topic Re: Multi-tenant admin group for ISE platform in Network Access Control

Multi-tenant admin group for ISE platform

vidave — Fri, 21 Dec 2018 02:46:13 GMT

Hi Team,

Customer using 2.3P5 version, Currently it only supports single tenancy (ie. Single Admin group). Customer looking at migrating four different networks to this platform and there may be a requirement to have the different operational groups managing their own four network.

What’s the current Roadmap for the ISE Platform?

Thank you,

Regards,

Dave Viral

+6 470254746

Re: Multi-tenant admin group for ISE platform

Arne Bier — Fri, 21 Dec 2018 05:10:36 GMT

You'll have a hard time getting roadmap information on this forum - best to reach out internally to the ISE PM.

Has your customer considered using RBAC? You can create some Data Access restrictions that will ensure that only the right people can edit their allowed devices.

It doesn't seem possible to HIDE the non-allowed devices - but you can enforce adds/changes to be made.

e.g. below the user group member can only edit the devices that are in location IPTEL-LOCATION-MILTON

If they try editing any other devices they get a GUI error.

It's not perfect, but potentially useful. You can hide menu items though - but in a multi-tenanted environment the data hiding is probably more important. It seems like a bug to me that you can specify "No access" to ertain data elements, but ISE will still display the data.

Re: Multi-tenant admin group for ISE platform

hslai — Sat, 22 Dec 2018 02:27:41 GMT

This is possible but with some limitation -- See CSCvb55884