topic Authorization, restrict commands in Network Access Control

Authorization, restrict commands

cgarcia02 — Mon, 11 Mar 2019 02:45:35 GMT

Hello all, I have a problem, I am using ACS 5.3 I have a two set of DeviceGroups (router & switch) and two set of users (G1,G2), here is my question, how can I achieve this:

G1: can hace full access to DeviceGroup1 and DeviceGrup2 --> This works

here comes the tricky part for me....

G2: can have "read only" access to DeviceGroup1 but full access to DeviceGroup2

Have anyone asked this before or is there any document on how to do this.

Thanks a lot!!

Re: Authorization, restrict commands

nspasov — Fri, 09 Nov 2012 23:35:09 GMT

Hello Cesar-

You can definitely do this in ACS. When you are creating your authorization policies you can be very flexible with the way you grant and deny access to your devices. For your example, you can build rules that are based on:

1. The end user identity group (this can be both internal or AD)

2. The devices type (Switches, routers, etc)

3. The device location (Campus A, Campus B, etc)

So for example, if the user is in the network admin group then he/she will be given full access regardless of device location/type (1st screen shot) but if the user is let's say a "switch admin" then that user will be given full access to switches (2nd screen shot) but only read only access to routers (3rd screen shot)

I hope this makes sense!

Thank you for rating!

Re: Authorization, restrict commands

cgarcia02 — Mon, 12 Nov 2012 17:25:46 GMT

Hello Neno, thanks a lot this is what I was looking for, it worked !

Re: Authorization, restrict commands

nspasov — Mon, 12 Nov 2012 18:31:00 GMT

Good to hear and glad I could help!