Time Bound Elevated Permission to Network Access User in ISE

VipulAgr
Level 1

Hi Folks,

I am looking for a way to assign an Identity group to users that is time bound. The use case is to temporarily assign elevated permission to a user who has standard access for Device Administration in ISE.

For this I am thinking of assigning the user to an Identity group which provides standard access to network devices, and adding him to a more privileged Identity group only when it's needed, for a certain interval. It can be done by manually adding the Identity group to the user and detaching it when it's not needed, but is there any way to detach the Identity group automatically after a certain time period, to avoid any slip in this manual effort?

Accepted Solution

Mike.Cifelli
VIP Alumni

AFAIK you will have to accomplish this manually. To me that sounds like it could be quite the process. Have you considered looking into utilizing APIs? Specifically the Network Device API: the Network Device API allows the client to add, delete, update, and search network devices. You could write a script that only allows the specific users you wish to accomplish the task, and then take away their ability to run/execute the script that consumes the API. HTH!


2 Replies

thomas
Cisco Employee

Mike's suggestion is good, as always.

See ISE ERS API Examples > Create an Endpoint with Custom Attributes for how you can do this.

Otherwise, there are no attributes in ISE to block authentication/authorization after an absolute time (e.g. December 31, 2020 @ 11:59:59 UTC).

By attach and detach I assume you mean authentication and expiration, since that is the method of privilege/enablement we have to work with. You may do this in ISE with an authorization profile that only allows access for a specific amount of [session] time (600 seconds == 10 minutes, for example).

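As an added example (not code from either reply, nor from Cisco), here is what the script Mike describes could look like against the ISE ERS API, using the internal-user resource that thomas's ERS examples link covers. It assumes ERS is enabled on port 9060, that an ERS admin account exists, that the target is an ISE internal user, and that the internaluser resource carries identity groups as a comma-separated string of group IDs; the hostname, credentials, user and group names are hypothetical.

```python
"""Time-boxed identity-group elevation for an ISE internal user via the ERS API.

Added example, not code from the thread. Assumptions (all hypothetical):
  - ERS is enabled on ISE_HOST, port 9060, and ERS_USER is an ERS admin.
  - The target is an ISE *internal* user, and the internaluser resource
    carries its identity groups as a comma-separated string of group IDs.
  - PUT of the fetched object with only identityGroups changed is accepted.
"""
import base64
import json
import ssl
import time
import urllib.request

ISE_HOST = "ise.example.com"   # hypothetical
ERS_USER = "ers-admin"         # hypothetical; least-privilege ERS account
ERS_PASS = "change-me"         # hypothetical; load from a vault in practice


def _split(groups):
    return [g for g in groups.split(",") if g]


def add_group(groups, gid):
    """Return the group string with gid added (idempotent)."""
    ids = _split(groups)
    if gid not in ids:
        ids.append(gid)
    return ",".join(ids)


def remove_group(groups, gid):
    """Return the group string with every occurrence of gid removed."""
    return ",".join(g for g in _split(groups) if g != gid)


def http_send(method, url, headers, body):
    """Real transport: one ERS call over HTTPS with certificate verification."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    ctx = ssl.create_default_context()   # keep verification on; the call carries admin creds
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class ErsClient:
    def __init__(self, host, user, password, send=http_send):
        self.base = f"https://{host}:9060/ers/config"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {
            "Authorization": f"Basic {token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        }
        self.send = send   # injectable so the flow can be exercised offline

    def _call(self, method, path, body=None):
        payload = json.dumps(body) if body is not None else None
        return self.send(method, self.base + path, self.headers, payload)

    def group_id(self, name):
        return self._call("GET", f"/identitygroup/name/{name}")["IdentityGroup"]["id"]

    def user(self, name):
        return self._call("GET", f"/internaluser/name/{name}")["InternalUser"]

    def set_groups(self, user, groups):
        # PUT the fetched object back with only identityGroups changed (assumption)
        updated = dict(user, identityGroups=groups)
        self._call("PUT", f"/internaluser/{user['id']}", {"InternalUser": updated})


def elevate(client, username, group_name, ttl_seconds, now=time.time):
    """Add the user to group_name; return (expiry epoch, revoke callback)."""
    gid = client.group_id(group_name)
    user = client.user(username)
    client.set_groups(user, add_group(user.get("identityGroups", ""), gid))

    def revoke():
        # Re-read so we do not clobber changes made while the grant was live
        current = client.user(username)
        client.set_groups(current, remove_group(current.get("identityGroups", ""), gid))

    return now() + ttl_seconds, revoke


def elevate_for(client, username, group_name, ttl_seconds):
    """Grant, wait out the TTL, then revoke even if the wait is interrupted."""
    expires, revoke = elevate(client, username, group_name, ttl_seconds)
    try:
        while time.time() < expires:
            time.sleep(min(30, max(0, expires - time.time())))
    finally:
        revoke()   # runs on Ctrl-C too, so the grant cannot outlive the script


if __name__ == "__main__":
    client = ErsClient(ISE_HOST, ERS_USER, ERS_PASS)
    elevate_for(client, "alice", "NetAdmin-Privileged", 600)   # hypothetical names
```

The revoke is in a finally block so an interrupted run still removes the group, but if the host running the script dies mid-grant the membership stays; pair it with a session-timeout authorization profile of the kind thomas describes, or a scheduled sweep that revokes any grant past its expiry, rather than relying on the script alone. Keep the ERS account limited to what the script needs, since whoever can run it can change group membership.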