The Cisco ACI must be configured to assign appropriate user roles or access levels to authenticated users.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-271927 | SRG-APP-000033-NDM-000212 | CACI-ND-000012 | SV-271927r1168428_rule | 2025-12-11 | 1 |
| Description |
|---|
| Successful identification and authentication must not automatically give an entity full access to a Cisco ACI or security domain. The lack of authorization-based access control could result in the immediate compromise of, and unauthorized access to, sensitive information. All DOD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. There are multiple ways to provide this function so the site should be prepared to demonstrate in the "Users" section that different accounts have different AV pairs, domains, or roles. Satisfies: SRG-APP-000033-NDM-000212, SRG-APP-000329-NDM-000287, SRG-APP-000177-NDM-000263, SRG-APP-000910-NDM-000300 |
| ℹ️ Check |
|---|
| Verify that users are assigned roles based on the SSP. This requirement does not apply to the account of last resort. From the GUI, navigate to Admin >> AAA >> Security >> Roles, or have the site demonstrate the method used for role and privilege separation (e.g., security domains and AV pairs supplied by the external authentication server). Verify that the roles associated with each user match the roles and privileges the SSP requires for that user. Read and write access rights must match the level of granularity required by the SSP. If any user, group, or service account is assigned to a role with privileges beyond those required and authorized by the organization, this is a finding. |
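One way to automate this check, as an added example (not Cisco or DISA material): pull the `aaaUser` objects from the APIC REST API and compare every user's security-domain/role/privilege assignment against the roles the SSP authorizes. The object and attribute names (`aaaUser`, `aaaUserDomain`, `aaaUserRole`, `privType` with values `readPriv`/`writePriv`) are the APIC's; the sample response, the user names and the SSP allow-list are constructed for the example.

```python
"""Audit APIC user-to-role assignments against an SSP allow-list.

Added example, not Cisco or DISA code.  It parses the JSON an APIC returns for
  GET /api/node/class/aaaUser.json?rsp-subtree=full&rsp-subtree-class=aaaUserDomain,aaaUserRole
and reports every (user, domain, role, privilege) tuple the SSP does not
authorize.  The response below is constructed; the SSP table is an assumed
stand-in for the site's real SSP.
"""
import json

# Constructed sample of the APIC response (real responses carry many more attributes).
SAMPLE_APIC_RESPONSE = json.dumps({
    "totalCount": "3",
    "imdata": [
        {"aaaUser": {"attributes": {"name": "admin", "accountStatus": "active"},
            "children": [{"aaaUserDomain": {"attributes": {"name": "all"},
                "children": [{"aaaUserRole": {"attributes": {"name": "admin", "privType": "writePriv"}}}]}}]}},
        {"aaaUser": {"attributes": {"name": "netops1", "accountStatus": "active"},
            "children": [{"aaaUserDomain": {"attributes": {"name": "prod"},
                "children": [
                    {"aaaUserRole": {"attributes": {"name": "ops", "privType": "writePriv"}}},
                    # read-all is granted with write rights: the SSP only allows read.
                    {"aaaUserRole": {"attributes": {"name": "read-all", "privType": "writePriv"}}}]}}]}},
        {"aaaUser": {"attributes": {"name": "svc-monitor", "accountStatus": "active"},
            "children": [{"aaaUserDomain": {"attributes": {"name": "all"},
                # a service account holding the admin role in domain "all"
                "children": [{"aaaUserRole": {"attributes": {"name": "admin", "privType": "writePriv"}}}]}}]}},
    ],
})

# Assumed SSP policy: account -> security domain -> {role: highest privType allowed}.
SSP_POLICY = {
    "netops1": {"prod": {"ops": "writePriv", "read-all": "readPriv"}},
    "svc-monitor": {"all": {"read-all": "readPriv"}},
}

# The account of last resort is out of scope for this requirement.
ACCOUNT_OF_LAST_RESORT = "admin"

PRIV_RANK = {"readPriv": 1, "writePriv": 2}


def extract_assignments(response_text):
    """Flatten the APIC response into (user, domain, role, privType) tuples."""
    assignments = []
    for item in json.loads(response_text)["imdata"]:
        user = item["aaaUser"]
        uname = user["attributes"]["name"]
        for child in user.get("children", []):
            dom = child.get("aaaUserDomain")
            if dom is None:
                continue
            dname = dom["attributes"]["name"]
            for grandchild in dom.get("children", []):
                role = grandchild.get("aaaUserRole")
                if role is None:
                    continue
                attrs = role["attributes"]
                assignments.append((uname, dname, attrs["name"], attrs["privType"]))
    return assignments


def audit(response_text, policy, exempt=(ACCOUNT_OF_LAST_RESORT,)):
    """Return a list of finding strings; an empty list means no finding."""
    findings = []
    for user, domain, role, priv in extract_assignments(response_text):
        if user in exempt:
            continue
        allowed = policy.get(user, {}).get(domain, {})
        if role not in allowed:
            findings.append(f"{user}: role {role!r} in domain {domain!r} not authorized by SSP")
        elif PRIV_RANK[priv] > PRIV_RANK[allowed[role]]:
            findings.append(f"{user}: {priv} on {role!r} in {domain!r} exceeds SSP maximum {allowed[role]}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_APIC_RESPONSE, SSP_POLICY):
        print("FINDING:", finding)
```

Against the constructed response this reports two findings: the service account holding `admin` in domain `all`, and `netops1` holding `read-all` with write rights where the SSP allows read only. Remote users authenticated through RADIUS/TACACS+ do not appear as `aaaUser` objects; their roles arrive in the AV pair, so that side of the check has to be done against the external server's configuration.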
| ✔️ Fix |
|---|
| View the SSP to determine the organization-defined roles and the least-privilege policy required for each role (for example, audit administrator, crypto administrator, system administrator). Assign remote users to roles based on the SSP and least privilege, and assign capabilities to each role carefully according to the SSP role definitions. A remote authentication server is required, but roles are still created, deleted, and associated with access privileges to nodes and resources in the APIC. To create or modify a role with reduced permissions: 1. From the GUI, navigate to Admin >> AAA >> Security >> Roles. 2. Create custom roles carrying only the privileges required (e.g., read-write access to specific objects). 3. Associate users with these roles so that they can perform only their specific tasks within the ACI fabric. Note: This procedure may use preconfigured rules and privileges. Security domains, rules, and custom roles may also be combined depending on the desired architecture and complexity of the implementation; refer to the vendor documentation for creating custom rules, privilege combinations, and security domains. For remote users, the role and security-domain assignment is carried by the external authentication server (for example, as a Cisco AV pair), not configured per user on the APIC. |
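The two artifacts the fix produces are the custom role on the APIC and the AV pair the external authentication server returns for a remote user. As an added example (not Cisco or DISA code), the following builds the REST body for a reduced-privilege `aaaRole`, refuses to include the `admin` privilege in a custom role, and generates and validates the `shell:domains` AV pair in the documented `domain/writeRoles/readRoles` form before it is loaded into RADIUS or TACACS+. The role name `tenant-ops`, domain `prod`, the SSP allow-list and the privilege subset are assumptions; confirm privilege names against Admin >> AAA >> Security >> Privileges on the target fabric.

```python
"""Build and validate least-privilege role assignments for ACI remote users.

Added example, not Cisco or DISA code.  Produces (1) the JSON body for creating
a custom aaaRole with a limited privilege list and (2) the Cisco AV pair that
maps a remote user to security domains, write roles and read roles, with a
parser that checks the AV pair against the SSP before deployment.
"""
import json
import re

# Documented AV pair format:
#   shell:domains = domainA/writeRole1|writeRole2/readRole1|readRole2,domainB/.../...
# A trailing "(uid)" UNIX id may follow the read roles; it is accepted and ignored here.
AVPAIR_PREFIX = "shell:domains="

# Assumed subset of APIC privilege names used by this example.
KNOWN_PRIVS = {"aaa", "admin", "ops", "tenant-connectivity-l3", "tenant-epg",
               "tenant-security", "fabric-equipment"}


def role_payload(name, privs, description=""):
    """JSON body for POST /api/node/mo/uni/userext/role-<name>.json.

    Refuses to mint a custom role carrying 'admin': that privilege defeats the
    point of a reduced-permission role and belongs only to the built-in admin
    role where the SSP explicitly authorizes it.
    """
    unknown = set(privs) - KNOWN_PRIVS
    if unknown:
        raise ValueError(f"unknown privilege(s): {sorted(unknown)}")
    if "admin" in privs:
        raise ValueError("custom role must not carry the 'admin' privilege")
    return json.dumps({"aaaRole": {"attributes": {
        "name": name, "priv": ",".join(sorted(privs)), "descr": description}}})


def build_avpair(assignments):
    """assignments: {domain: (write_roles, read_roles)} -> AV pair string."""
    parts = [f"{dom}/{'|'.join(w)}/{'|'.join(r)}" for dom, (w, r) in assignments.items()]
    return AVPAIR_PREFIX + ",".join(parts)


_DOMAIN_RE = re.compile(r"^([^/,|]+)/([^/,]*)/([^/,]*?)(?:\((\d+)\))?$")


def parse_avpair(avpair):
    """Parse an AV pair into {domain: (write_roles, read_roles)}; raise on bad syntax."""
    text = avpair.replace(" ", "")
    if not text.startswith(AVPAIR_PREFIX):
        raise ValueError("AV pair must start with shell:domains=")
    result = {}
    for segment in text[len(AVPAIR_PREFIX):].split(","):
        match = _DOMAIN_RE.match(segment)
        if not match:
            raise ValueError(f"malformed domain segment: {segment!r}")
        domain, writes, reads, _uid = match.groups()
        result[domain] = ([r for r in writes.split("|") if r],
                          [r for r in reads.split("|") if r])
    return result


def check_avpair_against_ssp(avpair, allowed):
    """allowed: {domain: {role: 'write' | 'read'}}.  Returns a list of violations."""
    violations = []
    for domain, (writes, reads) in parse_avpair(avpair).items():
        dom_allowed = allowed.get(domain, {})
        for role in writes:
            if dom_allowed.get(role) != "write":
                violations.append(f"write role {role!r} in domain {domain!r} not authorized")
        for role in reads:
            if role not in dom_allowed:
                violations.append(f"read role {role!r} in domain {domain!r} not authorized")
    return violations


if __name__ == "__main__":
    print(role_payload("tenant-ops", {"tenant-connectivity-l3", "tenant-epg"}, "L3 and EPG changes only"))
    avp = build_avpair({"prod": (["tenant-ops"], ["ops"])})
    print(avp)
    print(check_avpair_against_ssp(avp, {"prod": {"tenant-ops": "write", "ops": "read"}}))
    print(check_avpair_against_ssp("shell:domains = all/admin/", {"prod": {"tenant-ops": "write"}}))
```

The last line shows the classic over-grant: an AV pair of `all/admin/` hands a remote user full write access to every security domain, which is exactly the "authentication equals authorization" condition the requirement forbids.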