1661 Views | 0 Helpful | 6 Replies

Grant Read-Only access to ISE DACLs

anthonylofreso
Level 4

TL;DR... Is there a simple way to share (solely) DACL information? Any add/del/chg regarding DACLs would be of interest.


If you view the DACL_Report_Details screenshot attached, can I somehow pull a logfile from ISE that contains a running list of the Modified Properties section:


object created: dACL=permit ip any any dACLGenerationId=1535560553\RESOURCE=blah_blah


endtldr


Our infosec team requested read access to our ISE deployment, prompting me to jump into the RBAC config for the first time. I'm noticing (per the attached ISE_RO screenshot) that this is not as granular as I thought it would be.


Initially I thought I could create an account with Read-Only access to basically the entire GUI... but quickly discovered that if a menu is visible to a user, it's God mode always for that menu.


So then I thought, this is fine. I'll give access to just: Operations > Reports... but when you do this and log in as the user, it tries to drop them on the default Operations > RADIUS > Live Logs page. And since the user does not have permissions to view the Live Logs page, it just spams you with "Page not accessible ... The page you are trying to load is not accessible due to insufficient privileges." and you cannot navigate away.


Onto the next idea. I really only care about sharing details regarding DACLs. So I built a report (DACL_Report.png attached) and noticed that when you click on the blue Event link, you get a nice detailed summary of all the information one would want (DACL_Report_Details.png attached). Though from what I can tell there's no easy way to export the information displayed on the Configuration Audit Detail page.


Any ideas?
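As an added example (not from the original post and not part of ISE itself), here is a small Python filter that pulls only the DACL add/delete/modify entries out of a plain-text audit export, shaped after the single Modified Properties line quoted above, and flags any DACL that ends up as an unrestricted "permit ip any any". The "deleted"/"modified" verbs, the sample lines and the assumption that the export is one entry per line are all constructed for illustration; only the "object created" line appears on the page.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Pattern shaped after the Modified Properties line in the post:
#   object created: dACL=permit ip any any dACLGenerationId=1535560553\RESOURCE=blah_blah
# "deleted" and "modified" are ASSUMED verbs for the other change types.
_DACL_RE = re.compile(
    r"object (?P<action>created|deleted|modified):\s*"
    r"dACL=(?P<ace>.*?)\s*dACLGenerationId=(?P<gen>\d+)"
    r"(?:\\RESOURCE=(?P<resource>\S+))?"
)

@dataclass(frozen=True)
class DaclChange:
    action: str          # created / deleted / modified
    resource: str        # DACL name after \RESOURCE=
    generation_id: int   # dACLGenerationId value
    ace: str             # the ACE text that was written

    @property
    def wide_open(self) -> bool:
        # A DACL that permits all IP traffic applies no restriction to the session;
        # this is the kind of change an infosec reviewer wants surfaced first.
        return re.fullmatch(r"permit\s+ip\s+any\s+any", self.ace, re.IGNORECASE) is not None

def parse_dacl_changes(lines: Iterable[str]) -> List[DaclChange]:
    """Keep only DACL entries; every other audit record (profiles, policies, ...) is skipped."""
    found = []
    for line in lines:
        m = _DACL_RE.search(line)
        if m:
            found.append(DaclChange(m["action"], m["resource"] or "", int(m["gen"]), m["ace"].strip()))
    return found

def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count DACL changes per action, e.g. {'created': 1, 'modified': 1, 'deleted': 1}."""
    counts: Dict[str, int] = {}
    for change in parse_dacl_changes(lines):
        counts[change.action] = counts.get(change.action, 0) + 1
    return counts

# Constructed sample export: one DACL line copied from the post plus made-up neighbours.
SAMPLE_AUDIT = [
    r"object created: dACL=permit ip any any dACLGenerationId=1535560553\RESOURCE=blah_blah",
    r"object modified: AuthorizationProfile=Guest_Access (not a DACL, must be ignored)",
    r"object modified: dACL=permit tcp any any eq 443 dACLGenerationId=1535560600\RESOURCE=Web_Only",
    r"object deleted: dACL=deny ip any any dACLGenerationId=1535560553\RESOURCE=blah_blah",
]

if __name__ == "__main__":
    for c in parse_dacl_changes(SAMPLE_AUDIT):
        print(f"{c.action:8} {c.resource:12} gen={c.generation_id} ace={c.ace!r} wide_open={c.wide_open}")
```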

1 Accepted Solution

paul
Level 10

What version are you running? There is a built-in role in 2.3+ for Read-Only Admin, which is the exact role you give to security/auditors. They can see everything and do nothing.

6 Replies


Ah, good to know. We run 2.2 patch 5.

I am pretty sure I did a manual Read-Only prior to the role being added. You give them full access to the GUI, but you make sure the data set you assign them has everything set to read-only.


I did try that, but the data sets seem to be limited to things like endpoints and identity groups. I was able to delete DACLs all day long as the read-only user.

Yeah, I think that sounds right. Easy solution: just upgrade ISE. :)


Ugh. Yay.