
RBAC ISE 1.2 Data Access Permissions

Hello,

We are trying to configure ISE 1.2 patch 7 RBAC profiles.

The idea is that regional admins can only manage their users.

Under User Identity Groups we have several groups, for example:

  • UK-Users
  • Brazil-Users
  • Russia-Users

Each identity is then added to the correct group based on their location / country.

 

We also have a UK-Admin group that contains the UK admins.

 

Next I create the permissions and policy...

We have a Menu access permission (Identity Menu Access) that only allows access to Administration > Identity Management.

We then configure a Data access permission (UK Data Access) that only allows access to User Identity Groups > UK-Users.

Next I set a policy that says the UK-Admin group can only access Identity Menu + UK Data.

 

Then test...

I create a user and add them to the UK-Admins group.

When I log in as a UK admin I can see all the data across all user identity groups.

I would expect to only see the users in the UK-Users group, but I don't!

 

Confused.

 

1 REPLY


Please refer to "Role-Based Permissions" from

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_admin.html#62254

 

| Data Access Name | RBAC Group | Permissible Admin Groups | Permissible Network Device Groups |
|---|---|---|---|
| Super Admin Data Access | Super Admin | Admin Groups, User Identity Groups, Endpoint Identity Groups | All Locations, All Device Types |
| Policy Admin Data Access | Policy Admin | User Identity Groups, Endpoint Identity Groups | None |
| Identity Admin Data Access | Identity Admin | User Identity Groups, Endpoint Identity Groups | None |
| Network Admin Data Access | Network Device Admin | None | All Locations, All Device Types |
| System Admin Data Access | System Admin | Admin Groups | None |
| RBAC Admin Data Access | RBAC Admin | Admin Groups | None |
