Cisco Support Community

New Member

ACS or ISE restricted admins


Right now I have a 3-node ACS 5.4 (soon to be 5.5) installation which provides network device authentication to a single business unit's routers/switches/etc. The cluster has the large-site and advanced logging/monitoring licenses.


Now, after running it solely within my business unit for a number of years, various groups in the corporate hierarchy outside my business unit have expressed interest in leveraging our investment to authenticate other kinds of devices controlled by different administrator groups, but a sticking point is the inability to restrict ACS administrators beyond which sections of the GUI they can interact with. Because all the different groups are separate administrative entities, there is good reason to want that kind of restriction.



Is there any way in ACS to restrict an administrator's access more granularly than GUI elements? For example, Administrator A should only be able to perform CRUD operations on device group Y, while Administrator B should only be able to perform CRUD operations on device group Z. If not in ACS, is it possible in ISE? Device groups are the only things really impacted by this; most of the rest can be worked out politically.


I will mention that I am not really interested in using the REST APIs to create my own front-end unless that really is the only way.


Hey,

As of now no options for this feature implementation.

A feature request from your end should get this going.



**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
Cisco Employee

for Role-Based Access Control in Cisco ISE
