ISE 2.4: Alarms can only be ack'd with Super Admin or System Admin

Nadav
Level 7

Hi everyone,

 

While creating custom menus for custom admin groups, I came across an issue where my groups don't have permissions to acknowledge any alarms even if my custom admin group has almost the exact same menu permissions as Super Admin, with full access for Data Access. 

 

I've confirmed this issue is replicated whether using an external user or an internal user.

 

1) Must a user be assigned to either Super Admin or System Admin to acknowledge any alarm?

2) Is there an open bug for this issue?

 

Thanks!

1 Accepted Solution

hslai
Cisco Employee

I just tried the current ISE 2.5 beta build (2.5.0.353) and was able to ack the alarms as an M&T admin. Other than that, Surendra is correct -- no data access restriction on alarms.

7 Replies

Surendra
Cisco Employee

Data Access permission is still limited to a few data sets. It is not implemented for the entirety of ISE yet. This is expected behavior as far as I know, but it would qualify as an enhancement request though. @Jason Kunst, let me know your thoughts on this one.

hslai
Cisco Employee

I just tried the current ISE 2.5 beta build (2.5.0.353) and was able to ack the alarms as an M&T admin. Other than that, Surendra is correct -- no data access restriction on alarms.

Are you able to do so with a custom admin group with custom menu access?

So I need to open an enhancement request.

Thanks for confirming!

Nidhi
Cisco Employee

Updating the thread here.

After discussion with engineering, alarm acknowledgement is allowed only for the following permission/group:

 

  • When a user belongs to Super Admin/System Admin/MnT Admin group.
  • When a user belongs to any custom group with "Super Admin Data Access & Super Admin Menu Access" permission
  • When a user belongs to any custom group with "System Admin Data Access & System Admin Menu Access" permission

 

In all other cases, the acknowledgement action is not permitted. So even when we duplicate the system defined permission/group, the alarm acknowledgement is restricted for the user.

This is due to static checks in the code and hence by design.

 

Thanks for the update,

 

That does seem like an oversight, since it would be expected that certain staff with external credentials can be assigned custom roles and yet be able to acknowledge any alarm. This is the only function I've seen which can't be mandated with custom roles.