09-25-2010 07:59 PM - edited 03-10-2019 05:26 PM
Hi,
I am trying to work out if there is a way to create policies for individual users on ACS 5.x
For example I have an v5.2 ACS with an Internal Identity Store of 100 Users. There are 15 Network Device Groups configured at the same level (no sub levels)
I need to be able to assign individual users access to any combination of NDGs. So for example User1 would have access to devices in NDG 1, 5, 6 and 13. User2 access to NDG 5,7 and 9 etc
In a 4.x ACS I would create Groups that would define the privilege level and then on User-Level Network Access Restrictions I would select which NDGs could be permitted.
I am trying to get my head around how I can achieve the same in v5.x ACS. If there were only a few NDGs then I could create policies that would cover all possibilities but the permutations increase exponentially with the number of NDGs which makes this approach impractical.
Am I wrongly trying to apply 4.x logic to a 5.x solution? Any ideas would be greatly appreciated.
Cheers
Dave
10-07-2010 01:17 PM
Hi Dave,
You may try to configure a rule for each user on the authorization policy, specifying a compound condition.
E.g.: NDG:NDG1 or NDG:NDG2 or NDG:NDG3
You need to add the "compound condition" on the authz policy for your access service with the "customize" button.
Then, check this link for more details on how to configure the compound conditions:
I hope this helps.
Regards,
Federico
10-12-2010 09:35 PM
Thanks very much for the reply Federico. I can now see how I can select different combinations of NDGs using a compound condition with OR statements. What I do not get though is how I can select an individual username as another condition in this policy.
In the compound policy I can select the Dictionary item of "Internal Users" as a condition, but this only shows the user attributes, not the username (see screenshot).
Basically I want to be able to use the Username from an Internal Identity Store as a condition in a policy. Is this possible?
10-13-2010 01:19 AM
Hi Dave,
For this I would suggest to add a specific condition on the Authorization policy checking for the "System:UserName".
You can do so going back to "Customize" and adding the "System:UserName" condition to the "Selected:" list of conditions.
I hope this answers your question.
Regards,
Federico
--
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
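To make the policy shape from the two replies above concrete (a rule per user whose compound condition combines "System:UserName" with an OR-list of NDGs, evaluated top-down with a deny default), here is an added Python model of that evaluation; it is not ACS code, and the NDG names, user names and the `DenyAccess` default are constructed assumptions.

```python
# Added model of the ACS 5.x authorization-policy structure suggested in this thread:
#   one rule per user, compound condition =
#     System:UserName == <user>  AND  (NDG == <ndg_a> OR NDG == <ndg_b> OR ...)
# Rules are evaluated top-down, first match wins, no match falls to the default.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    username: str            # value compared against System:UserName
    allowed_ndgs: frozenset  # the NDG values OR-ed together in the compound condition
    profile: str = "PermitAccess"


def build_rules(user_ndg_map):
    """One rule per user; the OR-list of NDGs is exactly the user's allowed set.

    The rule count grows with the number of users, not with 2**(number of NDGs),
    which is the combinatorial problem the question describes.
    """
    return [Rule(f"Rule-{u}", u, frozenset(ndgs)) for u, ndgs in user_ndg_map.items()]


def evaluate(rules, username, ndg, default="DenyAccess"):
    """First-match evaluation for one access request (user, device's NDG)."""
    for rule in rules:
        if rule.username == username and ndg in rule.allowed_ndgs:
            return rule.name, rule.profile
    return None, default


def unmatched_users(rules, identity_store):
    """Users in the identity store that no rule ever permits (they always hit the default).

    Useful as a sanity check after editing the per-user rule table.
    """
    covered = {rule.username for rule in rules if rule.allowed_ndgs}
    return set(identity_store) - covered


# Constructed sample data mirroring the question: allowed NDGs per user.
USER_NDGS = {
    "User1": {"NDG1", "NDG5", "NDG6", "NDG13"},
    "User2": {"NDG5", "NDG7", "NDG9"},
}
RULES = build_rules(USER_NDGS)

if __name__ == "__main__":
    print(evaluate(RULES, "User1", "NDG5"))   # ('Rule-User1', 'PermitAccess')
    print(evaluate(RULES, "User2", "NDG1"))   # (None, 'DenyAccess')
```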
10-13-2010 04:54 PM
Thanks Federico - I saw that option but thought it was for the System name - Should have tested it. Thank you very much.