cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2096
Views
5
Helpful
6
Replies

ISE Sponsor Groups with different privileges

Leoni Wartung
Level 1
Level 1

Hello Community, 

 

we are operation a ISE deployment for all of our sites araund the world. At the moment we are chanign our Guest Workflow to a Sponsor based deployment. 

Originally it was planned that every user can sponsor guest accounts but the requirements chagened. 

 

Now we have the the requirement that we have to controll it on a country basis.

 

We need for every country a Admin Sponsor group which can see all Accounts which are created in that Area. And the User should only see his Accounts. 

 

When i create a new sponsor group on a country Basis everybody how is in the group can see all accounts. Is it possible to solve that problem?

 

Regards Stefan 

6 Replies 6

NiTech
Level 1
Level 1

As per my understanding all sponsor users can saw all the guest account.

Leoni Wartung
Level 1
Level 1

Yes that is possible, but i want, that the Manager of a Region can see all Guest Accounts from that Region. But the Sponsors should only see there created Accounts. 

 

Lets say, i have only one region, than its not a problem. But i have lets say 20 Regions. 

 

Regards Stefan 

Hi Leoni,

Maybe you could try to create multiple standard sponsor groups, in which each user would be able to see only his own accounts. You would achieve this by creating and configuring multiple locations, and option Sponsor Can Manage: Only accounts sponsor has created.

You would then create manager sponsor group, which would be combination of local location, and option Sponsor Can Manage: Accounts created by members of this sponsor group. Main idea is to use combination of Location and "Sponsor Can Manage" options.

I never used this combination, but logically, it might work.

BR,

Milos

Leoni Wartung, Milos has the right idea. Below is an example:

 

User Identity Groups

  • us-sponsors
  • us-managers
  • uk-sponsors
  • uk-managers
  • cn-sponsors
  • cn-managers

Network Access Users

For each region, sponsors will be in the sponsors group of that region but managers will be in both the sponsors and the managers groups of the region.

 

Sponsor Groups

  • us-sponsors : Duplicate of OWN_ACCOUNTS (default) but mapped us-sponsors as the only member
  • us-managers: Duplicate of GROUP_ACCOUNTS (default) but mapped us-managers as the only member
  • uk-sponsors : Duplicate of OWN_ACCOUNTS (default) but mapped uk-sponsors as the only member
  • uk-managers: Duplicate of GROUP_ACCOUNTS (default) but mapped uk-managers as the only member
  • cn-sponsors : Duplicate of OWN_ACCOUNTS (default) but mapped cn-sponsors as the only member
  • cn-managers: Duplicate of GROUP_ACCOUNTS (default) but mapped cn-managers as the only member

 

 

 

thomas
Cisco Employee
Cisco Employee

Create your sponsor accounts for each country and be sure to select:

 

⦿ 

Hello Thomas, 

 

yes, i know that option but than all users see the guest accounts and not only the Manager of the region. 

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: