235 Views · 0 Helpful · 2 Replies
Cisco Employee

Profile a device to an Endpoint group outside of "Profiled Endpoints"

Is there a way to automatically profile a device into a higher-level, pre-defined Endpoint Group?

i.e.

- Device Group A  --> I want to put it here and not underneath "Profiled Devices"
- Device Group B
- Profiled Devices
    - Windows Machines
    - MAC Machines
    - ESXi Hosts
    - etc.

Yes I know we can move an endpoint to another group, no issues there.

The reason for this is I'm defining RBAC for different departments to be able to manage their own devices, but nobody else's. I.e. a Biomedical department that manages medical devices in a hospital should be able to add / delete medical devices, but not other devices.

This works well, as long as I assign the Menu Data Access to only the device group at the top tier.  Granting them access to a device group under the "Profiled Devices" hierarchy in turn grants them access to view and modify everything under profiled devices.

Granting access a level up, where there is no sub-tree, displays and only allows them to edit the specific device group, which is what the customer wants.  Having a person with more admin rights move the profiled devices to the upper-level group isn't operationally feasible, as they do not want to involve general "IT" in the management of their endpoints.  Yes, we can add devices manually or import them, but we want to take advantage of profiling so they can minimize the touch.

This may be a simple task, but I can't seem to get a device to profile, and populate something outside of the "Profiled Endpoints" group.

Any thoughts are appreciated.

Thanks

Accepted Solution
Advocate

Re: Profile a device to an Endpoint group outside of "Profiled Endpoints"

The option to automatically map a profile to an endpoint ID group via the "Yes, create matching Identity Group" option is limited to the Profiled category.  You cannot override that. The current logic is to create all of these dynamic profile groups under the same top-level group, "Profiled".

It is possible to create a script that automatically assigns devices in a specific profile to a select ID group via the ERS API, but then you should not use the profiler auto ID group option.  Devices will be dynamically added/removed based on the matching profile when using the "Create matching ID group" option.  It is not static unless you create exception actions and apply them to the profile.

Craig

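Craig's suggestion of scripting the assignment through the ERS API, written out as an added example (this is not code from the thread and not Cisco's own tooling). It assumes ERS is enabled on port 9060, a dedicated ERS admin account, the standard ERSEndPoint fields `profileId`, `groupId` and `staticGroupAssignment`, and that `profileId` is accepted as an endpoint search filter (an assumption to confirm against the ERS API reference for your ISE release). The profile name `Infusion-Pump`, the group name `Biomedical Devices` and the `FakeErs` sample data are constructed so the selection and update logic can be run offline without an ISE node.

```python
import base64
import json
import urllib.parse
import urllib.request

PROFILE_NAME = "Infusion-Pump"            # constructed example profile name
TARGET_GROUP_NAME = "Biomedical Devices"  # constructed example endpoint group name


class ErsClient:
    """Minimal ERS transport: basic auth + JSON over the standard library (TLS verified)."""
    def __init__(self, host, user, password, port=9060):
        self.base = f"https://{host}:{port}/ers/config"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
                        "Content-Type": "application/json"}

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, headers=self.headers, method=method)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def get_json(self, path):
        return self._call("GET", path)

    def put_json(self, path, body):
        return self._call("PUT", path, body)


def lookup_id(client, resource, name):
    """Resolve a profile or endpoint-group name to its ERS id; the name must be unique."""
    found = client.get_json(f"/{resource}?filter=name.EQ.{urllib.parse.quote(name)}")
    found = found["SearchResult"]["resources"]
    if len(found) != 1:
        raise LookupError(f"{resource} {name!r}: expected 1 match, got {len(found)}")
    return found[0]["id"]


def endpoints_to_move(endpoints, profile_id, target_group_id):
    """Pick endpoints in the profile not yet in the target group; leave admin-pinned ones alone."""
    move, skipped = [], []
    for ep in endpoints:
        if ep.get("profileId") != profile_id or ep.get("groupId") == target_group_id:
            continue
        (skipped if ep.get("staticGroupAssignment") else move).append(ep)
    return move, [ep["mac"] for ep in skipped]


def update_payload(ep, target_group_id):
    """PUT body pinning the endpoint; without staticGroupAssignment the profiler moves it back."""
    return {"ERSEndPoint": {"id": ep["id"], "mac": ep["mac"],
                            "groupId": target_group_id, "staticGroupAssignment": True}}


def sync(client, profile_name, group_name):
    """Move every endpoint matching profile_name into group_name; return (moved, skipped) MACs."""
    profile_id = lookup_id(client, "profilerprofile", profile_name)
    group_id = lookup_id(client, "endpointgroup", group_name)
    # Search hits carry only id/name/link, so each endpoint's detail is fetched separately.
    # 'profileId' as a filter attribute is an assumption; only the first page (max 100) is read.
    hits = client.get_json(f"/endpoint?filter=profileId.EQ.{profile_id}&size=100")
    details = [client.get_json(f"/endpoint/{h['id']}")["ERSEndPoint"]
               for h in hits["SearchResult"]["resources"]]
    move, skipped = endpoints_to_move(details, profile_id, group_id)
    for ep in move:
        client.put_json(f"/endpoint/{ep['id']}", update_payload(ep, group_id))
    return [ep["mac"] for ep in move], skipped


class FakeErs:
    """Offline stand-in for ErsClient holding constructed sample data (no real ISE involved)."""
    IDS = {"profilerprofile": "p-pump", "endpointgroup": "g-bio"}

    def __init__(self):
        self.endpoints = {  # e2 already in place, e3 pinned elsewhere, e4 a different profile
            "e1": {"id": "e1", "mac": "00:11:22:33:44:01", "profileId": "p-pump",
                   "groupId": "g-profiled", "staticGroupAssignment": False},
            "e2": {"id": "e2", "mac": "00:11:22:33:44:02", "profileId": "p-pump",
                   "groupId": "g-bio", "staticGroupAssignment": True},
            "e3": {"id": "e3", "mac": "00:11:22:33:44:03", "profileId": "p-pump",
                   "groupId": "g-other", "staticGroupAssignment": True},
            "e4": {"id": "e4", "mac": "00:11:22:33:44:04", "profileId": "p-other",
                   "groupId": "g-profiled", "staticGroupAssignment": False}}

    def get_json(self, path):
        resource, _, query = path.lstrip("/").partition("?")
        if resource in self.IDS:
            return {"SearchResult": {"resources": [{"id": self.IDS[resource]}]}}
        if resource == "endpoint":
            pid = query.split("profileId.EQ.")[1].split("&")[0]
            return {"SearchResult": {"resources": [{"id": i} for i, e in self.endpoints.items()
                                                   if e["profileId"] == pid]}}
        return {"ERSEndPoint": dict(self.endpoints[resource.split("/")[1]])}

    def put_json(self, path, body):
        self.endpoints[body["ERSEndPoint"]["id"]].update(body["ERSEndPoint"])
        return {}


def demo():
    """Run the sync twice against the fake; the second pass must find nothing to move."""
    fake = FakeErs()
    first = sync(fake, PROFILE_NAME, TARGET_GROUP_NAME)
    second = sync(fake, PROFILE_NAME, TARGET_GROUP_NAME)
    return first, second, fake.endpoints
```

Against a real node this runs as a scheduled job, e.g. `sync(ErsClient(host, user, password), "Infusion-Pump", "Biomedical Devices")`, under a dedicated ERS account rather than the department admins' RBAC accounts. It pins each endpoint with `staticGroupAssignment: true`, which is exactly why the "create matching Identity Group" profiler option has to stay off for that profile, and it deliberately refuses to override an endpoint that someone already pinned to a different group, reporting it instead.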

2 Replies
VIP Engager

Re: Profile a device to an Endpoint group outside of "Profiled Endpoints"

You can use RBAC to lock down at whatever level you want; you just have to remember that you need to give them read/write access to move them out of the current identity group assignment.

I was easily able to lock down an RBAC group to only be able to control the Android profiled group on the Identity group.  I gave myself Context Visibility->Endpoints and Identity Management->Groups menu access and access to read/write the Unknown, Profiled top level and Android under Profiled.  All other identity groups under profiled had no access and all other groups had no access.

I was able to assign a MAC address that was in the Unknown or general Profiled category to the Android group just fine.  If the MAC address was in one of the profiled sub-folders, I couldn't see it or manipulate it.