.
2. Create custom roles with appropriate privileges (e.g., read-write access to specific objects).
3. Associate users with these roles, allowing the...
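The fix text leaves the check itself to the reviewer: once roles exist and users are associated with them, someone has to confirm that no account holds more than the SSP approves. The following is an added example, not part of the STIG and not Cisco code. It parses an APIC-style query response for local users and compares each user's (security domain, role, privilege type) assignments against a hypothetical SSP role plan. The class and attribute names used (aaaUser, aaaUserDomain, aaaUserRole, privType with values readPriv/writePriv) are the ACI object names as the author understands them, the query URL in the comment is assumed, and the sample response and the SSP_APPROVED plan are constructed for the example rather than captured from a fabric.

```python
"""Audit APIC user role assignments against an SSP role plan.

Added example (not from the STIG). The sample response below is
constructed; the SSP_APPROVED plan is hypothetical. The ACI object
names (aaaUser, aaaUserDomain, aaaUserRole, privType) are assumed.
"""
import json

# Constructed sample of what GET /api/class/aaaUser.json?rsp-subtree=full
# is assumed to return (assumption: not captured from a real APIC).
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "3",
    "imdata": [
        {"aaaUser": {"attributes": {"name": "alice"}, "children": [
            {"aaaUserDomain": {"attributes": {"name": "all"}, "children": [
                {"aaaUserRole": {"attributes": {"name": "admin",
                                                "privType": "writePriv"}}}]}}]}},
        {"aaaUser": {"attributes": {"name": "bob"}, "children": [
            {"aaaUserDomain": {"attributes": {"name": "all"}, "children": [
                {"aaaUserRole": {"attributes": {"name": "read-all",
                                                "privType": "readPriv"}}},
                # write access to AAA objects that the SSP plan does not grant
                {"aaaUserRole": {"attributes": {"name": "aaa",
                                                "privType": "writePriv"}}}]}}]}},
        {"aaaUser": {"attributes": {"name": "carol"}, "children": [
            {"aaaUserDomain": {"attributes": {"name": "all"}, "children": [
                {"aaaUserRole": {"attributes": {"name": "ops",
                                                "privType": "readPriv"}}}]}}]}},
    ],
})

# Hypothetical SSP role plan: for each user, the (domain, role, privType)
# triples the site has approved. Anything beyond this is a finding.
SSP_APPROVED = {
    "alice": {("all", "admin", "writePriv")},
    "bob": {("all", "read-all", "readPriv")},
    "dave": {("all", "read-all", "readPriv")},   # planned but not yet created
}


def extract_assignments(response_text):
    """Return {username: {(domain, role, privType), ...}} from the response."""
    data = json.loads(response_text)
    assignments = {}
    for item in data.get("imdata", []):
        user = item.get("aaaUser")
        if not user:
            continue
        roles = assignments.setdefault(user["attributes"]["name"], set())
        for dchild in user.get("children", []):
            domain = dchild.get("aaaUserDomain")
            if not domain:
                continue
            dname = domain["attributes"]["name"]
            for rchild in domain.get("children", []):
                role = rchild.get("aaaUserRole")
                if not role:
                    continue
                attrs = role["attributes"]
                # privType defaults to read-only when the attribute is absent
                roles.add((dname, attrs["name"], attrs.get("privType", "readPriv")))
    return assignments


def audit(assignments, approved):
    """Compare actual assignments with the SSP plan.

    Returns a sorted list of (user, reason, details) findings: users with
    roles the SSP does not grant, users absent from the plan, and planned
    users with no APIC account.
    """
    findings = []
    for user in sorted(assignments):
        actual = assignments[user]
        allowed = approved.get(user)
        if allowed is None:
            findings.append((user, "not in SSP role plan", sorted(actual)))
            continue
        excess = actual - allowed
        if excess:
            findings.append((user, "roles beyond SSP approval", sorted(excess)))
    for user in sorted(set(approved) - set(assignments)):
        findings.append((user, "in SSP plan but no APIC account", []))
    return findings


if __name__ == "__main__":
    for user, reason, details in audit(extract_assignments(SAMPLE_RESPONSE), SSP_APPROVED):
        print(f"{user}: {reason} {details}")
```

Run against a live APIC, the response text would come from the aaaUser class query after logging in; the comparison logic does not change. A user who appears with an empty set of assignments produces no finding, which is the desired outcome for an account that exists but has been stripped of roles pending SSP approval.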