Requirement: I have a custom requirement to create a Read/Write role without the ability to export passwords in ClearPass.
Solution: This can be achieved by editing the Admin Privileges under "Administration » Users and Privileges » Admin Privileges".
Configuration: Log in to ClearPass and navigate to "Administration » Users and Privileges » Admin Privileges".
Export the default Network Administrator XML.
Open the XML in any XML editor.
The default contents are as below:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Mon Jun 15 09:40:40 IST 2015" version="6.5"/>
  <AdminPrivileges>
    <AdminPrivilege allowPasswords="true" accessType="FULL" name="Network Administrator" description="A network administrator is allowed to configure all the policies in the system">
      <AdminTask taskid="con">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
      <AdminTask taskid="dnd">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
      <AdminTask taskid="mon">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
    </AdminPrivilege>
  </AdminPrivileges>
</TipsContents>
Edit the contents as below, save the file, and import it on the same Admin Privileges page:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Mon Jun 15 09:40:40 IST 2015" version="6.5"/>
  <AdminPrivileges>
    <AdminPrivilege allowPasswords="false" accessType="FULL" name="Network Administrator custom" description="A network administrator is allowed to configure all the policies in the system">
      <AdminTask taskid="con">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
      <AdminTask taskid="dnd">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
      <AdminTask taskid="mon">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
    </AdminPrivilege>
  </AdminPrivileges>
</TipsContents>
The functional change from the default XML is the attribute value on the AdminPrivilege element:
<AdminPrivilege allowPasswords="false" ...>
The role is also renamed to "Network Administrator custom" so that the import creates a new role instead of overwriting the default one. The task permissions (RWD on con, dnd and mon) are unchanged.
A user logged in with this role will not be able to export passwords of CPPM authentication sources or users.
Verification: Log in with the new role and try to export any authentication source or user credentials.
The exported XML file will not contain the password.
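To make the edit repeatable and auditable, the following added example (not part of the original article or of ClearPass itself) derives the import file from an exported Admin Privileges XML and then checks which roles in an export can still export passwords. It uses only the TipsContents namespace and element names shown above; the embedded export is a constructed, shortened copy of the default role.

```python
import copy
import xml.etree.ElementTree as ET

# Namespace used by the ClearPass TipsContents export shown in this article.
NS = "http://www.avendasys.com/tipsapiDefs/1.0"
ET.register_namespace("", NS)

# Constructed copy of the default "Network Administrator" export from this article
# (description shortened); a real export from the Admin Privileges page works the same.
DEFAULT_EXPORT = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TipsHeader exportTime="Mon Jun 15 09:40:40 IST 2015" version="6.5"/>
<AdminPrivileges>
<AdminPrivilege allowPasswords="true" accessType="FULL" name="Network Administrator" description="Default role">
<AdminTask taskid="con"><AdminTaskAction type="RWD"/></AdminTask>
<AdminTask taskid="dnd"><AdminTaskAction type="RWD"/></AdminTask>
<AdminTask taskid="mon"><AdminTaskAction type="RWD"/></AdminTask>
</AdminPrivilege>
</AdminPrivileges>
</TipsContents>
"""


def derive_no_password_role(xml_text, source_name, new_name):
    """Build an import file holding one role: a copy of `source_name`, renamed to
    `new_name`, with allowPasswords="false". Task permissions (RWD) are unchanged."""
    root = ET.fromstring(xml_text)
    privs = root.find(f"{{{NS}}}AdminPrivileges")
    source = next((p for p in privs.findall(f"{{{NS}}}AdminPrivilege")
                   if p.get("name") == source_name), None)
    if source is None:
        raise ValueError(f"role {source_name!r} not found in export")
    new_priv = copy.deepcopy(source)  # copy, so the default role is not altered
    new_priv.set("name", new_name)
    new_priv.set("allowPasswords", "false")
    # The import file carries only the new role, like the article's attachment.
    for p in list(privs):
        privs.remove(p)
    privs.append(new_priv)
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            + ET.tostring(root, encoding="unicode"))


def roles_allowing_password_export(xml_text):
    """Audit check: names of roles in an export that can still export passwords."""
    root = ET.fromstring(xml_text)
    return [p.get("name") for p in root.iter(f"{{{NS}}}AdminPrivilege")
            if p.get("allowPasswords", "false").lower() == "true"]
```

Running roles_allowing_password_export over a full Admin Privileges export is a quick way to confirm that only the intended roles keep allowPasswords="true" after the change.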
The attached file can be used to add the required role.
It will create a new role named "Network Administrator custom".
Attachments: AdminPrivileges.xml