Cisco Identity Services Engine User Guide, Release 1.2
Navigating the Admin portal
Downloads: This chapterpdf (PDF - 541.0KB) The complete bookPDF (PDF - 10.09MB) | Feedback

Table of Contents

Navigating the Admin portal

Admin Portal

Cisco ISE Dashboard

Setup Assistant and Task Navigators

Setup Assistant

Cisco ISE Licensing Impact on Setup Assistant

Running the Setup Assistant

Setup Assistant Overwrites Previous Configurations

Identify Policy Requirements Page in Setup Assistant

Configure Network Access Service Page in Setup Assistant

Select Network Device Types Page in Setup Assistant

Review and Confirm Your Choices Page in Setup Assistant

Task Navigators

Filtering Data on Listing Pages

Data Filters in Listing Pages

Customizing the Displayed Field Attributes

Filtering Data by Field Attributes Using the Quick Filter

Filtering Data by Conditions Using the Advanced Filter

Creating Custom Filters

Cisco ISE Internationalization and Localization

Supported Languages

End-User Web Portal Localization

Support for UTF-8 Character Data Entry

UTF-8 Credential Authentication

UTF-8 Policies and Posture Assessment

Cisco NAC and MAC Agent UTF-8 Support

UTF-8 Support for Messages Sent to Supplicant

Reports and Alerts UTF-8 Support

UTF-8 Character Support in the Portals

UTF-8 Support Outside the User Interface

Support for Importing and Exporting UTF-8 Values

UTF-8 Support on REST

UTF-8 Support for Identity Stores Authorization Data

Admin Features Limited by Role-Based Access Control Policies

Navigating the Admin portal

This chapter introduces the Cisco Identity Services Engine (ISE) Admin portal and contains the following topics:

Admin Portal

The Admin portal is an administration console from which you can manage various identity services. Figure 2-1 shows the main elements of this portal.

Figure 2-1 Admin portal

 

 

1

Menu Bar

Access tools for viewing, monitoring, and managing different Cisco ISE options:

  • Home: Access the dashboard, which is a real-time view of all the services running in the Cisco ISE network.
  • Operations: Access tools for monitoring real-time alarms and live authentications, querying historical data through reports, and troubleshooting network services.
  • Policy: Access tools for managing network security in the areas of authentication, authorization, profiling, posture, and client provisioning.
  • Administration: Access tools for managing Cisco ISE nodes, licenses, certificates, network devices, users, endpoints, and guest services.
2

Top Right Panel

View the connected Cisco ISE node. Click the appropriate options to edit account information, log out, and provide feedback to Cisco.

3

Search

Search for endpoints and display their distribution by profiles, failures, identity stores, location, device type, and so on.

4

Setup Assistant

Access wizard to create a basic configuration to demonstrate Cisco ISE feature functionality in your network.

5

Context-Sensitive Help

Access help for the currently displayed page.

6

Help

Access the complete Cisco ISE online Help system and the Task Navigator, which provides visual guides for navigating through procedures whose tasks span multiple screens.

7

Notifications

Hover the mouse cursor over this option to view a summary of notifications.

Cisco ISE Dashboard

The Cisco ISE Dashboard displays live consolidated and correlated statistical data that is is essential for effective monitoring and troubleshooting. Dashboard elements show activity over 24 hours, unless otherwise noted. Figure 2-2 shows some of the information available on the Cisco ISE Dashboard.

Figure 2-2 Cisco ISE User Dashboard

 

 

1

Dashlets

Dashboard element that displays statistical summaries about the devices and user accessing the network. In some dashlets, colored icons are displayed prior to the device names to convey the system health:

  • Green = Healthy
  • Yellow = Warning
  • Red = Critical
  • Gray = No information
2

Sparklines

Depict trends over time.

3

Stacked bar charts

Display the distribution of parameters using color as the dividing element, so you can see where one parameter ends and another begins. Display is limited to the top 10 distributions. In general, stacked bar charts use color to mark the boundary points between one data measurement and another.

4

Metric meters

Summarize the most important statistics regarding the devices that are accessing the network. Metric meters provide an at-a-glance view of network health and performance. You can click the number displayed above the metrics meter to view more information about the devices.

Setup Assistant and Task Navigators

The Setup Assistant and Task Navigators provide efficient configuration of Cisco ISE on your network. The Setup Assistant provides a basic Cisco ISE configuration based on your network settings and policies, and Task Navigators provide a visual path through the configuration tasks.

