
ISE and root access for TAC only - this is not ideal

Arne Bier
VIP

I like ADE-OS for its simplicity in configuring the basics - I think it should remain as a configuration shim layer for 99% of CLI access.

I can understand why Cisco would remove the ability to access the Linux OS, but it would only apply to those few bad apples out there who have gone and done things that they should not have (e.g. deleted some files 'by accident') and now the rest of us ISE users have to operate in this hamstrung environment.

But I would welcome a change in thinking around the root user access. I don't know what the BU's exact thinking is around this, but if its concern is the level of user trustworthiness at the Linux shell, then I would beg to differ. There have been instances where I could have saved a lot of time if I had root access - because Linux is not a mystery to anyone these days.

Cisco has other products where ADE-OS is used, but root is granted unconditionally (because it's useful in many cases).  e.g. Cisco Prime, Cisco Access Registrar, etc.

Why is ISE special in this regard? It can't be because it's a 'security' appliance. I have seen other AAA server products that allow shell access.

root access should come as standard and with a large cautionary disclaimer. If not root access, then at least a non-root user who can sudo to root if required, thus protecting oneself from oneself. I never log into a unix system as root - that's best practice.

I would argue that since the product is far from perfect (bugs galore), there is a greater probability of the system failing due to its inherent bugs than the probability of a dumb user doing the wrong thing.

So why don't we get to look under the covers?

1 Accepted Solution

Accepted Solutions

ldanny
Cisco Employee

This forum is for knowledge gap based queries.

I suggest you bring this type of request to your account manager or your Cisco representative.


3 Replies

gbekmezi-DD
Level 5

Fire even firepower to grants root access.

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.

@George: No idea what that is supposed to mean
