Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Read Only Web Access to ISE Nodes

Hi All,

How can we create a Read Only account for web access of Cisco ISE nodes ? I created a new username with 'user' role but not able to login into admin web page.

Thanks & Regards,

Mujeeb

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Read Only Web Access to ISE Nodes

RBAC policies determine if an administrator can be granted a specific type of access to a menu item or other identity group data elements. You can grant or deny access to a menu item or identity group data element to an administrator based on the admin group by using RBAC policies. When administrators log in to the Admin portal, they can access menus and data that are based on the policies and permissions defined for the admin groups with which they are associated.

RBAC policies map admin groups to menu access and data access permissions. For example, you can prevent a network administrator from viewing the Admin Access operations menu and the policy data elements. This can be achieved by creating a custom RBAC policy for the admin group with which the network administrator is associated.

Cisco ISE allows you to create custom menu access permissions that you can map to an RBAC policy. Depending on the role of the administrators, you can allow them to access only specific menu options.

Step 1 Choose Administration > System > Admin Access > Authorization > Permissions > Menu Access.

Step 2 Click Add, and enter values for the Name and Description fields.

Step 3 Click to expand the menu item up to the desired level, and click the menu item(s) on which you want to create permissions.

Step 4 In the Permissions for Menu Access area, click Show.

Step 5 Click  Submit.

4 REPLIES
Cisco Employee

Read Only Web Access to ISE Nodes

Cisco  ISE allows you to define role-based access control (RBAC) policies that  allow or deny certain system-operation permissions to an administrator.  These RBAC policies are defined based on the identity of individual  administrators or the admin group to which they belong.

review the follwoing link for more info on this

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_admin.html

Cisco Employee

Read Only Web Access to ISE Nodes

RBAC policies determine if an administrator can be granted a specific type of access to a menu item or other identity group data elements. You can grant or deny access to a menu item or identity group data element to an administrator based on the admin group by using RBAC policies. When administrators log in to the Admin portal, they can access menus and data that are based on the policies and permissions defined for the admin groups with which they are associated.

RBAC policies map admin groups to menu access and data access permissions. For example, you can prevent a network administrator from viewing the Admin Access operations menu and the policy data elements. This can be achieved by creating a custom RBAC policy for the admin group with which the network administrator is associated.

Cisco ISE allows you to create custom menu access permissions that you can map to an RBAC policy. Depending on the role of the administrators, you can allow them to access only specific menu options.

Step 1 Choose Administration > System > Admin Access > Authorization > Permissions > Menu Access.

Step 2 Click Add, and enter values for the Name and Description fields.

Step 3 Click to expand the menu item up to the desired level, and click the menu item(s) on which you want to create permissions.

Step 4 In the Permissions for Menu Access area, click Show.

Step 5 Click  Submit.

New Member

Read Only Web Access to ISE Nodes

Hi Munir,

Thanks for your response. Above steps will satisfy the requirement if I want to hide or show some menu options for a specific admin user.

But my requirement is to provide 'Read Only Access' to all menu options e.g Operations, Policy, Administration etc means that specific admin user can see all menu options and configurations but should not be able to modify/delete any configuration item.

So kindly guide how I can achieve this ?

Thanks & Regards,

Mujeeb

Cisco Employee

Read Only Web Access to ISE Nodes

Hello Mujeeb

Thanks for your response. Given below is some information regarding permission, so try this one:

Permissions are assigned to admin groups by way of a policy rule table

Step 1: Examine these policies under Administration > System > Admin Access> Policies

Note:  There are two types of permission – one based on menu access and the other based on data access

Examine and upgrade these types of permissions as per your requirement under

Administration > System > Admin Access > Permissions

1738
Views
0
Helpful
4
Replies
CreatePlease to create content