ACS or ISE restricted admins

Situation:

Right now I have a 3-node ACS 5.4 (soon to be 5.5) installation which provides network device authentication to a single business unit's routers/switches/etc. The cluster has the large-site and advanced Logging/monitoring licenses.

Now, after running it solely within my business unit for a number of years, various groups in the corporate hierarchy outside my business unit have expressed interest in leveraging our investment to authenticate other kinds of devices controlled by different administrator groups, but a sticking point is the inability to restrict ACS administrators beyond which sections of the GUI they can interact with. Because all the different groups are separate administrative entities, there is good reason to want that kind of restriction.

Question

Is there any way in ACS to restrict an administrator's access more granularly than GUI elements? For example, Administrator A should only be able to perform CRUD operations on Device group Y, while Administrator B should only be able to perform CRUD operations on device group Z. If not in ACS, is it possible in ISE? Device groups are the only things really impacted by this; most of the rest can be worked out politically.

I will mention that I am not really interested in using the REST APIs to create my own front-end unless that really is the only way.

2 REPLIES

Hey,

As of now, there are no options for this feature implementation.

A feature request from your end should get this going.

Regards,

Ed

For Role-Based Access Control in Cisco ISE:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_admin.html#pgfId-1595872