ISE ERS user access to a few groups?

Gustavo Novais
Level 1

Hi,

I'm trying to create a simple operational interface for ISE 1.4 for helpdesk people to add endpoint MAC addresses to the internal endpoint DB via REST.

I'd like to have the helpdesk access filtered (so that they can only create endpoints in a given group, not all groups), but it looks like the RBAC control in ISE for ERS users is either all or nothing.

I've created a custom Data Access Menu Permission set and defined that users in a group ERS Helpdesk would have access to it. On the RBAC Policy I cannot specify only a Data Access permission; the system always makes me choose a Menu Access permission as the first option.

If I then specify data access only to endpoint group X, from an ERS custom Data Access group, the ERS user is refused access to the DB.

Only when I put the user in the default ERS Admin group, with the default Super Admin Data Access, is he able to get access to the DB.

I'd like to ask if any of you has managed to control the data set that is exposed to ERS beyond just all access or read access, and if yes, how.

Thanks

Gustavo Novais

PS: the debug logs from ERS:

2015-09-19 09:38:47,172 DEBUG  [ers-http-pool732][] cpm.ers.app.web.PAPFilter -:::::- #### PAPFilter.doFilter --> getPathInfo=/endpointgroup
2015-09-19 09:38:47,172 DEBUG  [ers-http-pool732][] cpm.ers.app.web.PAPFilter -:::::- #### PAPFilter.doFilter --> getMethod=GET
2015-09-19 09:38:47,172 DEBUG  [ers-http-pool732][] cpm.ers.app.web.PAPFilter -:::::- #### PAPFilter.doFilter --> getRequestURL=https://10.1.156.136:9060/ers/config/endpointgroup
2015-09-19 09:38:47,172 DEBUG  [ers-http-pool732][] cpm.ers.app.web.PAPFilter -:::::- #### PAPFilter.doFilter --> getRemoteHost=10.2.10.63
2015-09-19 09:38:47,174 DEBUG  [ers-http-pool732][] cpm.ers.app.web.PAPFilter -:::::- #### PAPFilter.doFilter --> passing the filter!
2015-09-19 09:38:47,174 DEBUG  [ers-http-pool732][] cpm.ers.app.web.AtnAtzFilter -:::::- #### AtnAtzFilter.doFilter --> getPathInfo=/endpointgroup
2015-09-19 09:38:47,174 DEBUG  [ers-http-pool732][] cpm.ers.app.web.AtnAtzFilter -:::::- #### AtnAtzFilter.doFilter --> getMethod=GET
2015-09-19 09:38:47,174 DEBUG  [ers-http-pool732][] cpm.ers.app.web.AtnAtzFilter -:::::- #### AtnAtzFilter.doFilter --> getRequestURL=https://10.1.156.136:9060/ers/config/endpointgroup
2015-09-19 09:38:47,174 DEBUG  [ers-http-pool732][] cpm.ers.app.web.AtnAtzFilter -:::::- #### AtnAtzFilter.doFilter --> getRemoteHost=10.2.10.63
2015-09-19 09:38:47,174 DEBUG  [ers-http-pool732][] cpm.ers.app.web.AtnAtzFilter -:::::- #### AtnAtzFilter : adminName = ers
2015-09-19 09:38:47,174 INFO   [ers-http-pool732][] cpm.ers.app.web.AtnAtzFilter -:::::- 401Blocked by AtnAtzFilter: user is not allowed to access the requested resource.
2015-09-19 09:38:47,175 DEBUG  [ers-http-pool732][] cpm.ers.app.web.MaxThreadsLimiterFilter -:::::-  ## RateLimitFilter Servlet => Continue with the ERS Response, The current bucket count is: 49
2015-09-19 09:39:15,992 INFO   [admin-http-pool279][] api.services.server.role.RoleImpl -:admin:455184AE2B954C78C9EAD7AAECD913F8:::- Fetched List of Roles Information for entityFQN: NAC Group:NAC
2015-09-19 09:39:20,328 INFO   [admin-http-pool295][] api.services.persistance.dao.UserDAO -:admin:455184AE2B954C78C9EAD7AAECD913F8:::- Updated User Information for UserName: NAC Group:NAC:ers
2015-09-19 09:39:20,330 INFO   [admin-http-pool295][] api.services.persistance.dao.MappingDAO -:admin:455184AE2B954C78C9EAD7AAECD913F8:::- Creating new mapping with user 'NAC Group:NAC:ers' role 'NAC Group:NAC:RBACGroups:ERS Admin' rolebundle 'Global:Default' context 'Global Context:Global Context'
2015-09-19 09:39:20,333 INFO   [admin-http-pool295][] api.services.server.mapping.MappingImpl -:admin:455184AE2B954C78C9EAD7AAECD913F8:::- Deleting of users from role with name 'NAC Group:NAC:RBACGroups:ERS Filters' under contextFQN 'Global Context:Global Context',role bundle Global:Default' with transactional 'false' is done
2015-09-19 09:39:34,682 INFO   [ers-http-pool732][] cisco.cpm.nsf.impl.UserIdentityManagement -:::::- In internal authentication method to check whether the policies are matched to the logged in user groups time taken is 7
2015-09-19 09:39:34,691 DEBUG  [ers-http-pool732][] cpm.ers.app.web.MaxThreadsLimiterFilter -:::::- #### MaxThreadsFilter.doFilter --> getPathInfo=/endpointgroup
2015-09-19 09:39:34,691 DEBUG  [ers-http-pool732][] cpm.ers.app.web.MaxThreadsLimiterFilter -:::::- #### MaxThreadsFilter.doFilter --> getMethod=GET
2015-09-19 09:39:34,691 DEBUG  [ers-http-pool732][] cpm.ers.app.web.MaxThreadsLimiterFilter -:::::- #### MaxThreadsFilter.doFilter --> getRequestURL=https://10.1.156.136:9060/ers/config/endpointgroup
2015-09-19 09:39:34,691 DEBUG  [ers-http-pool732][] cpm.ers.app.web.MaxThreadsLimiterFilter -:::::- #### MaxThreadsFilter.doFilter --> getRemoteHost=10.2.10.63
2015-09-19 09:39:34,691 DEBUG  [ers-http-pool732][] cpm.ers.app.web.MaxThreadsLimiterFilter -:::::-  ## RateLimitFilter Servlet => Continue with the ERS Request, The current bucket count is: 49
2015-09-19 09:39:34,691 DEBUG  [ers-http-pool732][] cpm.ers.app.web.PAPFilter -:::::- #### PAPFilter.doFilter --> getPathInfo=/endpointgroup
2015-09-19 09:39:34,691 DEBUG  [ers-http-pool732][] cpm.ers.app.web.PAPFilter -:::::- #### PAPFilter.doFilter --> getMethod=GET
2015-09-19 09:39:34,691 DEBUG  [ers-http-pool732][] cpm.ers.app.web.PAPFilter -:::::- #### PAPFilter.doFilter --> getRequestURL=https://10.1.156.136:9060/ers/config/endpointgroup
2015-09-19 09:39:34,691 DEBUG  [ers-http-pool732][] cpm.ers.app.web.PAPFilter -:::::- #### PAPFilter.doFilter --> getRemoteHost=10.2.10.63
2015-09-19 09:39:34,693 DEBUG  [ers-http-pool732][] cpm.ers.app.web.PAPFilter -:::::- #### PAPFilter.doFilter --> passing the filter!
2015-09-19 09:39:34,693 DEBUG  [ers-http-pool732][] cpm.ers.app.web.AtnAtzFilter -:::::- #### AtnAtzFilter.doFilter --> getPathInfo=/endpointgroup
2015-09-19 09:39:34,693 DEBUG  [ers-http-pool732][] cpm.ers.app.web.AtnAtzFilter -:::::- #### AtnAtzFilter.doFilter --> getMethod=GET
2015-09-19 09:39:34,693 DEBUG  [ers-http-pool732][] cpm.ers.app.web.AtnAtzFilter -:::::- #### AtnAtzFilter.doFilter --> getRequestURL=https://10.1.156.136:9060/ers/config/endpointgroup
2015-09-19 09:39:34,693 DEBUG  [ers-http-pool732][] cpm.ers.app.web.AtnAtzFilter -:::::- #### AtnAtzFilter.doFilter --> getRemoteHost=10.2.10.63
2015-09-19 09:39:34,693 DEBUG  [ers-http-pool732][] cpm.ers.app.web.AtnAtzFilter -:::::- #### AtnAtzFilter : adminName = ers
2015-09-19 09:39:34,693 DEBUG  [ers-http-pool732][] cpm.ers.app.web.AtnAtzFilter -:::::- #### AtnAtzFilter : adminName = ers  is ERS Admin


2 Replies

jan.nielsen
Level 7
Accepted Solution

There don't seem to be a lot of options when it comes to controlling ERS API resource access; I ended up doing my own local mapping in my web application of AD groups vs. endpoint-group access.
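The approach this answer describes, as an added example that is not part of the original thread and not ISE's own code: the web application (not ISE RBAC) holds the mapping from helpdesk AD groups to the endpoint groups they may write to, validates the MAC, checks every request against that mapping, and only then calls ERS with the single ERS Admin service account. Because that account has full data access (the thread's complaint), this check in the front end is the real control, and the ERS credential must never reach helpdesk users. The AD group names, endpoint-group IDs, host, credentials and MACs below are constructed placeholders; the `ERSEndPoint` body follows the ERS endpoint resource as I know it (confirm the field names against your ISE version's ERS SDK page before relying on them), and the HTTP call is only made when `dry_run=False`.

```python
import base64
import json
import re
import ssl
import urllib.request

# Constructed sample policy, kept in the web application rather than in ISE RBAC:
# helpdesk AD group -> endpoint-group IDs (hypothetical IDs) it may create endpoints in.
AD_GROUP_TO_ENDPOINT_GROUPS = {
    "HELPDESK-SITE-A": {"grp-site-a-printers", "grp-site-a-iot"},
    "HELPDESK-SITE-B": {"grp-site-b-printers"},
}


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff
    and return AA:BB:CC:DD:EE:FF. Anything else is rejected, so helpdesk input
    cannot push malformed entries into the endpoint DB."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    hexdigits = hexdigits.upper()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def allowed_endpoint_groups(user_ad_groups) -> set:
    """Union of the endpoint groups the user's AD groups are allowed to write to."""
    allowed = set()
    for group in user_ad_groups:
        allowed |= AD_GROUP_TO_ENDPOINT_GROUPS.get(group, set())
    return allowed


def authorize(user_ad_groups, target_group_id: str) -> bool:
    """Deny by default: the target group must be explicitly mapped for the user."""
    return target_group_id in allowed_endpoint_groups(user_ad_groups)


def build_endpoint_payload(mac: str, group_id: str, description: str = "") -> dict:
    """ERS EndPoint resource body with a static assignment to the chosen group."""
    return {
        "ERSEndPoint": {
            "name": mac,
            "description": description,
            "mac": mac,
            "groupId": group_id,
            "staticGroupAssignment": True,
        }
    }


def create_endpoint(ise_host, ers_user, ers_password, user_ad_groups, mac, group_id,
                    description="", dry_run=True, verify_tls=True):
    """Authorize in the web app, then call ERS with the service account.
    Returns the request that was (or, with dry_run, would be) sent; raises
    PermissionError when the user's AD groups do not map to group_id."""
    mac = normalize_mac(mac)
    if not authorize(user_ad_groups, group_id):
        # Log this in the web app: ISE only ever sees the service account, not the helpdesk user.
        raise PermissionError(
            f"groups {sorted(user_ad_groups)} may not create endpoints in {group_id}")
    payload = build_endpoint_payload(mac, group_id, description)
    url = f"https://{ise_host}:9060/ers/config/endpoint"
    if dry_run:
        return {"url": url, "method": "POST", "body": payload}
    token = base64.b64encode(f"{ers_user}:{ers_password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab use only; keep certificate validation on in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        # ERS answers 201 Created with the new resource URL in the Location header.
        return {"url": url, "method": "POST", "body": payload,
                "status": resp.status, "location": resp.headers.get("Location")}
```

The helpdesk user never authenticates to ISE at all; the web application authenticates them (against AD, for example), resolves their groups, and applies `authorize` before anything touches ERS. Keep the ERS credential in server-side configuration and record every allow and deny decision in the application's own audit log, since ISE's log will attribute all writes to the `ers` account.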

Hi Jan,

I understand what you mean... It's just strange that you have to basically provide user accounts that have Super Admin data access privileges to something as basic as creating an endpoint in the DB.

Thanks for your comment.

Gustavo
