Authorization, restrict commands

cgarcia02
Level 1

Hello all, I have a problem. I am using ACS 5.3. I have two sets of DeviceGroups (router & switch) and two sets of users (G1, G2). Here is my question, how can I achieve this:

G1: can have full access to DeviceGroup1 and DeviceGroup2 --> This works

here comes the tricky part for me....

G2: can have "read only" access to DeviceGroup1 but full access to DeviceGroup2

Has anyone asked this before, or is there any document on how to do this?

Thanks a lot!!

Accepted Solution

nspasov
Cisco Employee

Hello Cesar-

You can definitely do this in ACS. When you are creating your authorization policies you can be very flexible with the way you grant and deny access to your devices. For your example, you can build rules that are based on:

1. The end user identity group (this can be either internal or AD)

2. The device type (switches, routers, etc.)

3. The device location (Campus A, Campus B, etc.)

So for example, if the user is in the network admin group then he/she will be given full access regardless of device location/type (1st screenshot), but if the user is, let's say, a "switch admin", then that user will be given full access to switches (2nd screenshot) but only read-only access to routers (3rd screenshot).

I hope this makes sense!

Thank you for rating!

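The rule table the accepted answer describes (match on identity group, device type and device location, first matching rule wins, anything unmatched is denied) can be modelled in a few lines. The following is an added example written for this thread, not Cisco code and not an ACS export; the group names, device groups and command sets are constructed, and "read only" is modelled the way it is commonly built in ACS, as a command set that permits `show` commands and denies anything not listed.

```python
"""Model of a first-match device-administration authorization policy.

Added example for this thread, not ACS code. Group, device and command-set
names are constructed to mirror the scenario in the accepted answer.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "*"  # wildcard condition: matches any value of that attribute


@dataclass(frozen=True)
class Request:
    user: str
    identity_group: str    # e.g. "NetworkAdmins", "SwitchAdmins" (constructed)
    device_type: str       # e.g. "Switch", "Router"
    device_location: str   # e.g. "CampusA"


@dataclass(frozen=True)
class CommandSet:
    name: str
    permit_prefixes: Tuple[str, ...]  # a command is permitted if it starts with one of these
    permit_unmatched: bool            # ACS-style "permit any command that is not in the table"

    def permits(self, command: str) -> bool:
        cmd = command.strip().lower()
        if any(cmd.startswith(p) for p in self.permit_prefixes):
            return True
        return self.permit_unmatched


# Full access: no explicit entries, everything unmatched is permitted.
FULL_ACCESS = CommandSet("FullAccess", (), permit_unmatched=True)
# Read only: only show/terminal/exit commands, everything else denied.
READ_ONLY = CommandSet("ReadOnly", ("show ", "terminal length", "exit"), permit_unmatched=False)


@dataclass(frozen=True)
class Rule:
    name: str
    identity_group: str
    device_type: str
    device_location: str
    result: CommandSet

    def matches(self, req: Request) -> bool:
        conditions = (
            (self.identity_group, req.identity_group),
            (self.device_type, req.device_type),
            (self.device_location, req.device_location),
        )
        return all(cond == ANY or cond == value for cond, value in conditions)


# Rule order matters: the first rule whose conditions all match is the result.
POLICY = [
    Rule("NetAdmin-AllDevices", "NetworkAdmins", ANY, ANY, FULL_ACCESS),
    Rule("SwitchAdmin-Switches", "SwitchAdmins", "Switch", ANY, FULL_ACCESS),
    Rule("SwitchAdmin-Routers", "SwitchAdmins", "Router", ANY, READ_ONLY),
]


def authorize(req: Request, policy=POLICY) -> Optional[CommandSet]:
    """Return the command set of the first matching rule, or None (default deny)."""
    for rule in policy:
        if rule.matches(req):
            return rule.result
    return None


def command_allowed(req: Request, command: str, policy=POLICY) -> bool:
    """Session-level authorization followed by per-command authorization."""
    command_set = authorize(req, policy)
    return command_set is not None and command_set.permits(command)


if __name__ == "__main__":
    switch_admin_on_router = Request("cesar", "SwitchAdmins", "Router", "CampusA")
    for cmd in ("show running-config", "configure terminal"):
        print(f"{switch_admin_on_router.user} on Router: {cmd!r} -> "
              f"{'permit' if command_allowed(switch_admin_on_router, cmd) else 'deny'}")
```

Two points the model makes visible: the order of rules decides the outcome when a user could match more than one of them, and a group that matches no rule (a contractor account, say) gets nothing rather than falling through to some earlier, broader rule.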

3 Replies

Hello Neno, thanks a lot, this is what I was looking for, it worked!

Good to hear and glad I could help!
