I have ACS setup with a device group that covers a large number of devices on my network and I apply rights to this as necessary.
But now I need to give a group of users access to a single device that is included within this group. I can't create a new device group to cover this single device as the address overlaps. Is there a way I do this without having to split up my existing device group into at least 3.
This can be achieved by using Network Access Restriction (NAR) in ACS.
By NAR you can Permit/deny access user/group based on Device/NDG/NAF.
Following link can give you more detail on it:
Note: if you don't get the option for NAR enable it from interface configuration.