Setup Assistant

The Setup Assistant guides you through a series of questions in a wizard-like interface retaining your responses and using them to configure Cisco ISE directly. It enables you to set up a basic working Cisco ISE configuration as a proof-of-concept for your network. Your answers to the questions impact these Cisco ISE features: authentication, authorization, profiling, posture, client provisioning, guest services, and support for personal devices.

Cisco ISE Licensing Impact on Setup Assistant

Setup Assistant functionality depends on the Cisco ISE license that you have applied to your configuration.

 

Cisco ISE License
Identify Policy Requirements
Configure Network Access Services
Select Network Device Types

Basic

The posture, endpoint profiling, and personal devices options are not available.

Advanced

If you choose wired + monitor, the guest and posture choices are disabled on the next page.

If you choose wireless and wired + monitor, the guest and posture choices on the next page impact wireless only.

The guest and posture choices are not available if you select wired + monitor on the previous page.

If you choose wired only on the first page, the wireless LAN controller (WLC) information does not appear.

If you choose wireless only on the first page, switch information does not appear.

Wireless

The wired option is not available.

Switch information does not appear.

Running the Setup Assistant

When you start Cisco ISE 1.2 for the first time, you are prompted to run the Setup Assistant. If you choose not to run it then, you can run it again later.

Before You Begin

To perform this task, you must be a Super Admin. You can only run the Setup Assistant on the standalone or primary Administration node.


Step 1 Click Setup Assistant in the upper-right corner of the Admin portal.

Step 2 Follow the on-screen instructions to complete the configuration.


 

Setup Assistant Overwrites Previous Configurations

Each time you run the Setup Assistant, Cisco ISE overwrites previous settings, which can critically impact on your configuration in the following ways:

  • All authentication, authorization, client provisioning, and posture policies are deleted and replaced, including any that you added without using the Setup Assistant.
  • Other settings, such as policy elements and web portal customizations, are overwritten with any newly specified values. If you do not enter anything for the optional settings, the Setup Assistant resets them to their default values.

Identify Policy Requirements Page in Setup Assistant

Wired or Wireless

You must indicate whether you want to support wired or wireless connections, or both. If you are using a Cisco ISE Wireless License, the wired option is unavailable.

These choices impact the policies that Cisco ISE creates, and also dictate other required responses. For example, if you choose wired, you can also indicate whether your network supports IP phones.

You must also indicate whether or not the wired connections are monitored or if network access must be enforced based on compliance:

  • Monitor generates non-compliance logs and reports, but does not require that users or devices comply with the defined policies.

In monitoring mode, posture and guest policies are ignored. If you support wired connections in monitoring mode, the Setup Assistant disables the guest and posture choices on the next page to prevent unauthorized computer and guest access.

If you support wired and wireless connections, you can enable the guest and posture features, but they will apply only to the wireless connections. The wireless connections always runs in enforcement mode.

  • Enforce requires compliance with the defined policies.

Protected Subnets

You must indicate which subnets should are inaccessible by guests or noncompliant endpoints. This information is used when creating the downloadable ACLs.

Configure Network Access Service Page in Setup Assistant

User Authentication

Users belonging to these groups will be granted network access as employees and be allowed to create guest accounts using the Sponsor portal.

  • Internal users—If you choose to create an internal user, Cisco ISE creates a single user using the name you enter and assigns the user to the default Employee and SponsorAllAccount user identity groups. You can verify this in the Administration > Identity Management > Identities > Users page after setup completes.

Because the Setup Assistant provides only the basic Cisco ISE configuration to demonstrate its functionality in your network, you cannot use it to import additional users into the internal user database. You can add additional internal users using the Admin portal after you complete the Setup Assistant.

  • Active Directory—If you choose to join the Active Directory domain, Cisco ISE adds the indicated AD domain and joins to it. After joining the domain, you must choose an Active Directory group. All users belonging to this group will be able to authenticate using Dot1x and create guests using the Sponsor portal. You can verify this from the Administration > Identity Management > External Identity Sources > Active Directory page after setup completes.

Posture Compliance

When you enable posture using the Setup Assistant, Cisco ISE checks for antispyware and antivirus definitions and installations on connected endpoints.

