Solved: Hi

fortis007 · ‎02-23-2017

Hello

I am trying to find a way to create a read-only access policy for users in ISE so when read-only admin access the ISE, it has privileges to see all policies, policy results but with no option to alter it. Reading thru Cisco doc I was unable to find the way to do this. According to Cisco doc (noted bellow) this cannot be done. I tested on different access level for menu and data but no luck preventing a change on data that admin user has rights.

Was anyone experienced the same requirements and is there a solution to create a real, true read-only access to ISE menu and data?

Appreciate feedback..

Cisco ISE Administrator Groups

......

Regardless of the level of access, any administrator account can modify or delete objects for which it has permission, on any page that the administrator can access.

.....

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0101.html?bookSearch=true

Francesco Molino · ‎02-23-2017

Hi

You're right this isn't possible. I haven't checked with Cisco ISE 2.2 yet but based on release note there is nothing like that announced.

There was a bug enhancement that's still opened and no"fix" have been provided.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur75681/?referring_site=bugquickviewredir

Sorry for that.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎02-23-2017

Hi