Solved: Re: ISE 2.4: Alarms can only be ack'd with Super Admin or System Admin

Nadav · ‎12-03-2018

Hi everyone,

While creating custom menus for custom admin groups, I came across an issue where my groups don't have permissions to acknowledge any alarms even if my custom admin group has almost the exact same menu permissions as Super Admin, with full access for Data Access.

I've confirmed this issue is replicated whether using an external user or an internal user.

1) Must a user be assigned to either Super Admin or System Admin to acknowledge any alarm?

2) Is there an open bug for this issue?

Thanks!

hslai · ‎12-04-2018

I just tried the current ISE 2.5 beta build (2.5.0.353) and able to ack the alarms as an M&T admin. Other than that, Surendra is correct -- No data access restriction on alarms.

View solution in original post

Surendra · ‎12-03-2018

Data Access permission is still limited to few data sets. It is not implemented for the entirety of the ISE yet. This is an expected behavior as far as i know but would qualify as an enhancement request though. @Jason Kunst let me know your thoughts on this one.

hslai · ‎12-04-2018

I just tried the current ISE 2.5 beta build (2.5.0.353) and able to ack the alarms as an M&T admin. Other than that, Surendra is correct -- No data access restriction on alarms.

Nadav · ‎12-04-2018

Are you able to do so with a custom admin group with custom menu access?

Nadav · ‎12-04-2018

So I need to open an enhancement request.

Thanks for confirming!

Nidhi · ‎12-18-2018

Updating the thread here-

after discussion with engineering,

Alarm acknowledgement is allowed only for the following permission/group.

When a user belongs to Super Admin/System Admin/MnT Admin group.
When a user belongs to any custom group with "Super Admin Data Access & Super Admin Menu Access" permission
When a user belongs to any custom group with "System Admin Data Access & System Admin Menu Access" permission

In all other cases, the acknowledgement action is not permitted. So even when we duplicate the system defined permission/group, the alarm acknowledgement is restricted for the user.

This is due to static checks in the code and hence by design.

Nidhi · ‎12-18-2018

Updating the thread here-

after discussion with engineering,

Alarm acknowledgement is allowed only for the following permission/group.

When a user belongs to Super Admin/System Admin/MnT Admin group.
When a user belongs to any custom group with "Super Admin Data Access & Super Admin Menu Access" permission
When a user belongs to any custom group with "System Admin Data Access & System Admin Menu Access" permission

In all other cases, the acknowledgement action is not permitted. So even when we duplicate the system defined permission/group, the alarm acknowledgement is restricted for the user.

This is due to static checks in the code and hence by design.

Nadav · ‎12-18-2018

Thanks for the update,

That does seem like an oversight, since it would be expected that certain staff with external credentials can be assigned custom roles and yet be able to acknowledge any alarm. This is the only function I've seen which can't be mandated with custom roles.