cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3199
Views
10
Helpful
5
Replies

acces right ISE 3.0

cguignard
Level 1
Level 1

Hello,

 

I have an ISE 3.0 and I would like to give access to "Import endpoints from CSV file" in Identities/endpoint to ISE administrators, I already gave access to logs and import menu, but when I click to test it tells me I don't have the rights.

 

Thanks for your help

 

1 Accepted Solution

Accepted Solutions

I don't know what you consider a "site domain" but hopefully Endpoint Identity Groups is what you want since you are importing MAC addresses.

Scenario: "Allow administrator thomas to only import endpoints to the Cisco-IP-Phones endpoint identity group"

 

  1. Create a new Admin Group to only allow IPPhone_Admins to import/manage IP Phone endpoints:

    Screen Shot 2021-08-06 at 2.56.53 PM.png

  2. Create the Admin Data Access permission to only allow Full Access (Read/Write) to the Cisco-IP-Phone endpoint identity group:

    Screen Shot 2021-08-06 at 3.11.45 PM.png

  3. Create the Phone_Admin RBAC_Policy for IPPhone_Admins to only access the IDentity Mangement menu and edit data for Cisco-IP-Phones group:

    Screen Shot 2021-08-06 at 2.58.43 PM.png

  4. Assign admin user thomas in the IPPhone_Admins Admin Group:

    Screen Shot 2021-08-06 at 3.01.10 PM.png

  5. Logout as admin and login as thomas.
    Notice that my menu access is limited only to Identity Management menu:
    Screen Shot 2021-08-06 at 3.01.49 PM.png
  6. Look at the Endpoint Identity Groups...  thomas can only see Cisco-IP-Phones and the parent group(s):
    Screen Shot 2021-08-06 at 3.14.25 PM.png
  7. Go to Context Visibility to Import From File endpoints (IP Phones!) from a CSV file:
    Screen Shot 2021-08-06 at 3.14.52 PM.png
  8. Successfully imported 3 x Cisco IP Phones!
    Note: The Endpoint Profile only matches "Cisco-Device" because it only knows the Cisco MAC address OUI, it doesn't have additional protocol information to classify these as IP Phones yet.
    Screen Shot 2021-08-06 at 3.15.31 PM.png
  9. Go back to Endpoint Identity Groups and see the added phones under Cisco-IP-Phone!
    Screen Shot 2021-08-06 at 3.16.01 PM.png

 8-)

 

 

 

 

View solution in original post

5 Replies 5

Greg Gibbs
Cisco Employee
Cisco Employee

To manage endpoints, you would need the Identity Admin role. The built-in Identity Admin group should provide the permissions you're looking for. See the Admin Guide for more information on the RBAC roles.

i just give access right for "Import endpoints from CSV file" and "live Log" and "Live Sessions", and more when the user import Mac address is just in datase.

 

it would be necessary that the administrator can only import mac addresses on their site domain, and not on all the sites, that's why I made bases by site

 

I don't know what you consider a "site domain" but hopefully Endpoint Identity Groups is what you want since you are importing MAC addresses.

Scenario: "Allow administrator thomas to only import endpoints to the Cisco-IP-Phones endpoint identity group"

 

  1. Create a new Admin Group to only allow IPPhone_Admins to import/manage IP Phone endpoints:

    Screen Shot 2021-08-06 at 2.56.53 PM.png

  2. Create the Admin Data Access permission to only allow Full Access (Read/Write) to the Cisco-IP-Phone endpoint identity group:

    Screen Shot 2021-08-06 at 3.11.45 PM.png

  3. Create the Phone_Admin RBAC_Policy for IPPhone_Admins to only access the IDentity Mangement menu and edit data for Cisco-IP-Phones group:

    Screen Shot 2021-08-06 at 2.58.43 PM.png

  4. Assign admin user thomas in the IPPhone_Admins Admin Group:

    Screen Shot 2021-08-06 at 3.01.10 PM.png

  5. Logout as admin and login as thomas.
    Notice that my menu access is limited only to Identity Management menu:
    Screen Shot 2021-08-06 at 3.01.49 PM.png
  6. Look at the Endpoint Identity Groups...  thomas can only see Cisco-IP-Phones and the parent group(s):
    Screen Shot 2021-08-06 at 3.14.25 PM.png
  7. Go to Context Visibility to Import From File endpoints (IP Phones!) from a CSV file:
    Screen Shot 2021-08-06 at 3.14.52 PM.png
  8. Successfully imported 3 x Cisco IP Phones!
    Note: The Endpoint Profile only matches "Cisco-Device" because it only knows the Cisco MAC address OUI, it doesn't have additional protocol information to classify these as IP Phones yet.
    Screen Shot 2021-08-06 at 3.15.31 PM.png
  9. Go back to Endpoint Identity Groups and see the added phones under Cisco-IP-Phone!
    Screen Shot 2021-08-06 at 3.16.01 PM.png

 8-)

 

 

 

 

cguignard
Level 1
Level 1

Hi,

 

i see that solution, this is the one I had already made.

 

But I didn't want to give access to so many menus, I wanted to restrict the menus. Thanks anyway for your precious help

 

 

Hi @cguignard ,

 when you talk about "... I didn't want to give access to so many menus ...", you mean something like this:

Menu.png

 

If the answer is Yes, you are able to configure the Menus at: Administration > System > Admin Access > Authorization > Permissions > Data Access ... change the Data Access Privileges.

 

Hope this helps !!!