You must indicate whether you want to assess or assess and enforce posture compliance for employees and guests:

  • Assess generates reports about noncompliant users, but allows them to be authenticated.
  • Enforce prevents authentication.

If you want to force Cisco ISE to redirect noncompliant endpoints to a remediation server before granting network access, enter the proxy server IP address.

If you enable posture compliance, Cisco ISE will:

  • Download the Cisco NAC agents and update the Policy > Policy Elements > Results > Client Provisioning > Resources page.
  • Create the downloadable ACLs on the Policy > Policy Elements > Results > Authorization > Downloadable ACLs page. All DACLs created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_DACL_PrePostureWired.
  • Create authorization profiles on the Policy > Policy Elements > Results > Authorization > Authorization Profiles page. Authorization profiles created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_profile_Byod_CWA.
  • Create authorization conditions on the Policy > Policy Elements > Conditions > Simple Conditions and Policy > Policy Elements > Conditions > Compound Conditions pages. Authorization conditions created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_condition_Android_Devices or AutoGen_condition_GuestWired.
  • Create client provisioning policies on the Policy > Client Provisioning page. Client provisioning policies created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_Provisioning.
  • Download posture updates from the Administration > System > Settings > Posture > Updates page.
  • Create posture policies on the Policy > Posture page. Posture policies created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_Policy_Check_For_AS_Definition_Mac_Employee.
  • Create authorization policies on the Policy > Authorization page. Authorization policies created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_policy_Registered_Wireless_Devices.
  • Create authentication policies on the Policy > Authentication page. Authorization policies created by the Setup Assistant include the prefix AutoGen, such as: AutoGen_AuthNPolicy_MAB.

Endpoint Profiling

Endpoint profiling discovers, identifies, and determines the capabilities of all attached endpoints on your network. If you enable endpoint profiling, Cisco ISE will:

  • Enable these endpoint profiling features on the Administration > System > Deployment > Edit Node > Profiling Configuration page.

DHCP

RADIUS

Network Scan (NMAP)

SNMP Query Probes

  • Configure SNMP on the Administration > Network Resources > Network Devices page.

Proxy Settings

Cisco ISE uses the proxy server to download Cisco-defined posture checks and client provisioning resources required for assessing posture of endpoints and allowing personal devices on the network. If you configure these proxy settings, Cisco ISE will update the settings on the Administration > System > Settings > Proxy page.

Guest User Support

To support guest users, you must create a sponsor user. Cisco ISE creates a single user using the name you enter and assigns the user to the default SponsorAllAccount user identity group, which defines the user as a sponsor user. You can verify this from the Administration > Identity Management > Identities > Users page after setup completes.

If you add a simplified URL, Cisco ISE updates the Portal URL settings on the Administration > Web Portal Management > Settings > General > Ports page.

Support for Personal Devices

You can add a simplified URL for employees to use to access the My Devices portal, and Cisco ISE updates the Portal URL settings on the Administration > Web Portal Management > Settings > General > Ports page.

Web Portal Customizations

You can upload an image to use as a custom logo for the Sponsor, Guest, and My Devices portals. Cisco ISE also will upload the image to the Administration > Web Portal Management > Settings > General > Portal Theme page.

Select Network Device Types Page in Setup Assistant

Switches and Wireless Controllers

Cisco ISE adds the the switches and wireless controllers to the Administration > Network Resources > Network Devices page, updates the SNMP settings, and adds the RADIUS shared secret to the Authentication Settings option.

Depending on the choices you made previously, you must configure the switches and wireless controllers. Click the Wired or Wireless Network Diagram links to display sample network topologies that illustrate the required configuration details.

Review and Confirm Your Choices Page in Setup Assistant

Review Your Selection

You can verify your responses to each of the questions.

Network Device Configuration

Configuration details for each configured switch and WLC display separately. Cisco ISE does not automatically update these configurations on the devices. If you want to completely replace the current device configuration, copy and paste the entire configuration. Alternatively, you can just copy the specific sections with the configuration changes you need. You can access the most current copy of the settings after exiting the Setup Assistant by choosing Setup Assistant > View network device configuration.

ISE Configuration

The ISE Configuration tab displays details about each setting, policy, profile, DACL, and network device added to Cisco ISE.

