I'm trying to see if it's possible to have ISE use its RBAC feature to allow a specific group of people to administer devices that are part of one device group without allowing them to see anything else. I've been doing some testing, and even though the Data Permission for the Admin group only allows full rights to one device group, the user is still able to see and modify all devices.
Is there any way to limit this?
You need to tweak menu access. I am not sure if you are referring to Network Device Groups, which are a logical way to categorize devices, etc., in policy sets. This is different from RBAC.
Here are a few things to think about from RBAC.
1. First, try to determine the roles of these administrators to get an idea of what they need access to.
2. Map these roles to already existing groups in ISE or create a new one.
3. Use a combination of menu and data access to prevent access to the UI and configuration.
Thanks for the quick reply.
Yep, I have the AD group assigned to the users in question and the menu access, etc. You are correct, I'm referring to the Network Device groups. Essentially, what I'd like to do is the following:
1. Tim is an admin of the switches in Site 1
2. In ISE I, as the Super Admin of the entire TACACS environment, create the policies to allow Tim to log into his switches and place them into a Network Device Group that he can access. I also give him access based on his AD group to log into ISE and administer the devices within that Network Device Group.
3. Tim logs into ISE, and all he sees under Network Devices are the devices which are part of the Network Device Group that I allow him to see via ISE RBAC.
Is this possible?
Under the Data Permissions I can see that I limit it to a specific Network Device Group, but the user is still able to see and edit all Network Devices that exist, not only the ones that are part of that specific Network Device Group.
I have a design question regarding RBAC (trying to avoid CSCvb55884, related to the default Network Device Groups):
Does anyone use a design that actually works and fulfils the following needs:
1. Having ca. 20 sites with local admins, who should be able to add, change and delete "their" local-site NADs in ISE
2. The site admins should not have access to view the NAD configuration of other sites
3. There are global technology administrator groups which should be able to manage only specific device types, located centrally and locally on different sites, within ISE
(like central and decentralized firewalls, switching/routing, proxies and so on)
In short, the ISE RBAC requirements for data access are:
- ISE Admin-Group Access: Condition: if NAD-Location AND NAD-Type = then Permit access
The testing I've been doing so far has shown the ISE RBAC logic to be as follows:
- ISE Admin-Group Access: Condition: if NAD-Location OR NAD-Type = then Permit access
(This does not provide sufficiently restricted access, and when designing one "Network Device Tree" with both "conditions" within that tree, it does not scale: I get hundreds or thousands of groups reflecting each location with all the different device types within it.)
Does anyone else know how to solve this limitation?
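A small model of the two data-access semantics compared in the post above, added here as an illustration; it is not ISE's own logic. It assumes, as the poster observed, that a data permission scoped to a location group and a device-type group grants access when the NAD matches either group (OR), and it uses a constructed five-device inventory to show what that over-exposes and how many leaf groups a combined location-by-type tree would need.

```python
# Added model of ISE RBAC data-access behaviour as reported in this thread.
# Assumption: observed semantics are "location OR type"; desired are "AND".

# Constructed sample NAD inventory: (name, location group, device-type group)
NADS = [
    ("sw-site1-01", "Site1", "Switch"),
    ("fw-site1-01", "Site1", "Firewall"),
    ("sw-site2-01", "Site2", "Switch"),
    ("fw-central-01", "Central", "Firewall"),
    ("proxy-central-01", "Central", "Proxy"),
]


def visible_nads(nads, location, dev_type, combine):
    """NAD names an admin sees under a data permission scoped to one
    location group and one device-type group.
    combine="or" models the behaviour the poster observed;
    combine="and" models the access the poster actually wants."""
    if combine not in ("or", "and"):
        raise ValueError("combine must be 'or' or 'and'")
    op = any if combine == "or" else all
    return sorted(
        name for name, loc, typ in nads
        if op((loc == location, typ == dev_type))
    )


def over_exposed(nads, location, dev_type):
    """NADs the OR semantics reveal beyond the intended location-AND-type scope."""
    wanted = set(visible_nads(nads, location, dev_type, "and"))
    actual = set(visible_nads(nads, location, dev_type, "or"))
    return sorted(actual - wanted)


def required_combined_groups(nads):
    """Leaf groups needed if one NDG tree must encode every location x type
    pair so that a single group can express the AND condition."""
    locations = {loc for _, loc, _ in nads}
    types = {typ for _, _, typ in nads}
    return len(locations) * len(types)


if __name__ == "__main__":
    print("Site1 switch admin sees (AND):", visible_nads(NADS, "Site1", "Switch", "and"))
    print("Site1 switch admin sees (OR): ", visible_nads(NADS, "Site1", "Switch", "or"))
    print("over-exposed:", over_exposed(NADS, "Site1", "Switch"))
    print("combined-tree leaf groups:", required_combined_groups(NADS))
```

With the poster's roughly 20 sites, `required_combined_groups` grows as 20 times the number of device types, which is the group explosion the post describes.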