https://community.cisco.com/t5/network-access-control/roll-based-access-control/m-p/3837682#M473878 <P>got this question from a customer</P> <P>&nbsp;</P> <P><SPAN style="caret-color: #000000; color: #000000; font-family: Calibri, sans-serif; font-size: 14.666666984558105px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; display: inline !important; float: none;">Is there a way to restrict an ISE Admin to maintaining policy for certain Identity Groups?</SPAN></P> <P>&nbsp;</P> <P><SPAN style="caret-color: #000000; color: #000000; font-family: Calibri, sans-serif; font-size: 14.666666984558105px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; display: inline !important; float: none;">Any help would be greatly appreciated.</SPAN></P> Fri, 12 Apr 2019 15:14:40 GMT darnorri 2019-04-12T15:14:40Z https://community.cisco.com/t5/network-access-control/roll-based-access-control/m-p/3837682#M473878 <P>got this question from a customer</P> <P>&nbsp;</P> <P><SPAN style="caret-color: #000000; color: #000000; font-family: Calibri, sans-serif; font-size: 14.666666984558105px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; display: inline !important; float: none;">Is there a way to restrict an ISE Admin to maintaining policy for certain Identity Groups?</SPAN></P> <P>&nbsp;</P> <P><SPAN style="caret-color: #000000; color: #000000; font-family: Calibri, sans-serif; font-size: 14.666666984558105px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; display: inline !important; float: none;">Any help would be greatly appreciated.</SPAN></P> Fri, 12 Apr 2019 15:14:40 GMT https://community.cisco.com/t5/network-access-control/roll-based-access-control/m-p/3837682#M473878 darnorri 2019-04-12T15:14:40Z https://community.cisco.com/t5/network-access-control/roll-based-access-control/m-p/3837754#M473880 As far as I know you cannot accomplish that scenario. As far as Authorization permissions for RBACL it is broken down by Menu and Data access. In the Menu access you can either Show or Hide all policy sets. However, you can grant RBACL for the admins to only manage their specific identity groups via specific configuration under Data access. That would be similar to modifying the Policy Admin Data Access role. HTH! Fri, 12 Apr 2019 17:29:24 GMT https://community.cisco.com/t5/network-access-control/roll-based-access-control/m-p/3837754#M473880 Mike.Cifelli 2019-04-12T17:29:24Z