Task Navigators

Task Navigators provide a visual path through the configuration tasks, which span multiple pages. The linear presentation visually outlines the order in which the tasks should be completed and provides direct links to the screens where the tasks are performed. It is purely a visual map that does not retain any information about the tasks as you complete them.

You can choose from the following Task Navigators:

  • Setup—Perform the first part of the Cisco ISE setup process.
  • Profiling—Profile endpoints.
  • Basic User Authorization—Establish basic user authorization.
  • Client Provisioning and Posture—Configure client provisioning and posture.
  • Basic Guest Authorization—Establish basic guest authorization.
  • Advanced User Authorization—Establish user authorization, along with client provisioning and posture.
  • Advanced Guest Authorization—Establish guest authorization, along with client provisioning and posture.
  • Device Registration—Configure users’ devices.

Filtering Data on Listing Pages

Listing pages include tools that enable you to filter and customize the displayed information:

Data Filters in Listing Pages

You can customize and filter the information that displays in the listing pages using the settings and filter icons.

Figure 2-3 Data Filters Example

 

Customizing the Displayed Field Attributes

You can customize the field attributes displayed in the listing pages. The available and default options vary based on the specific listing page.


Step 1 Click the Settings icon and choose Columns.

Step 2 Select the items to add or remove. A checkmark displays next to the selected items.

Step 3 Click Close.


 

Related Topics

Data Filters in Listing Pages

Filtering Data by Field Attributes Using the Quick Filter

The Quick Filter allows you to enter a value for any of the field attributes displayed in the listing page, refreshes the page, and lists only those records that match your filter criteria.


Step 1 Click the Show drop-down list and choose Quick Filter.

Step 2 Enter search criteria in one or more of the attribute fields, and the entries that match the specified attributes display automatically.


 

Related Topics

Data Filters in Listing Pages

Filtering Data by Conditions Using the Advanced Filter

The Advanced Filter allows you to filter information based on specified conditions, such as, First Name = Mike and User Group = Employee. You can specify more than one condition.


Step 1 Click the Show drop-down list and choose Advanced Filter.

Step 2 Specify search the search attributes, such as fields, operators, and values from the Filter menus.

Step 3 Click + to add additional conditions.

Step 4 Click Go to display the entries that match the specified attributes.


 

Related Topics

Data Filters in Listing Pages

Creating Custom Filters

You can create and save custom filters and modify the filter criteria in preset filters. Custom filters are not saved in the Cisco ISE database. You can only access them using the same computer and browser used to create them.


Step 1 Click the Show drop-down list and choose Advanced Filter.

Step 2 Specify the search attributes, such as fields, operators, and values from the Filter menus.

Step 3 Click + to add additional conditions.

Step 4 Click Go to display the entries that match the specified attributes.

Step 5 Click the Save icon to save the filter.

Step 6 Enter a name and click Save. The filter now appears in the Show drop-down list.


 

Related Topics

Cisco ISE Internationalization and Localization

Cisco ISE internationalization adapts the user interface for supported languages. Localization of the user interface incorporates locale-specific components and translated text.

In Cisco ISE, internalization and localization support focuses on support for non-English text in UTF-8 encoding to the end-user facing portals and on selective fields in the Admin portal.

This section contains the following topics:

Supported Languages

Cisco ISE, provides localization and internalization support for the following languages and browser locales:

 

Language
Browser Locale

Chinese traditional

zh-tw

Chinese simplified

zh-cn

Czech

cs-cz

Dutch

nl-nl

English

en

French

fr-fr

German

de-de

Hungarian

hu-hu

Italian

it-it

Japanese

ja-jp

Korean

ko-kr

Polish

pl-pl

Portuguese (Brazil)

pt-br

Russian

ru-ru

Spanish

es-es

End-User Web Portal Localization

The Guest, Sponsor, My Devices, and Client Provisioning portals are localized into all supported languages and locales. This includes text, labels, messages, field names, and button labels. If the client browser requests a locale that is not mapped to a template in Cisco ISE, the portals display content using the English template.

Using the Admin portal, you can modify the fields used for the Guest, Sponsor, and My Devices portals for each language individually, and you can add additional languages. Currently, you cannot customize these fields for the Client Provisioning portal.

You can further customize the Guest portal by uploading HTML pages to Cisco ISE. When you upload customized pages, you are responsible for the appropriate localization support for your deployment. Cisco ISE provides a localization support example with sample HTML pages, which you can use as a guide. Cisco ISE provides the ability to upload, store, and render custom internationalized HTML pages.


