04-11-2018 07:38 PM - edited 02-21-2020 10:53 AM
Hi,
I have ACS 5.8.0 and we have two AD groups:
- full_access, where all network admins are added for all the network device clients, where they can configure, reload, etc.
- monitor_access, where users like the NOC can run show commands only on all the network devices
The question is, we have a separate group, let's say the PBX team, where we have the network devices added already, but they need access via ACS ONLY to the specific PBX devices (VGs, routers, etc.) but not all network devices.
Is there any tutorial on how to allow, let's say, 5 people out of 50 network admins to log in to just 5 routers (not all the network devices)?
Thank you so much for your assistance,
04-12-2018 01:48 AM
Hi,
There are many ways you can do it. One way would be to use the existing hierarchy for your network devices (Device Type and Device Location are there by default, I think).
In your case, just edit Device Type and create a subtype like PBX.
Edit your PBX devices to have the device type set to PBX.
Create an authorization policy like:
If AD External Group = PBX_GROUP AND Network Device - Device Type = PBX then SHELL_PROFILE
Your PBX_GROUP would be allowed to connect only to those devices because it won't match your upper NOC and FULL_ACCESS groups. If they try to connect to any other non-PBX device type they'll match the default no access authorization rule.
Just as a quick note, you can create your own hierarchy of device classification. It's up to you to create any other tree and use it in authorization rules.
Regards,
Octavian
04-12-2018 06:38 AM
Thank you so much for your reply,
Let me explore that option and I will set it up mostly this weekend and I will let you know asap,
If I have questions, I will let you know,
thanks again,
04-13-2018 05:15 PM
Only problem could be that if any of them belong to another AD Group that is part of additional AUTHZ Policies then they would hit those policies instead of the one you want. AUTHZ policies are checked from top to bottom (sequentially).
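The rule ordering discussed in this thread can be checked offline before touching the ACS policy. The following Python model is an added example, not part of any post above and not ACS configuration syntax: it evaluates rules first-match, top to bottom, and lists PBX_GROUP members whose other AD groups would match a broader rule first. The result names `FULL_SHELL`, `MONITOR_SHELL` and `DENY`, the device type `Core`, and the sample users are assumptions.

```python
# Toy model of first-match authorization; not ACS configuration syntax.
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    name: str
    ad_group: str
    device_type: Optional[str]  # None means the rule applies to any device type
    result: str                 # shell profile name (assumed, except SHELL_PROFILE)

# Order follows the thread: the existing group rules sit above the PBX rule.
POLICY = [
    Rule("full", "full_access", None, "FULL_SHELL"),
    Rule("monitor", "monitor_access", None, "MONITOR_SHELL"),
    Rule("pbx", "PBX_GROUP", "PBX", "SHELL_PROFILE"),
]
DEFAULT = "DENY"  # stand-in for the default no-access authorization rule

def authorize(groups, device_type, policy=POLICY):
    """Return (rule name, result) of the first matching rule, top to bottom."""
    for rule in policy:
        if rule.ad_group in groups and rule.device_type in (None, device_type):
            return rule.name, rule.result
    return "default", DEFAULT

def overlapping_users(users, restricted_group="PBX_GROUP", policy=POLICY):
    """Users in the restricted group who also match a rule with no device-type limit."""
    broad = {r.ad_group for r in policy if r.device_type is None}
    return sorted(
        user for user, groups in users.items()
        if restricted_group in groups and broad & set(groups)
    )

# Constructed sample data: user -> AD group memberships.
USERS = {
    "alice": {"PBX_GROUP"},
    "bob": {"PBX_GROUP", "monitor_access"},
    "carol": {"full_access"},
}

if __name__ == "__main__":
    for user, groups in sorted(USERS.items()):
        for device_type in ("PBX", "Core"):
            print(user, device_type, authorize(groups, device_type))
    print("members needing review:", overlapping_users(USERS))
```

In this model "bob" is authorized on non-PBX devices through the monitor rule, which is the overlap the last reply warns about; running the same membership check against an AD export shows who needs to be removed from the broader groups.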