04-14-2014 09:29 AM - edited 03-10-2019 09:38 PM
Situation:
Right now I have a 3-node ACS 5.4 (soon to be 5.5) installation which provides network device authentication to a single business unit's routers/switches/etc. The cluster has the large-site and advanced Logging/monitoring licenses.
Now, after running it solely within my business unit for a number of years, various groups in the corporate hierarchy outside my business unit have expressed interest in leveraging our investment to authenticate other kinds of devices controlled by different administrator groups, but a sticking point is the inability to restrict ACS administrators beyond which sections of the GUI they can interact with. Because all the different groups are separate administrative entities, there is good reason to want that kind of restriction.
Question
Is there any way in ACS to restrict an administrator's access more granularly than GUI elements? For example, Administrator A should only be able to perform CRUD operations on Device group Y, while Administrator B should only be able to perform CRUD operations on device group Z. If not in ACS, is it possible in ISE? Device groups are the only things really impacted by this; most of the rest can be worked out politically.
I will mention that I am not really interested in using the REST APIs to create my own front-end unless that really is the only way.
04-14-2014 09:05 PM
Hey,
As of now there are no options for this feature.
A feature request from your end should get this going.
Regards,
Ed
04-16-2014 07:27 AM
For Role-Based Access Control in Cisco ISE:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_admin.html#pgfId-1595872
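The distinction the original poster is asking about is between menu-level authorization (which GUI sections an admin role may open, the only granularity ACS offers) and data-level authorization (which objects, here network device groups, the role may act on). The following is an added example, not code from the thread, from ACS or from ISE: a small policy evaluator that models both checks so the gap is concrete. The data model, the section name `network_resources`, the colon-separated hierarchical group names (assumed here to mirror the ACS convention such as `All Locations:Site`) and the role definitions are all assumptions for illustration.

```python
"""Toy RBAC evaluator: menu-level vs. data-level (device-group scoped) checks.

Added example for this thread; it is not ACS or ISE code. Role names,
section names and group names are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    CREATE = "create"
    READ = "read"
    UPDATE = "update"
    DELETE = "delete"


CRUD = frozenset(Action)
READ_ONLY = frozenset({Action.READ})


@dataclass(frozen=True)
class NetworkDevice:
    name: str
    device_group: str  # hierarchical, colon separated (assumed convention)


@dataclass(frozen=True)
class AdminRole:
    name: str
    # Menu-level permission: GUI sections the role may open (what ACS has).
    menu_access: frozenset
    # Data-level permission: device group -> allowed actions (what the
    # poster needs). A scope on a parent group also covers its children.
    device_group_scope: tuple  # tuple of (group_name, frozenset[Action])


def group_in_scope(device_group: str, scope_group: str) -> bool:
    """True if device_group is scope_group itself or a descendant of it.

    Prefix matching is done on whole path components, so a scope on
    'All Locations:BU-Y' covers 'All Locations:BU-Y:Site3' but must not
    accidentally cover 'All Locations:BU-YZ'.
    """
    return device_group == scope_group or device_group.startswith(scope_group + ":")


def authorize(role: AdminRole, section: str, action: Action, device: NetworkDevice) -> bool:
    """Deny by default; both the menu check and the data check must pass."""
    # 1. Menu-level check: can this role open the section at all?
    if section not in role.menu_access:
        return False
    # 2. Data-level check: does any scope entry cover this device's group
    #    and permit the requested action?
    for scope_group, allowed in role.device_group_scope:
        if group_in_scope(device.device_group, scope_group) and action in allowed:
            return True
    return False


# Constructed sample roles and devices (not from the thread).
ADMIN_A = AdminRole(
    name="admin-a",
    menu_access=frozenset({"network_resources"}),
    device_group_scope=(("All Locations:BU-Y", CRUD),),
)
ADMIN_B = AdminRole(
    name="admin-b",
    menu_access=frozenset({"network_resources"}),
    device_group_scope=(("All Locations:BU-Z", CRUD), ("All Locations:BU-Y", READ_ONLY)),
)
# Menu access only, no device-group scope: what ACS-style RBAC alone gives
# if the GUI section is granted but nothing narrows the data.
MENU_ONLY = AdminRole(
    name="menu-only",
    menu_access=frozenset({"network_resources"}),
    device_group_scope=(),
)

SWITCH_Y = NetworkDevice("sw-y-01", "All Locations:BU-Y:Site3")
SWITCH_Z = NetworkDevice("sw-z-01", "All Locations:BU-Z")
SWITCH_YZ = NetworkDevice("sw-yz-01", "All Locations:BU-YZ")


def demo() -> dict:
    """Return a map of (role, device, action) -> decision for the samples."""
    cases = [
        (ADMIN_A, SWITCH_Y, Action.UPDATE),
        (ADMIN_A, SWITCH_Z, Action.UPDATE),
        (ADMIN_A, SWITCH_YZ, Action.READ),
        (ADMIN_B, SWITCH_Y, Action.READ),
        (ADMIN_B, SWITCH_Y, Action.DELETE),
        (MENU_ONLY, SWITCH_Y, Action.READ),
    ]
    return {
        (r.name, d.name, a.value): authorize(r, "network_resources", a, d)
        for r, d, a in cases
    }


if __name__ == "__main__":
    for key, decision in demo().items():
        print(key, "ALLOW" if decision else "DENY")
```

The point of the example is the second check in `authorize`: with only `menu_access`, every admin who can open the network resources section can edit every device group, which is exactly the ACS limitation described in the question. The path-component prefix match in `group_in_scope` is there because a naive `startswith` would let a scope on `BU-Y` leak into a sibling group named `BU-YZ`.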