ISE RBAC for Policy Set so team can view but not edit

Scott Fella
Hall of Fame

I'm running ISE 3.0 and an older version, ISE 2.2, with which I have run into some RBAC issues. On ISE 3.0, is it possible to provide menu access to view the policy sets but not make any changes? I tried a few different ways, but it seems to either allow changes or I see permission denied.

Thanks,

-Scott

*** Please rate helpful posts ***
6 Replies

hslai
Cisco Employee

You need a separate user login as a "read-only" admin user, which was introduced in ISE 2.6.

hslai,

Any way to allow access to some things like endpoints/endpoint groups but read-only for everything else? If not, I might just have to create a separate user for them to modify their endpoints and groups.

-Scott
*** Please rate helpful posts ***

Unfortunately, that is not currently supported.

thomas
Cisco Employee

These are your ISE Admin Group options:

  • Customization Admin: Access permission to Guest Menu and Device Portal Management.
  • ERS Admin: Full access permission to External RESTful Services (ERS) APIs. Admins assigned to this admin group can perform CRUD (POST, PUT, DELETE, and GET) operations.
  • ERS Operator: Read-only access permission to the External RESTful Services (ERS) APIs. Admins assigned to this admin group can only perform GET operations.
  • Elevated System Admin: Access permission for Operations tab. Includes System and data access permission for Admin Groups and Admin Users except Super Admin group and users.
  • Helpdesk Admin: Access permission for Operations tab.
  • Identity Admin: Access permission for Operations tab. Includes Identity Management and data access permission for User Identity Groups and Endpoint Identity Groups.
  • MnT Admin: Access permission for Operations tab.
  • Network Device Admin: Access permission for Operations tab. Includes Network Resources and data access permission for All Locations and All Device Types.
  • Policy Admin: Access permission for Operations and Policy tabs. Includes System and Identity Management and data access permission for User Identity Groups and Endpoint Identity Groups.
  • RBAC Admin: Access permission for Operations tab. Includes System and data access permission for Admin Groups.
  • Read Only Admin: Access permission for admin with read-only functionality.
  • SPOG Admin: This is the group for SPOG Admin to use the APIs for export and import.
  • Super Admin: Access permission for Operations, Policy and Administration tabs. Includes data access permission for Admin Groups, User Identity Groups, Endpoint Identity Groups, All Locations and All Device Types.
  • System Admin: Access permission for Operations tab. Includes System and data access permission for Admin Groups.


You may also create your own using the ISE RBAC Policy in ISE 2.6+:

Create Role Based Access Control policies by configuring rules based on Admin groups, Menu Access permissions (menu items), Data Access permissions (identity group data elements) and other conditions. Note that multiple Menu/Data Access permissions are not allowed on a single policy. You can copy the default policies shown below, then modify them as needed. Note that system-created and default policies cannot be updated, and default policies cannot be deleted. For decision making, all applicable policies will be evaluated. The subject's permissions will be the aggregate of all permissions from each applicable policy. Permit overrides Deny. (The policies are displayed in alphabetical order of the policy name.)
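
As an added illustration (not part of the original thread and not ISE's own code), here is a small Python model of the evaluation rule quoted above: every policy whose admin group the subject holds applies, the subject's permissions are the union across those policies, and Permit overrides Deny. The group, menu and data names are constructed placeholders, and the `excess_access` audit helper is hypothetical.

```python
# Toy model of the RBAC evaluation semantics quoted in the post (constructed, not ISE code).
from dataclasses import dataclass


@dataclass(frozen=True)
class RbacPolicy:
    name: str
    admin_group: str
    menu_access: frozenset  # menu items the policy makes visible, e.g. "Policy/Policy Sets"
    data_access: frozenset  # data elements the policy grants, e.g. "Endpoint Identity Groups"


def effective_permissions(subject_groups, policies):
    """Aggregate menu and data permissions from every policy whose group the subject holds.

    A policy that omits an item is an implicit Deny for it, and Permit overrides Deny,
    so the result is the union of everything any applicable policy grants: adding a
    more restrictive policy never removes access granted by another one.
    """
    menus, data = set(), set()
    for policy in policies:
        if policy.admin_group in subject_groups:
            menus |= policy.menu_access
            data |= policy.data_access
    return frozenset(menus), frozenset(data)


def excess_access(subject_groups, policies, intended_menus):
    """Audit helper (hypothetical): menu items reachable beyond the intended set."""
    menus, _ = effective_permissions(subject_groups, policies)
    return menus - frozenset(intended_menus)


# Constructed sample policies; group and menu names are illustrative placeholders.
POLICIES = [
    RbacPolicy("Helpdesk Policy", "Helpdesk Admin",
               frozenset({"Operations/Live Logs", "Operations/Reports"}), frozenset()),
    RbacPolicy("Identity Policy", "Identity Admin",
               frozenset({"Operations/Live Logs", "Administration/Identity Management"}),
               frozenset({"User Identity Groups", "Endpoint Identity Groups"})),
    RbacPolicy("Policy Policy", "Policy Admin",
               frozenset({"Operations/Live Logs", "Policy/Policy Sets"}),
               frozenset({"User Identity Groups", "Endpoint Identity Groups"})),
]

if __name__ == "__main__":
    # A team member placed in both Helpdesk Admin and Policy Admin: the aggregate
    # includes Policy/Policy Sets, so a "view but do not edit" intent is exceeded.
    groups = {"Helpdesk Admin", "Policy Admin"}
    menus, data = effective_permissions(groups, POLICIES)
    print(sorted(menus), sorted(data))
    print(sorted(excess_access(groups, POLICIES, {"Operations/Live Logs", "Operations/Reports"})))
```

Because the aggregate can only grow, stacking a narrower policy on top of a broader one does not yield read-only access, which is why the thread points to the separate read-only admin login instead.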

Hello! Is it possible to create a policy for read-only access to every tab except the Operations tab? I need to give a user access to download logs and reports, but the rest of the tabs must be read-only access.

I think you need to try duplicating one of the available ones, try those options, and test using a user that belongs to the group.

I have never tried some read and some write access myself.


BB

***** Rate All Helpful Responses *****
