https://community.cisco.com/t5/network-access-control/cisco-acs-access-restriction/m-p/3920047#M440522 <P>We are running ACS 5.8 in the environment . We have a requirement to restrict access to one specific user group (part of single identity group) to RO access to all devices . How can i write an access policy to achieve ? Do we have specific shell profile &amp; command sets to restrict access ..</P> Fri, 06 Sep 2019 07:50:39 GMT Sreejith.S 2019-09-06T07:50:39Z https://community.cisco.com/t5/network-access-control/cisco-acs-access-restriction/m-p/3920047#M440522 <P>We are running ACS 5.8 in the environment . We have a requirement to restrict access to one specific user group (part of single identity group) to RO access to all devices . How can i write an access policy to achieve ? Do we have specific shell profile &amp; command sets to restrict access ..</P> Fri, 06 Sep 2019 07:50:39 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-access-restriction/m-p/3920047#M440522 Sreejith.S 2019-09-06T07:50:39Z https://community.cisco.com/t5/network-access-control/cisco-acs-access-restriction/m-p/3920082#M440527 <P>Hi,</P><P>&nbsp;</P><P>You will need to affect shell privilege and command set in result profile linked to a condition that match your identity group.</P><P>&nbsp;</P><P>Did you try this :&nbsp;<A href="https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113590-acs5-tacacs-config.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113590-acs5-tacacs-config.html</A></P><P>&nbsp;</P><P>HTH</P><P>&nbsp;</P> Fri, 06 Sep 2019 09:05:13 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-access-restriction/m-p/3920082#M440527 ssambourg 2019-09-06T09:05:13Z