Access to specific "Endpoint Identity Group"

girafskind
Level 1

Hi

I have an ISE installation, on which I have an endpoint identity group.

I wish to create a special user, which can be used to log in to the GUI and add/remove endpoints in that specific group.


I've made the menu access, data access and the policy, so everything up till now is okay.

When the user logs into ISE, it opens "Work Centers" - "Id Groups" and shows that specific group I gave full access to.


But the user can actually create new groups, and delete them again. When I look into the "Data Access" policy, I see that even though I made "Read Only" on the "Endpoint Identity Group" and "Full Access" to the specific group, it does not work.

If I choose "Full Access" to one group, it kind of "backward inherits" that privilege to the "Endpoint Identity Group".


To summarize, create a local user on ISE. That user should only have access to view and edit endpoints in one group.

They should not be able to create new groups or delete groups, including the group they have full access to. Only full access to the content of the group, not the group itself.


Addition:

I've just discovered that if this user, who has full access to one group only, deletes the only group they have access to, they get full access to all groups.


Not sure if this would be the case, but as there have been a few bugs reported with RBAC permissions on ISE, you might be hitting one of them. I would check on the Cisco Bug Search Tool for the version you are running:

https://www.cisco.com/c/en/us/support/web/tools/bst/bsthelp/index.html#search
