Rising star

ISE 2.4: Alarms can only be ack'd with Super Admin or System Admin

Hi everyone,

 

While creating custom menus for custom admin groups, I came across an issue where my groups don't have permissions to acknowledge any alarms even if my custom admin group has almost the exact same menu permissions as Super Admin, with full access for Data Access. 

 

I've confirmed this issue is replicated whether using an external user or an internal user.

 

1) Must a user be assigned to either Super Admin or System Admin to acknowledge any alarm?

2) Is there an open bug for this issue?

 

Thanks!

Accepted Solutions
Cisco Employee

Re: ISE 2.4: Alarms can only be ack'd with Super Admin or System Admin

I just tried the current ISE 2.5 beta build (2.5.0.353) and was able to ack the alarms as an M&T admin. Other than that, Surendra is correct -- No data access restriction on alarms.

7 REPLIES
Cisco Employee

Re: ISE 2.4: Alarms can only be ack'd with Super Admin or System Admin

Data Access permission is still limited to a few data sets. It is not implemented for the entirety of ISE yet. This is expected behavior as far as I know, but it would qualify as an enhancement request though. @Jason Kunst let me know your thoughts on this one.

Rising star

Re: ISE 2.4: Alarms can only be ack'd with Super Admin or System Admin

Are you able to do so with a custom admin group with custom menu access?

Rising star

Re: ISE 2.4: Alarms can only be ack'd with Super Admin or System Admin

So I need to open an enhancement request.

Thanks for confirming!

Cisco Employee

Re: ISE 2.4: Alarms can only be ack'd with Super Admin or System Admin

Updating the thread here. After discussion with engineering, alarm acknowledgement is allowed only for the following permission/group:

 

  • When a user belongs to Super Admin/System Admin/MnT Admin group.
  • When a user belongs to any custom group with "Super Admin Data Access & Super Admin Menu Access" permission
  • When a user belongs to any custom group with "System Admin Data Access & System Admin Menu Access" permission

 

In all other cases, the acknowledgement action is not permitted. So even when we duplicate the system-defined permission/group, the alarm acknowledgement is restricted for the user.

This is due to static checks in the code and hence by design.

 

Rising star

Re: ISE 2.4: Alarms can only be ack'd with Super Admin or System Admin

Thanks for the update,

 

That does seem like an oversight, since it would be expected that certain staff with external credentials can be assigned custom roles and yet be able to acknowledge any alarm. This is the only function I've seen which can't be mandated with custom roles.