

728 Views, 0 Helpful, 5 Replies
Cisco Employee

Sponsor Group vs LDAP Group

Hello Team, Jason,

I have the following question on ISE 2.1 p3.

Let's say we have the LDAP group "A" with all users and LDAP group "B" with user Bob. User Bob is also a member of group A, since this group contains all users.

Sponsor Group ALL_ACCOUNTS has mapping to LDAP group B;

Sponsor Group OWN_ACCOUNTS has mapping to LDAP group A;

Sponsor Group ALL_ACCOUNTS is set to "Approve and view requests from self-registering guests" with the option "Any pending accounts" selected.

Sponsor Group OWN_ACCOUNTS is set to "Approve and view requests from self-registering guests" with option selected.

When Bob, who is a member of both groups, logs into the sponsor portal, he can see only "Only pending accounts assigned to this sponsor".

My expectation would be that since Bob is a member of both groups, fewer restrictions would be applied and he should see "Any pending accounts".

Please let me know if my expectations are right, so I will file a bug.

The issue is the same if we use local ISE groups.

Thanks!

The small icon is an indication that: "You can only limit the viewing/approving of pending accounts to the sponsor who is associated with the request if the sponsor belongs to an ISE-internal or a SAML identity provider. For AD/LDAP please choose the first option."

So it looks like it is not supported with ISE 2.1 at all. Is this correct?



Eugene Korneychuk

Accepted Solution

Cisco Employee

The general intent is that when a sponsor matches multiple groups, the sponsor should get the broadest set of permissions allowed by the matching groups.

For example, for:

Sponsor Can Manage
  Only accounts sponsor has created
  Accounts created by members of this sponsor group
  All guest accounts

If one matching group has "Only accounts sponsor has created" selected, and another matching group has "All guest accounts" selected, then the sponsor is able to manage all guest accounts.

For:

Approve and view requests from self-registering guests
  Any pending accounts
  Only pending accounts assigned to this sponsor

it sounds like there is a defect here. If any matching group has "Any pending accounts" selected, then the sponsor should have that permission. If that's not the case, we need to fix it. I don't think CSCur94729 is the right defect for this; a more specific defect should be created for this issue.

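The merge rule the accepted answer describes (a sponsor matching several sponsor groups gets the broadest permission any of them grants) can be modelled directly, which also makes the behaviour reported in this thread easy to flag in a review of sponsor rights. The following is an added example, not code from the thread or from Cisco ISE: the sponsor groups, LDAP groups and user are constructed from the original post's scenario, and the two permission scales are the option labels quoted in the answer, ordered from most to least restrictive.

```python
"""Model of ISE sponsor-group permission merging (added illustration, not ISE code)."""
from dataclasses import dataclass

# Option labels from the thread, ordered from most to least restrictive.
MANAGE_SCALE = [
    "Only accounts sponsor has created",
    "Accounts created by members of this sponsor group",
    "All guest accounts",
]
PENDING_SCALE = [
    "Only pending accounts assigned to this sponsor",
    "Any pending accounts",
]


@dataclass(frozen=True)
class SponsorGroup:
    name: str
    member_groups: frozenset  # AD/LDAP or internal ISE groups mapped to this sponsor group
    can_manage: str           # one of MANAGE_SCALE
    pending: str              # one of PENDING_SCALE


def matched_groups(user_groups, sponsor_groups):
    """Sponsor groups whose mapping intersects the user's identity-store groups."""
    user_groups = frozenset(user_groups)
    return [g for g in sponsor_groups if g.member_groups & user_groups]


def broadest(values, scale):
    """Least restrictive value on the scale: the union of rights the answer describes as intended."""
    return max(values, key=scale.index)


def narrowest(values, scale):
    """Most restrictive value on the scale: what the thread reports ISE 2.1/2.2 actually applies
    to the pending-accounts setting."""
    return min(values, key=scale.index)


def effective_permissions(user_groups, sponsor_groups, merge=broadest):
    """Effective sponsor rights for a user, or None if no sponsor group matches."""
    matched = matched_groups(user_groups, sponsor_groups)
    if not matched:
        return None
    return {
        "matched": [g.name for g in matched],
        "can_manage": merge([g.can_manage for g in matched], MANAGE_SCALE),
        "pending": merge([g.pending for g in matched], PENDING_SCALE),
    }


def audit_sponsor(user_groups, sponsor_groups, observed_pending):
    """Compare what the portal actually shows a sponsor with the intended union rule.
    Returns a list of findings; empty means behaviour matches intent."""
    intended = effective_permissions(user_groups, sponsor_groups)
    findings = []
    if intended is None:
        if observed_pending is not None:
            findings.append("user matches no sponsor group but has portal rights")
        return findings
    if observed_pending != intended["pending"]:
        findings.append(
            f"pending-accounts right is {observed_pending!r}, intended "
            f"{intended['pending']!r} via {intended['matched']}"
        )
    return findings


# Constructed scenario from the original post: LDAP group A = all users, group B = {Bob}.
ALL_ACCOUNTS = SponsorGroup("ALL_ACCOUNTS", frozenset({"B"}),
                            "All guest accounts", "Any pending accounts")
OWN_ACCOUNTS = SponsorGroup("OWN_ACCOUNTS", frozenset({"A"}),
                            "Only accounts sponsor has created",
                            "Only pending accounts assigned to this sponsor")
SPONSOR_GROUPS = [ALL_ACCOUNTS, OWN_ACCOUNTS]
BOB = {"A", "B"}

if __name__ == "__main__":
    print("intended:", effective_permissions(BOB, SPONSOR_GROUPS))
    print("observed:", effective_permissions(BOB, SPONSOR_GROUPS, merge=narrowest))
    print("audit:", audit_sponsor(BOB, SPONSOR_GROUPS,
                                  "Only pending accounts assigned to this sponsor"))
```

Running the block prints the intended result for Bob ("Any pending accounts" and "All guest accounts"), the narrowest-wins result that matches what the thread reports for the pending-accounts setting, and one audit finding for that discrepancy. The same `audit_sponsor` check, fed with what each sponsor really sees in the portal, is a simple way to verify after an upgrade or fix whether the union rule is applied.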

5 Replies

Contributor

I am seeing the same behavior with ISE 2.2

We have opened a TAC case and they stated that this is how ISE works. Bug ID CSCur94729 was referenced in the case.

Are there any workaround options to achieve the desired behavior while this feature (bug) is resolved?



I can confirm that a sponsor that matches both of the options "Only pending accounts assigned to this sponsor" and "Any pending accounts" only really sees the "Only pending accounts assigned to this sponsor" guests. If I disable the sponsor group that has the "Only" option then the sponsor can see all accounts. If I disable the sponsor group with the "Any" option, of course I am limited to just guests that referenced the sponsor. Of course TAC said that this was not a bug but a feature request.


I talked to the developer on this feature and they said it's a bug. Please ask for one to be opened.


Will do. Thanks for the verification that this is a bug.