08-21-2019 06:05 AM
Hello everyone,
I am new to ISE and after going through some of the documentation I am having problems getting this specific setup to work. The version of ISE is 2.4 and it doesn't have any cumulative patches installed.
The context for the situation is that a customer needs to have an administrator account that has read/view access to all fields/menus within ISE but can only have the same write permissions as the default Identity administrator user profile.
The initial approach was just to create a new administrator group for that user and to assign an RBAC policy with Super Admin Menu Access and Identity Admin Data Access as shown in the pictures below (I understand Identity Admin Data Access would limit some of the information that can be read but that's beside the point).
Admin Group
RBAC Policy
The problem is that with this RBAC policy, tester 1 is obtaining write permissions to sections that the identity admin doesn't have access to, and that defeats the original purpose (having an admin that can see everything but only edit the sections that the identity admin can).
For example by using this RBAC policy tester 1 has the capacity to change adaptive network control and also can access the Policy section and perform changes inside the section:
Meanwhile the Identity admin doesn't have access to this:
If I do a side by side comparison of both the menu and data access permissions I can see that there are less data access permissions and that those are very specific which leads me to believe that the menu and data permissions do not match on a 1 by 1 basis.
From all of this I'm concluding that showing some menus leads to admins not only viewing but also inheriting write permissions to that menu (if the menu is modifiable, like the Policy section and Adaptive Network Control).
Is this expected behaviour?
And also if this is expected behaviour, is there some way of accomplishing the aforementioned task (for example, the admin can see the ANC section but not modify anything)?
One of the suggestions that I was given was just setting up an Identity admin and using the Operations/Reports functionality. While this is an alternative that increases transparency, it doesn't really solve the problem. I believe there is also already a managed service in place to deal with logging.
Any help would be greatly appreciated.
09-03-2019 11:05 AM
What you described is not yet supported. See CSCvm01451 ENH: Read-Only Access to Policy Set's while having Read-Write to other sections
Instead, create a separate read-only user account, with the built-in "Read Only Admin" Group, which has "Read Only Admin Policy". The menu access is the only customizable item.