Regional Admin delegation for ISE distributed Setup

bawagne
Cisco Employee

Hello,

I have a customer that intends to have a distributed deployment in several regions.

Each region will have a group of 2 PSNs.

They want to delegate admin per region.

So I want to understand down to which level we can delegate the admin rights: Policy for each region? PSN for each? Data Logs for region? NAD for each region?

I have gone through the document below, which gives details on how to give different admin rights on the PAN, but that is not really my use case, which is more a delegation based on location.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0101.html

Best Regards,

Babacar

1 Accepted Solution

Arne Bier
VIP

If you intend on having multiple PSNs spread over multiple regions, but the entire deployment managed by two PAN nodes, then I am pretty sure you cannot perform RBAC (Role Based Access Control) down to PSN level. I have only seen menu options that can be customised, and then the data access (read/write type of access) - but this applies to particular functions that span across all PSNs.

You're thinking of how Prime Infrastructure does its hierarchical access using Operations Centre, and then using Virtual-Domains etc. That concept does not apply to ISE. I would hazard a guess and say you'd need to deploy multiple PAN/MnT/PSN pairs all over the place if you want that sort of role based segregation.

Many thanks, Arne.

Babacar