https://community.cisco.com/t5/network-access-control/rbac-in-ise-2-2/m-p/3523969#M519544 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I have some trouble with RBAC on ISE 2.2.0.470 and I hope somebody can clarify this.</P><P></P><P>I need different Network Device Admin groups for different locations. For example Network Device Admin from France should be able to see and edit Network Devices with location France (my own tag) and an admin from Poland should be able to see and edit all devices from Poland.</P><P></P><P>so I created different admin user groups&nbsp; and mapped them with RBAC Policy to default "Network Device Menu Access" view and custom Data groups for different locations, so far it works. But now I have some issues with data access. It doesn't matter which Data Access Privileges I give - users can see all devices or none.</P><P></P><P>Here is an example for admin user for Poland. in Data Access Permissions only location "Poland" has "Full Access", all other "no Access". But the user is able to see also all other locations.</P><P><IMG alt="permissions_ise.png" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/113647_permissions_ise.png" style="height: 538px; width: 620px;" /></P><P><IMG alt="RBAC Policy.png" class="jive-image image-3" src="/legacyfs/online/fusion/113649_RBAC Policy.png" style="height: 116px; width: 620px;" /></P><P><IMG alt="poland.PNG" class="jive-image image-2" src="https://community.cisco.com/legacyfs/online/fusion/113648_poland.PNG" style="height: 254px; width: 620px;" /></P><P></P><P>As You can see, the user is also able to see all other locations.</P><P></P><P>What could be my problem? </P></BODY></HTML> Fri, 24 Nov 2017 09:38:49 GMT Thomas Schmitt 2017-11-24T09:38:49Z https://community.cisco.com/t5/network-access-control/rbac-in-ise-2-2/m-p/3523969#M519544 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I have some trouble with RBAC on ISE 2.2.0.470 and I hope somebody can clarify this.</P><P></P><P>I need different Network Device Admin groups for different locations. For example Network Device Admin from France should be able to see and edit Network Devices with location France (my own tag) and an admin from Poland should be able to see and edit all devices from Poland.</P><P></P><P>so I created different admin user groups&nbsp; and mapped them with RBAC Policy to default "Network Device Menu Access" view and custom Data groups for different locations, so far it works. But now I have some issues with data access. It doesn't matter which Data Access Privileges I give - users can see all devices or none.</P><P></P><P>Here is an example for admin user for Poland. in Data Access Permissions only location "Poland" has "Full Access", all other "no Access". But the user is able to see also all other locations.</P><P><IMG alt="permissions_ise.png" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/113647_permissions_ise.png" style="height: 538px; width: 620px;" /></P><P><IMG alt="RBAC Policy.png" class="jive-image image-3" src="/legacyfs/online/fusion/113649_RBAC Policy.png" style="height: 116px; width: 620px;" /></P><P><IMG alt="poland.PNG" class="jive-image image-2" src="https://community.cisco.com/legacyfs/online/fusion/113648_poland.PNG" style="height: 254px; width: 620px;" /></P><P></P><P>As You can see, the user is also able to see all other locations.</P><P></P><P>What could be my problem? </P></BODY></HTML> Fri, 24 Nov 2017 09:38:49 GMT https://community.cisco.com/t5/network-access-control/rbac-in-ise-2-2/m-p/3523969#M519544 Thomas Schmitt 2017-11-24T09:38:49Z https://community.cisco.com/t5/network-access-control/rbac-in-ise-2-2/m-p/3523970#M519548 <HTML><HEAD></HEAD><BODY><P>See my response @ <A _jive_internal="true" href="https://community.cisco.com/thread/87388">How to segregate device admin access to a device group on ISE</A></P></BODY></HTML> Sun, 26 Nov 2017 22:36:12 GMT https://community.cisco.com/t5/network-access-control/rbac-in-ise-2-2/m-p/3523970#M519548 hslai 2017-11-26T22:36:12Z