Note NAC and MAC agent installers and WebAgent pages are not localized.


Related Topics

Support for UTF-8 Character Data Entry

Cisco ISE fields that are exposed to the end user (through the Cisco NAC agent, or supplicants, or through the Sponsor, Guest, My Devices, and Client Provisioning portals) support UTF-8 character sets for all languages. UTF-8 is a multibyte-character encoding for the unicode character set, which includes many different language character sets, such as Hebrew, Sanskrit, and Arabic.

Character values are stored in UTF-8 in the administration configuration database, and the UTF-8 characters display correctly in reports and user interface components.

Related Topics

UTF-8 Character Support in the Portals.

UTF-8 Credential Authentication

Network access authentication supports UTF-8 username and password credentials. This includes RADIUS, EAP, RADIUS proxy, RADIUS token, and web authentication from the Guest and Administrative portal login authentications. UTF-8 support for user name and password applies to authentication against the local identity store as well as external identity stores.

UTF-8 authentication depends on the client supplicant that is used for network login. Some Windows native supplicants do not support UTF-8 credentials. If you are experiencing difficulties with a Windows native supplicant, the following Windows hotfixes may be helpful:


Note RSA does not support UTF-8 users, hence UTF-8 authentication with RSA is not supported. Likewise, RSA servers, which are compatible with Cisco ISE 1.2, do not support UTF-8.


UTF-8 Policies and Posture Assessment

Policy rules in Cisco ISE that are conditioned on attribute values may include UTF-8 text. Rule evaluation supports UTF-8 attribute values. In addition, you can configure conditions with UTF-8 values through the Administrative portal.

Posture requirements can be modified as File, Application, and Service conditions based on a UTF-8 character set. This includes sending UTF-8 requirement values to the NAC agent. The NAC agent then assesses the endpoint accordingly, and reports UTF-8 values, when applicable.

Cisco NAC and MAC Agent UTF-8 Support

The Cisco NAC agent supports internationalization of text, messages, and any UTF-8 data that is exchanged with Cisco ISE. This includes requirement messages, requirement names, and file and process names that are used in conditions.

The following limitations apply:

  • UTF-8 support applies to Windows-based NAC agents only.
  • Cisco NAC and MAC agent interfaces currently do not support localization.
  • WebAgent does not support UTF-8 based rules and requirements.
  • If an acceptable use policy (AUP) is configured, the policy pages are provided on the client side, based on the browser locale and the set of languages that are specified in the configuration. You are responsible for providing a localized AUP bundle or site URL.

UTF-8 Support for Messages Sent to Supplicant

RSA prompts and messages are forwarded to the supplicant using a RADIUS attribute REPLY-MESSAGE, or within EAP data. If the text contains UTF-8 data, it is displayed by the supplicant, based on the client’s local operating system language support. Some Windows-native supplicants do not support UTF-8 credentials.

Cisco ISE prompts and messages may not be in sync with the locale of the client operating system on which the supplicant is running. You must align the end-user supplicant locale with the languages that are supported by Cisco ISE.

Reports and Alerts UTF-8 Support

Monitoring and troubleshooting reports and alerts support UTF-8 values for relevant attributes, for Cisco ISE supported languages, in the following ways:

  • Viewing live authentications
  • Viewing detailed pages of report records
  • Exporting and saving reports
  • Viewing the Cisco ISE dashboard
  • Viewing alert information
  • Viewing tcpdump data

UTF-8 Character Support in the Portals

Many more character sets are supported in Cisco ISE fields (UTF-8) than are currently supported for localizations in portals and end-user messages. For example, Cisco ISE does not support right-to-left languages, such as Hebrew or Arabic, even though the character sets themselves are supported.

The following table lists the fields in the Admin and end-user portals that support UTF-8 characters for data entry and viewing, with the following limitations:

  • Cisco ISE does not support administrator passwords with UTF-8 characters.
  • Cisco ISE does not support UTF-8 characters in certificates.

