08-18-2013 11:16 AM - edited 03-10-2019 08:47 PM
Hi All,
How can we create a Read Only account for web access of Cisco ISE nodes? I created a new username with the 'user' role but am not able to log in to the admin web page.
Thanks & Regards,
Mujeeb
08-19-2013 05:07 AM
Cisco ISE allows you to define role-based access control (RBAC) policies that allow or deny certain system-operation permissions to an administrator. These RBAC policies are defined based on the identity of individual administrators or the admin group to which they belong.
Review the following link for more info on this:
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_admin.html
08-19-2013 08:28 PM
RBAC policies determine if an administrator can be granted a specific type of access to a menu item or other identity group data elements. You can grant or deny access to a menu item or identity group data element to an administrator based on the admin group by using RBAC policies. When administrators log in to the Admin portal, they can access menus and data that are based on the policies and permissions defined for the admin groups with which they are associated.
RBAC policies map admin groups to menu access and data access permissions. For example, you can prevent a network administrator from viewing the Admin Access operations menu and the policy data elements. This can be achieved by creating a custom RBAC policy for the admin group with which the network administrator is associated.
Cisco ISE allows you to create custom menu access permissions that you can map to an RBAC policy. Depending on the role of the administrators, you can allow them to access only specific menu options.
Step 1 Choose Administration > System > Admin Access > Authorization > Permissions > Menu Access.
Step 2 Click Add, and enter values for the Name and Description fields.
Step 3 Click to expand the menu item up to the desired level, and click the menu item(s) on which you want to create permissions.
Step 4 In the Permissions for Menu Access area, click Show.
Step 5 Click Submit.
08-19-2013 11:06 PM
Hi Munir,
Thanks for your response. Above steps will satisfy the requirement if I want to hide or show some menu options for a specific admin user.
But my requirement is to provide 'Read Only Access' to all menu options, e.g. Operations, Policy, Administration, etc. That means the specific admin user can see all menu options and configurations but should not be able to modify/delete any configuration item.
So kindly guide me on how I can achieve this?
Thanks & Regards,
Mujeeb
08-20-2013 12:50 AM
Hello Mujeeb
Thanks for your response. Given below is some information regarding permission, so try this one:
Permissions are assigned to admin groups by way of a policy rule table.
Step 1: Examine these policies under Administration > System > Admin Access > Policies
Note: There are two types of permission – one based on menu access and the other based on data access
Examine and upgrade these types of permissions as per your requirement under
Administration > System > Admin Access > Permissions
01-10-2024 05:54 AM
Hello, I'm running version 3.3 and you can achieve what you requested directly in:
Step 1 Choose Administration > System > Admin Access > Administrator > Admin User
Step 2 Choose Add new Administrator
Step 3 Flag Read-Only for this user.
In this case you can have an admin without any possibility of making changes.
Thanks
 
					
				
				
			
		