how to limit Network Admin access rights ONLY to the devices in their OWN region

j0liu001
Level 1

I have a group of network admins around the globe, and I need to limit their access rights ONLY to the devices in their OWN region.

For example: Group A only has access to network devices physically located in America, Group B only has access to network devices in Europe, Group C only has access to network devices in APAC, etc.

All the devices are already populated in ISE, and users for Groups A, B and C are already configured in AD (which is integrated in ISE); I just can't figure out the next step.

Thanks

Accepted Solution

paul
Level 10

You need to create the correct AD structure to support the model you want. Your AD groups should look something like this:

Network-Admin-Global
Network-Admin-NA
Network-Admin-LATAM
Network-Admin-EMEA
Network-Admin-APAC

Then in ISE you define your location structure:

All Locations#NA
All Locations#NA#Wisconsin
All Locations#LATAM
All Locations#LATAM#Mexico
All Locations#EMEA
All Locations#EMEA#France
All Locations#APAC
All Locations#APAC#China

Then you simply write your rules:

if member of Network-Admin-Global then full access
if member of Network-Admin-NA and device location starts with All Locations#NA then full access
if member of Network-Admin-LATAM and device location starts with All Locations#LATAM then full access
if member of Network-Admin-EMEA and device location starts with All Locations#EMEA then full access
if member of Network-Admin-APAC and device location starts with All Locations#APAC then full access

This same scheme allows you to have country-level administrators as well:

if member of Network-Admin-China and device location starts with All Locations#APAC#China then full access

You could possibly do other things with applying codes in AD attributes to match NDG codes on the device, but I have done the AD groups before and it is logical. If you have an admin that works on both EMEA and APAC equipment then you just add him to both AD groups.
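To make the rule logic concrete, here is an added Python model of the scheme in this answer (example code, not ISE's own policy engine and not from Paul's post). The AD group names, location strings and rule order are the ones listed above; the hierarchy check is deliberately stricter than a plain "starts with" so that a sibling location whose name merely begins with the same letters (a constructed "All Locations#NAM" case in the comments) cannot match, and a user in no group falls through to an implicit deny.

```python
"""Model of the AD-group + device-location (NDG) authorization scheme.

Added example: it mirrors the rules in the accepted answer, it is not
ISE code. Location strings use ISE's '#' hierarchy separator.
"""

SEP = "#"  # separator in NDG paths such as "All Locations#APAC#China"


def location_within(device_location: str, scope: str) -> bool:
    """True if the device sits at `scope` or anywhere beneath it.

    A bare str.startswith(scope) would let "All Locations#NA" match a
    hypothetical sibling "All Locations#NAM#..." (constructed case), so we
    require either an exact match or the separator right after the scope.
    """
    return device_location == scope or device_location.startswith(scope + SEP)


# Ordered rule table from the answer: (required AD group, location scope).
# A scope of None means "any device" (the global admins).
RULES = [
    ("Network-Admin-Global", None),
    ("Network-Admin-NA", "All Locations#NA"),
    ("Network-Admin-LATAM", "All Locations#LATAM"),
    ("Network-Admin-EMEA", "All Locations#EMEA"),
    ("Network-Admin-APAC", "All Locations#APAC"),
    ("Network-Admin-China", "All Locations#APAC#China"),  # country-level admin
]


def authorize(ad_groups, device_location: str):
    """Return the name of the first matching rule's AD group (full access),
    or None when no rule matches (implicit deny, as in an ISE policy set)."""
    groups = set(ad_groups)
    for group, scope in RULES:
        if group not in groups:
            continue
        if scope is None or location_within(device_location, scope):
            return group
    return None


if __name__ == "__main__":
    # Constructed sample: an admin in both EMEA and APAC groups, as the
    # answer suggests for someone who works on equipment in both regions.
    dual = ["Network-Admin-EMEA", "Network-Admin-APAC"]
    for loc in ("All Locations#EMEA#France", "All Locations#APAC#China",
                "All Locations#NA#Wisconsin"):
        print(f"{loc:28} -> {authorize(dual, loc) or 'DENY'}")
```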


2 Replies


Thanks a lot, Paul! ... The missing piece is "Rule" :=)

Regards