11-30-2020 09:58 AM
Hi Folks,
I am looking for a way to assign an Identity group to users that is time bound. The use case is to temporarily assign elevated permissions to a user who has standard access for Device Administration in ISE.
For this I am thinking of assigning the user to an Identity group that provides standard access to network devices, and adding him to a more privileged Identity group only when it's needed, for a certain interval. It can be done by manually adding the identity group to the user and detaching it when it's not needed, but is there any way to detach the identity group automatically after a certain time period, to avoid any slip in this manual effort?
12-01-2020 05:23 AM
AFAIK you will have to accomplish this manually. To me that sounds like it could be quite the process. Have you considered looking into utilizing APIs? Specifically the Network Device API: Network Device API allows the client to add, delete, update, and search Network Devices. You could write a script that only allows the certain users you wish to accomplish the task, and then take away their ability to run/execute the script that consumes the API. HTH!
12-15-2020 11:39 AM
Mike's suggestion is good, as always.
See ISE ERS API Examples > Create an Endpoint with Custom Attributes for how you can do this.
Otherwise, there are no attributes in ISE to block authentication/authorization after an absolute time (e.g. December 31, 2020 @ 11:59:59 UTC).
By attach and detach I assume you mean authentication and expiration since that is the method of privilege/enablement we have to work with. You may do this in ISE with an authorization profile that only allows access for a specific amount of [session] time (600 seconds == 10 minutes for example).
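The two answers above point at the same design: a script that grants the privileged group through the ERS API and a separate control that takes it away again after an interval. The following is an added example (not Cisco's code and not from this thread) of how a defender might implement that time-bound grant. It assumes the ERS internal-user resource at `/ers/config/internaluser/name/{name}` and `/ers/config/internaluser/{id}` (PUT), the identity-group lookup at `/ers/config/identitygroup/name/{name}`, basic auth on port 9060, and an `InternalUser.identityGroups` field holding a comma-separated list of group ids; verify those against your ISE version's ERS SDK page before use. The transport is injected, so the grant/expiry logic runs offline against a constructed in-memory stand-in; the `HttpTransport` class is what you would pass for a real deployment.

```python
"""Time-bound identity-group membership for an ISE internal user via the ERS API.

Added example, not Cisco's code. Resource paths, the port and the
"identityGroups" field format are assumptions to verify against the ERS SDK.
"""
import base64
import json
import time
import urllib.request
from typing import Dict, List, Optional, Tuple


class HttpTransport:
    """Minimal JSON transport for ERS over urllib (assumed: port 9060, basic auth)."""

    def __init__(self, host: str, user: str, password: str):
        self.base = f"https://{host}:9060"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Accept": "application/json",
                        "Content-Type": "application/json"}

    def request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data,
                                     method=method, headers=self.headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}


class FakeTransport:
    """Constructed in-memory stand-in for ISE so the example runs offline."""

    def __init__(self):
        self.users = {"u-1": {"id": "u-1", "name": "alice", "identityGroups": "g-std"}}
        self.groups = {"Standard_NetAdmins": "g-std", "Privileged_NetAdmins": "g-priv"}
        self.log: List[str] = []  # audit trail of every call made

    def request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        self.log.append(f"{method} {path}")
        p = path.strip("/").split("/")  # ers/config/<resource>/...
        if method == "GET" and p[2] == "identitygroup":
            return {"IdentityGroup": {"id": self.groups[p[4]], "name": p[4]}}
        if method == "GET" and p[2] == "internaluser":
            u = next(u for u in self.users.values() if u["name"] == p[4])
            return {"InternalUser": dict(u)}
        if method == "PUT" and p[2] == "internaluser":
            self.users[p[3]].update(body["InternalUser"])
            return {}
        raise ValueError(f"unsupported call {method} {path}")


class IseGroupManager:
    """Add/remove an internal user's identity-group membership through ERS."""

    def __init__(self, transport):
        self.t = transport

    def group_id(self, name: str) -> str:
        r = self.t.request("GET", f"/ers/config/identitygroup/name/{name}")
        return r["IdentityGroup"]["id"]

    def user_groups(self, username: str) -> List[str]:
        u = self.t.request("GET", f"/ers/config/internaluser/name/{username}")["InternalUser"]
        return [g for g in u.get("identityGroups", "").split(",") if g]

    def _set_groups(self, username: str, groups: List[str]) -> None:
        u = self.t.request("GET", f"/ers/config/internaluser/name/{username}")["InternalUser"]
        body = {"InternalUser": {"id": u["id"], "name": u["name"],
                                 "identityGroups": ",".join(groups)}}
        self.t.request("PUT", f"/ers/config/internaluser/{u['id']}", body)

    def add_to_group(self, username: str, group_name: str) -> None:
        gid, groups = self.group_id(group_name), self.user_groups(username)
        if gid not in groups:
            self._set_groups(username, groups + [gid])

    def remove_from_group(self, username: str, group_name: str) -> None:
        gid, groups = self.group_id(group_name), self.user_groups(username)
        if gid in groups:
            self._set_groups(username, [g for g in groups if g != gid])


class TimeBoundGrants:
    """Grants carry an absolute expiry; expire() revokes everything past due."""

    def __init__(self, mgr: IseGroupManager):
        self.mgr = mgr
        self.active: Dict[Tuple[str, str], float] = {}  # (user, group) -> expiry epoch

    def grant(self, username: str, group_name: str, ttl_seconds: int, now: float = None) -> float:
        now = time.time() if now is None else now
        self.mgr.add_to_group(username, group_name)
        self.active[(username, group_name)] = now + ttl_seconds
        return self.active[(username, group_name)]

    def expire(self, now: float = None) -> List[Tuple[str, str]]:
        now = time.time() if now is None else now
        due = [k for k, exp in self.active.items() if exp <= now]
        for user, group in due:  # revoke first, then forget, so a failed PUT is retried
            self.mgr.remove_from_group(user, group)
            del self.active[(user, group)]
        return due


if __name__ == "__main__":
    grants = TimeBoundGrants(IseGroupManager(FakeTransport()))
    grants.grant("alice", "Privileged_NetAdmins", 600, now=1000)
    print(grants.expire(now=1700))  # run from cron/systemd timer in a real deployment
```

Run `expire()` from a scheduled job (cron or a systemd timer) at a shorter cadence than the smallest TTL you issue, and persist `active` somewhere durable so a restart of the scheduler does not leave a grant in place indefinitely; the `FakeTransport.log` list doubles as the kind of audit record you would want forwarded to your SIEM for every grant and revocation.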