ISE RBAC for RO access to network resources

bgoulet00
Level 1

I'm trying to configure a role that has super admin access in every way except the ability to edit/add/delete devices. I feel like this should be simple, but I've been playing with it for a while with no success.

Menu access permissions do not appear to be granular enough to control removing the edit/add/delete buttons, so I've focused on the data access permissions. In there I don't see 'devices' specifically, but there is a section for network device groups, which I have set to RO at that parent level. Users in the role are still able to edit/add/delete devices, though.

1 Reply

bgoulet00
Level 1

After some further tinkering I realize I misunderstood the 'admin groups' section of data access privileges, and the role was inheriting stuff from other groups. After changing some groups to no access it is mostly working for a local test group/user, but not for AD groups.

Local test user -> test local group -> RBAC mapped to super admin menu access and custom restricted data access

  • Properly gets read-only access to devices
  • Read-only access to RBAC policy (I could live with this)
  • Seems to have all other rights from what I can tell

External AD group -> mapped to ISE group -> RBAC mapped to super admin menu access and custom restricted data access

  • Still has full super-admin access. I'm not sure where it is picking those privileges up from.