Hi
I have an ISE installation, and on there I have an endpoint identity group.
I wish to create a special user, which can be used to login to the GUI, and add/remove endpoints in that specific group.
I've made the menu access, data access and the policy, so everything up till now is okay.
When the user logs into ISE, it opens "Work Centers" - "Id Groups" and shows that specific group I gave full access to.
But the user can actually create new groups, and delete them again. When I look into the "Data Access" policy, I see that even though I set "Read Only" on the "Endpoint Identity Group" and "Full Access" on the specific group, it does not work.
If I choose "Full Access" on one group, it kind of "backward inherits" that privilege to the "Endpoint Identity Group".
To summarize, create a local user on ISE. That user should only have access to view and edit endpoints in one group.
They should not be able to create new groups or delete groups, including the group they have full access to. Only full access to the content of the group, not the group itself.
Addition:
I've just discovered that with this user, which has full access to one group only, if the user deletes the only group they have access to, they get full access to all groups.