ACS user access setting

Unanswered Question
Aug 20th, 2009

I am trying to find a solution for a certain type of setting in ACS.

Imagine, for instance, a real situation as follows:

There is a group "A" with 100 users. For 20 of them, I need to assign access to devices in group "B". I can't find any easy way to do that.

Examples:

Enable the user section “Per User Defined Network Access Restrictions”: this replaces the settings of the user group, and I have to add all the devices from Group "A" there to preserve their access. When Group "A" changes, I have to apply the changes to each person separately.

When I insert the device group into the user group Enable privileges (level 0) and set the Max Privilege for any AAA Client for separate persons, I will grant them level 15 privileges for all the AAA devices.

When I create a new user group instead of Group "A" and move the users to this group, I have 2 groups to maintain with the same privileges except for Group "B".

When I create separate level 15 privileges for every person, I have to insert all the groups and devices from the user group there, and I again have to maintain changes for all the people when the settings of the user group change.

We often have this kind of problem. Is there any normal way to add these privileges to the users from this group and preserve the settings from Group "A" for them?

darpotter Fri, 08/21/2009 - 00:52

Sounds like you really do need 2 groups since the access restrictions are totally different. If these 20 users always have different NARs to the other 80 users they should not be in the same group.

In essence this is the reason for shared profile components. So that you can have multiple groups re-using pieces of config. It's obviously not perfect.

I'm guessing you would like to see either nested groups or multi-group membership - but that's a world of pain and complexity.
