
How to segregate device admin access to a device group on ISE

Miguel Mejia
Level 1


I'm trying to see if it's possible to have ISE use its RBAC feature to allow a specific group of people to administer devices that are part of one device group without allowing them to see anything else. I've been doing some testing and even though the Data Permission for the Admin group only allows full rights to one device group, the user is still able to see and modify all devices.

Is there any way to limit this?



Accepted Solutions

You may use RBAC based on custom network device groups, but not the default ones. See CSCvb55884.


Cisco Employee

You need to tweak menu access. I am not sure if you are referring to Network Device Groups, which are a logical way to categorize devices etc. in policy sets. This is different than RBAC.

Here are a few things to think about from RBAC.

1. First try and determine the roles of these administrators to get an idea what they need access to.

2. Map these roles to already existing groups in ISE or create a new one.

3. Use a combination of menu and data access to prevent access to UI and configuration.


Thanks for the quick reply.

Yep, I have the AD group assigned to the users in question and the menu access, etc. You are correct, I'm referring to the Network Device groups. Essentially, what I'd like to do is the following:

1. Tim is an admin of the switches in Site 1

2. In ISE I, as the Super Admin of the entire TACACS environment, create the policies to allow Tim to log into his switches and place them into a Network Device Group that he can access. I also give him access based on his AD group to log into ISE and administer the devices within that Network Device Group.

3. Tim logs into ISE and all he sees under Network Devices are the devices which are part of the Network Device Group that I allow him to see via ISE RBAC.

Is this possible?

Under the Data Permissions I can see that I limit it to a specific Network Device Group, but the user is still able to see and edit all Network Devices that exist, not only the ones that are part of the specific Network Device Group.

You may use RBAC based on custom network device groups, but not the default ones. See CSCvb55884.

Hi Everyone

I have a design question regarding RBAC (trying to avoid CSCvb55884, related to the default Network Device Groups):
Does anyone use a design that actually works and which fulfils the following needs:
1. Having ca. 20 sites with local admins, which should be able to add, change, delete "their" local-site NADs in ISE
2. The site admins should not have access to view NAD configuration from other sites
3. There are global technology administrator groups which should be able to manage only specific device types which are located centrally and locally on different sites within ISE
(like central and decentral firewalls, switching/routing, proxy and so on)

In short: the ISE RBAC requirements for the data access are:
- ISE Admin-Group Access: Condition: if NAD-Location AND NAD-Type = then Permit access

The testing I've been doing until now has shown an ISE RBAC logic as follows:
- ISE Admin-Group Access: Condition: if NAD-Location OR NAD-Type = then Permit access
(and this does not provide restricted enough access, and when designing one "Network device Tree" with both "conditions" within that tree, it does not scale: I get hundreds/thousands of groups reflecting each location with all the different device types within it)

Does anyone else know how to solve this limitation?
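
A small model of the two evaluation logics contrasted in the post above, as an added example that is not part of the original thread and is not Cisco code: it compares what an admin group would see under the OR behaviour the poster reports against the intended AND, and lists the leaf groups a single combined tree would need. The inventory, admin group names and function names are constructed for illustration.

```python
from itertools import product

# Constructed inventory: (device name, Location NDG, Device Type NDG)
DEVICES = [
    ("sw-site1-01", "Site1", "Switch"),
    ("fw-site1-01", "Site1", "Firewall"),
    ("sw-site2-01", "Site2", "Switch"),
    ("fw-site2-01", "Site2", "Firewall"),
    ("fw-central-01", "Central", "Firewall"),
    ("px-central-01", "Central", "Proxy"),
]

# Hypothetical admin groups and the NDGs each is granted full access to
GRANTS = {
    "Site1-SwitchAdmins": {"locations": {"Site1"}, "types": {"Switch"}},
    "Global-FirewallAdmins": {
        "locations": {"Site1", "Site2", "Central"},
        "types": {"Firewall"},
    },
}

def visible(grant, mode):
    """Devices an admin group can reach when the two NDG trees are
    combined with AND (intended) or OR (behaviour reported in the post)."""
    combine = all if mode == "AND" else any
    return {
        name for name, loc, typ in DEVICES
        if combine((loc in grant["locations"], typ in grant["types"]))
    }

def overexposed(grant):
    """Devices reachable under OR that the AND requirement would deny."""
    return visible(grant, "OR") - visible(grant, "AND")

def combined_tree_leaves(sites, types):
    """Leaf groups needed if location and type are folded into one tree."""
    return [f"{s}#{t}" for s, t in product(sites, types)]

if __name__ == "__main__":
    for group, grant in GRANTS.items():
        print(group, "over-exposed:", sorted(overexposed(grant)))
    sites = [f"Site{i}" for i in range(1, 21)]   # ca. 20 sites, as in the post
    types = ["Switch", "Router", "Firewall", "Proxy"]  # constructed type list
    print("leaf groups in one combined tree:",
          len(combined_tree_leaves(sites, types)))
```

Run against a real export of devices with their Location and Device Type groups, the `overexposed` set is the list to review for each admin group.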

Hi jsteffensen,

We're facing the exact same problem you described. Our deployment is growing and we have multiple levels of authorization.

Do you have a solution for this yet?


Changing the Network device groups to one new non-default NDG is no option as our policy sets would need a lot of changes.


If you set full access for the locations only, the local admins can only see them but can't edit the device type which might be necessary.

Please let me know if you have any news about this topic as it's some months old.