ISE 2.4 Creating Read-Only Admin Account.

svalchev
Cisco Employee

Hello everyone,

I am new to ISE and, after going through some of the documentation, I am having problems getting this specific setup to work. The version of ISE is 2.4 and it doesn't have any cumulative patches installed.

 

The context for the situation is that a customer needs to have an administrator account that has read/view access to all fields/menus within ISE but can only have the same write permissions as the default Identity administrator user profile.

The initial approach was just to create a new administrator group for that user and to assign an RBAC policy with Super Admin Menu Access and Identity Admin Data Access, as shown in the pictures below (I understand Identity Admin Data Access would limit some of the information that can be read, but that's beside the point).

[Image: Admin Group]

[Image: RBAC Policy]

 

The problem is that with this RBAC policy, tester 1 is obtaining write permissions to sections that the identity admin doesn't have access to, and that defeats the original purpose (having an admin that can see everything but only edit sections that the identity admin can).

For example, by using this RBAC policy tester 1 has the capacity to change Adaptive Network Control and can also access the Policy section and perform changes inside the section.

Meanwhile, the Identity admin doesn't have access to this.

If I do a side-by-side comparison of both the menu and data access permissions, I can see that there are fewer data access permissions and that those are very specific, which leads me to believe that the menu and data permissions do not match on a 1-by-1 basis.

From all of this I'm concluding that showing some menus leads to admins not only viewing but also inheriting write permissions to that menu (if the menu is modifiable, like the Policy section and Adaptive Network Control).

Is this expected behaviour?

 

And also if this is expected behaviour, is there some way of accomplishing the aforementioned task (for example, the admin can see the ANC section but not modify anything)?

One of the suggestions that I was given was just setting up an Identity admin and using the Operations/Reports functionality. While this is an alternative that increases transparency, it doesn't really solve the problem. I believe there is also already a managed service in place to deal with logging.

 

Any help would be greatly appreciated.

Accepted Solution

hslai
Cisco Employee

What you described is not yet supported. See CSCvm01451 ENH: Read-Only Access to Policy Set's while having Read-Write to other sections

Instead, create a separate read-only user account, with the built-in "Read Only Admin" Group, which has "Read Only Admin Policy". The menu access is the only customizable item.
