I am trying to work out if there is a way to create policies for individual users on ACS 5.x
For example, I have a v5.2 ACS with an Internal Identity Store of 100 users. There are 15 Network Device Groups configured at the same level (no sub-levels).
I need to be able to assign individual users access to any combination of NDGs. So, for example, User1 would have access to devices in NDGs 1, 5, 6 and 13; User2 would have access to NDGs 5, 7 and 9; etc.
In a 4.x ACS I would create Groups that would define the privilege level and then on User-Level Network Access Restrictions I would select which NDGs could be permitted.
I am trying to get my head around how I can achieve the same in v5.x ACS. If there were only a few NDGs then I could create policies that would cover all possibilities, but the permutations increase exponentially with the number of NDGs, which makes this approach impractical.
Am I wrongly trying to apply 4.x logic to a 5.x solution? Any ideas would be greatly appreciated.
For this I would suggest adding a specific condition to the Authorization policy that checks the "System:UserName" attribute.
You can do so going back to "Customize" and adding the "System:UserName" condition to the "Selected:" list of conditions.
I hope this answers your question.
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
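To illustrate why a per-user rule keyed on System:UserName sidesteps the combinatorial problem in the question, here is a small model of that policy table (an added example, not ACS code and not from the poster or the answerer). It assumes constructed usernames, NDG numbers and the profile names "PermitAccess"/"DenyAccess"; the actual matching semantics (case sensitivity, NDG operator, rule ordering) are whatever the ACS 5.x policy engine applies, and this model only reproduces first-match evaluation with a default deny.

```python
"""Model of per-user authorization rules: one rule per user, each carrying a
System:UserName condition plus the set of NDGs that user may reach.
Added illustration only; not ACS code. Names and numbers are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

NDG_COUNT = 15  # fifteen flat NDGs, as in the question

# Constructed sample assignment (hypothetical users and NDG numbers).
USER_NDG_ACCESS: Dict[str, FrozenSet[int]] = {
    "User1": frozenset({1, 5, 6, 13}),
    "User2": frozenset({5, 7, 9}),
}


@dataclass(frozen=True)
class Rule:
    name: str
    username: str           # value the System:UserName condition must equal
    ndgs: FrozenSet[int]    # NDG condition: the device's NDG must be one of these
    result: str             # authorization profile returned on a match


def build_rules(access: Dict[str, FrozenSet[int]],
                profile: str = "PermitAccess") -> List[Rule]:
    """One rule per user; rejects NDG numbers outside the configured range."""
    rules: List[Rule] = []
    for user, ndgs in access.items():
        bad = sorted(n for n in ndgs if not 1 <= n <= NDG_COUNT)
        if bad:
            raise ValueError(f"{user}: unknown NDG(s) {bad}")
        rules.append(Rule(name=f"{user}-devices", username=user,
                          ndgs=ndgs, result=profile))
    return rules


def evaluate(rules: List[Rule], username: str, ndg: int) -> str:
    """First matching rule wins; no match falls through to the default deny."""
    for rule in rules:
        if rule.username == username and ndg in rule.ndgs:
            return rule.result
    return "DenyAccess"


def rule_counts(users: int, ndg_count: int) -> Dict[str, int]:
    """Rules needed: one per user, versus one per non-empty NDG subset."""
    return {"per_user": users, "per_ndg_combination": 2 ** ndg_count - 1}


RULES = build_rules(USER_NDG_ACCESS)

if __name__ == "__main__":
    for user, ndg in [("User1", 5), ("User1", 7), ("User2", 7), ("User3", 5)]:
        print(user, ndg, evaluate(RULES, user, ndg))
    print(rule_counts(users=100, ndg_count=NDG_COUNT))
```

The point the numbers make: with 100 users the per-user table has 100 rules, whereas enumerating every NDG subset would need 32,767 rules for 15 NDGs. Keep the explicit default-deny at the end of the table so a user with no rule, or a device in an NDG not listed for that user, is refused rather than falling into some other rule.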