 

Table 2-1 Admin Portal UTF-8 Character Fields

Admin Portal Element
UTF-8 Fields

Network access user configuration

  • User name
  • First name
  • Last name
  • e-mail

User list

  • All filter fields
  • Values shown on the User List page
  • Values shown on the left navigation quick view

User password policy

  • Advanced > Password may not contain characters

Some languages do not have uppercase or lower case alphabets. If your user password policy requires the user to enter a password with uppercase or lowercase characters, and if the user’s language does not support these characters, the user cannot set a password. For the user password field to support UTF-8 characters, in the user password policy page (Administration > Identity Management > Settings > User Password Policy), you must uncheck the following options:

  • Lowercase alphabetic characters
  • Uppercase alphabetic characters

Administrator list

  • All filter fields
  • Values shown on the Administrator List page
  • Values shown on the left navigation quick view

Admin login page

  • User name

RSA

  • Messages
  • Prompts

RADIUS token

  • Authentication tab > Prompt

Posture Requirement

  • Name
  • Remediation action > Message shown to Agent User
  • Requirement list display

Posture conditions

  • File condition > File path
  • Application condition > Process name
  • Service condition > Service name
  • Conditions list display

Guest and My Devices settings

  • Sponsor > Language Template: all supported languages, all fields
  • Guest > Language Template: all supported languages, all fields
  • My Devices >Language Template: all supported languages, all fields

System settings

  • SMTP Server > Default e-mail address

Operations > Alarms > Rule

  • Criteria > User
  • Notification > e-mail Notification user list

Operations > Reports

  • Operations > Live Authentications > Filter fields
  • Operations > Reports > Catalog > Report filter fields

Operations > Troubleshoot

  • General Tools > RADIUS Authentication Troubleshooting > Username

Policies

  • Authentication > value for the av expression within policy conditions
  • Authorization / posture / client provisioning > other conditions > value for the av expression within policy conditions

Attribute value in policy library conditions

  • Authentication > simple condition / compound condition > value for the av expression
  • Authentication > simple condition list display
  • Authentication > simple condition list > left navigation quick view display
  • Authorization > simple condition / compound condition > value for the av expression
  • Authorization > simple condition list > left navigation quick view display
  • Posture > Dictionary simple condition / Dictionary compound condition > value for the av expression
  • Guest > simple condition / compound condition > value for the av expression

UTF-8 Support Outside the User Interface

This section contains the areas outside the Cisco ISE user interface that provide UTF-8 support.

Debug Log and CLI-Related UTF-8 Support

Attribute values and posture condition details appear in some debug logs; therefore, all debug logs accept UTF-8 values. You can download debug logs containing raw UTF-8 data that can be viewed with a UTF-8 supported viewer.

ACS Migration UTF-8 Support

Cisco ISE, allows for the migration of ACS UTF-8 configuration objects and values. Migration of some UTF-8 objects may not be supported by Cisco ISE UTF-8 languages, which might render some of the UTF-8 data that is provided during migration as unreadable using Administrative portal or report methods. You must convert unreadable UTF-8 values (that are migrated from ACS) into ASCII text.

Related Topics

Cisco Identity Services Engine, Release 1.2 Migration Tool Guide.

Support for Importing and Exporting UTF-8 Values

The Admin and Sponsor portals support plain text and.csv files with UTF-8 values to be used when importing user account details. Exported files are provided as csv files.

UTF-8 Support on REST

UTF-8 values are supported on external REST communication. This applies to configurable items that have UTF-8 support in the Cisco ISE user interface, with the exception of admin authentication. Admin authentication on REST requires ASCII text credentials for login.

Related Topics

Cisco Identity Services Engine API Reference Guide, Release 1.2.

UTF-8 Support for Identity Stores Authorization Data

Cisco ISE allows Active Directory and LDAP to use UTF- 8 data in authorization policies for policy processing.

Admin Features Limited by Role-Based Access Control Policies

Cisco ISE provides role-based access control (RBAC) policies that ensure security by restricting administrative privileges. RBAC policies are associated with default admin groups to define roles and permissions. A standard set of permissions (for menu as well as data access) is paired with each of the predefined admin groups, and is thereby aligned with the associated role and job function.

Some features in the user interface require certain permissions for their use. If a feature is unavailable, or you are not allowed to perform a specific task, your admin group may not have the necessary permissions to perform the task that utilizes the feature.

Regardless of the level of access, any administrator account can modify or delete objects for which it has permission, on any page that it can access. Read-only functionality is unavailable for any administrative access.

Related Topics

Chapter 7, “Managing Administrators and Admin Access Policies”