Solved: Re: Restrict accessing specific data for ERS API access

masyamad · ‎08-30-2018

Hi dev team,

Now my customer is considering specific admin user can access only some specific network user group.

It could be achieved by admin authorization policy. (Administration -> Authorization -> Policy).

It does work as expected, but when we tried to configure same user group via ERS API, we faced un-authorized error. Do we need special configuration for restrict data area via ERS API access?

hslai · ‎08-31-2018

Prerequisites for Using the External RESTful Services API Calls says,

You must have External RESTful Services Admin privileges.

View solution in original post

hslai · ‎08-30-2018

ERS API does not follow the same RBAC as those used in ISE admin web UI. I believe you need to discuss this requirement with our PM team and raise it as an enhancement.

masyamad · ‎08-30-2018

> ERS API does not follow the same RBAC as those used in ISE admin web UI.
I see. Thanks. Actually I & my customer didn't notice the implementation during design session for admin access.
I hope the behavior is documented on admin access section on ISE guides.

- ISE guides: Admin Access Policies
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0101.html

hslai · ‎08-31-2018

Prerequisites for Using the External RESTful Services API Calls says,

You must have External RESTful Services Admin privileges.

masyamad · ‎09-11-2018

Thanks. But it's different URL. I hope Admin Access Policies also has similar description.