Overview of Cisco ISE

Introduction to Cisco ISE

Cisco Identity Services Engine (ISE) is an identity-based network access control and policy enforcement system. It functions as a common policy engine that enables endpoint access control and network device administration for enterprises.

You can leverage Cisco ISE to ensure compliance, enhance infrastructure security, and streamline service operations.

A Cisco ISE administrator can gather real-time contextual data for a network, including users and user groups (who?), device type (what?), access time (when?), access location (where?), access type (wired, wireless, or VPN) (how?), and network threats and vulnerabilities.

As a Cisco ISE administrator, you can use this information to make network governance decisions. You can also tie identity data to various network elements to create policies that govern network access and usage.

Cisco ISE Features

Cisco ISE software must be installed as is. You cannot install any other third-party applications at the underlying operating system level.

Cisco ISE empowers you with the following capabilities:

  • Device Administration: Cisco ISE uses the TACACS+ security protocol to control and audit the configuration of network devices. It facilitates granular control of who can access which network device and change the associated network settings. Network devices can be configured to query Cisco ISE for authentication and authorization of device administrator actions. These devices also send accounting messages to Cisco ISE to log such actions.

  • Guest and Secure Wireless: Cisco ISE enables you to provide secure network access to visitors, contractors, consultants, and customers. You can use web-based and mobile portals to on-board guests to your company’s network and internal resources. You can define access privileges for different types of guests, and assign sponsors to create and manage guest accounts.

  • Bring Your Own Device (BYOD): Cisco ISE allows your employees and guests to securely use their personal devices on your enterprise network. With the BYOD feature, end users can use configured pathways to add their devices and be provisioned with predefined authentication methods and levels of network access.

  • Asset Visibility: Cisco ISE gives you visibility and control over who and what is on your network consistently, across wireless, wired, and VPN connections. Cisco ISE uses probes and device sensors to listen to the way devices connect to the network. The Cisco ISE profile database, which is extensive, then classifies the device. This gives the visibility and context you need to grant the right level of network access.

  • Secure Access: Cisco ISE uses a wide range of authentication protocols to provide network devices and endpoints with a secure network access. These include, but are not limited to, 802.1X, RADIUS, MAB, web-based, EasyConnect, and external agent-enabled authentication methods.

  • Segmentation: Cisco ISE uses contextual data about network devices and endpoints to facilitate network segmentation. Security group tags, access control lists, network access protocols, and policy sets that define authorization, access, and authentication, are some ways in which Cisco ISE enables secure network segmentation.

  • Posture or Compliance: Cisco ISE allows you to check for compliance, also known as posture, of endpoints, before allowing them to connect to your network. You can ensure that endpoints receive the appropriate posture agents for posturing services.

  • Threat Containment: If Cisco ISE detects threat or vulnerability attributes from an endpoint, adaptive network control policies are sent to dynamically change the access levels of the endpoint. After the threat or vulnerability is evaluated and addressed, the endpoint is given back its original access policy.

  • Security Ecosystem Integrations: The pxGrid feature allows Cisco ISE to securely share context-sensitive information, policy and configuration data, and so on, with connected network devices, third-party vendors, or Cisco partner systems.

Cisco ISE Administrators

Administrators can use the admin portal to:

  • Manage deployments, help desk operations, network devices, and node monitoring and troubleshooting.

  • Manage Cisco ISE services, policies, administrator accounts, and system configuration and operations.

  • Change administrator and user passwords.

A CLI administrator can start and stop the Cisco ISE application, apply software patches and upgrades, reload or shut down the Cisco ISE appliance, and view all the system and application logs. Because of the special privileges that are granted to a CLI administrator, we recommend that you protect the CLI administrator credentials and create web-based administrators for configuring and managing Cisco ISE deployments.

The username and password that you configure during setup are intended only for administrative access to the CLI. This role is considered to be the CLI admin user, also known as the CLI administrator. By default, the username for a CLI admin user is admin, and the password is defined during setup. There is no default password. This CLI admin user is the default admin user, and this user account cannot be deleted. However, other administrators can edit it, including options to enable or disable the account or change its password.

You can either create an administrator, or promote an existing user to an administrator role. Administrators can also be demoted to simple network user status by disabling the corresponding administrative privileges.

Administrators are users who have local privileges to configure and operate the Cisco ISE system.

Administrators are assigned to one or more admin groups.


Note


From Cisco ISE Release 2.7, use alphanumeric values while creating user accounts in Cisco ISE.


Force CLI Administrator to Use External Identity Store

Authentication with an external identity source is more secure than using the internal database.

Define a User’s Attributes in the Active Directory User Directory

Using the Windows server running Active Directory, modify the attributes for each user that you plan to configure as a CLI Administrator.

  1. From the Server Manager window, choose Server Manager > Roles > Active Directory Domain Services > Active Directory Users and Computers > [ ad.adserver ] <ad_server>.local.

  2. Enable Advanced Features under the View menu so that you can edit a user’s attributes.

  3. Navigate to the Active Directory group that contains a list of all the admin users and select a user.

  4. Double-click the corresponding user ID.

    The Properties window is displayed.

  5. Click the Attribute Editor.

  6. Click any attribute and start entering gid to locate the gidNumber. If you don't find the gidNumber attribute, click the Filter button and uncheck the Show only attributes that have values check box.

  7. Double-click an attribute name to edit each attribute. For each user:

    • Assign a uidNumber greater than 60000, and make sure that the number is unique. Do not change the uidNumber after assignment.

    • Assign gidNumber as 110 or 111: 110 denotes an admin user, and 111 denotes a read-only user. If you modify the gidNumber, wait for at least five minutes before making an SSH connection.
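The attribute rules above (a unique uidNumber greater than 60000 that never changes once assigned, and a gidNumber of 110 for admin or 111 for read-only) are easy to get wrong when several CLI administrators are set up at once. The following added example, which is not Cisco's code, plans those attributes for a batch of users, validates them, and emits the change as standard LDIF that a tool such as ldifde can apply. The distinguished names and account names are constructed for illustration, and nothing in the script contacts a directory.

```python
"""Plan, validate, and emit (as LDIF) the POSIX attributes that Cisco ISE expects
on Active Directory users who will be CLI administrators.

Added example, not Cisco's code. DNs and account names are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

ADMIN_GID = 110            # gidNumber for a CLI admin user (from the procedure)
READ_ONLY_GID = 111        # gidNumber for a read-only CLI user
MAX_RESERVED_UID = 60000   # uidNumber must be greater than this value


@dataclass
class CliAdmin:
    dn: str                     # constructed DN of the AD user object
    name: str                   # account name, used in messages only
    gid: int                    # 110 (admin) or 111 (read-only)
    uid: Optional[int] = None   # None means "not yet assigned"


def validate(admins: Iterable[CliAdmin]) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    problems: List[str] = []
    owner: Dict[int, str] = {}
    for a in admins:
        if a.gid not in (ADMIN_GID, READ_ONLY_GID):
            problems.append(f"{a.name}: gidNumber {a.gid} is neither {ADMIN_GID} nor {READ_ONLY_GID}")
        if a.uid is None:
            continue
        if a.uid <= MAX_RESERVED_UID:
            problems.append(f"{a.name}: uidNumber {a.uid} is not greater than {MAX_RESERVED_UID}")
        if a.uid in owner:
            problems.append(f"{a.name}: uidNumber {a.uid} is already used by {owner[a.uid]}")
        else:
            owner[a.uid] = a.name
    return problems


def allocate_uids(admins: List[CliAdmin], already_in_use: Iterable[int] = ()) -> List[CliAdmin]:
    """Fill in missing uidNumbers with unique values above 60000.

    uidNumbers that are already assigned are left untouched, because the
    procedure says not to change a uidNumber after assignment."""
    used = set(already_in_use) | {a.uid for a in admins if a.uid is not None}
    candidate = MAX_RESERVED_UID + 1
    for a in admins:
        if a.uid is None:
            while candidate in used:
                candidate += 1
            a.uid = candidate
            used.add(candidate)
    return admins


def to_ldif(admins: Iterable[CliAdmin]) -> str:
    """Emit one LDIF 'modify' record per user that replaces uidNumber and gidNumber.
    Remember the five-minute wait after a gidNumber change before trying SSH."""
    out: List[str] = []
    for a in admins:
        out += [f"dn: {a.dn}", "changetype: modify",
                "replace: uidNumber", f"uidNumber: {a.uid}", "-",
                "replace: gidNumber", f"gidNumber: {a.gid}", "-", ""]
    return "\n".join(out)


def plan_example() -> List[CliAdmin]:
    """Constructed plan: one admin that already has a uid, one new admin, one read-only user.
    60001 and 60002 are pretended to be in use elsewhere in the directory."""
    admins = [
        CliAdmin("CN=alice,OU=ISE Admins,DC=example,DC=local", "alice", ADMIN_GID, uid=60005),
        CliAdmin("CN=bob,OU=ISE Admins,DC=example,DC=local", "bob", ADMIN_GID),
        CliAdmin("CN=carol,OU=ISE Admins,DC=example,DC=local", "carol", READ_ONLY_GID),
    ]
    return allocate_uids(admins, already_in_use=[60001, 60002])


if __name__ == "__main__":
    plan = plan_example()
    for problem in validate(plan):
        print("PROBLEM:", problem)
    print(to_ldif(plan))
```

Run `validate` over the plan before applying the LDIF: a duplicate or too-low uidNumber is reported by name rather than discovered later as a failed CLI login.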

Join the Admin CLI User to the Active Directory Domain

Connect to the Cisco ISE CLI, run the identity-store command, and assign the Admin user to the ID store. For example, to map the CLI admin user to the Active Directory defined in ISE as adpool1, run the identity-store active-directory domain-name adpool1 user admincliuser command.

After the join is complete, connect to the Cisco ISE CLI and log in as the Admin CLI user to verify your configuration.

If the domain you use in this command was previously joined to the ISE node, you must rejoin the domain in the Administrators console.

  1. In the Cisco ISE GUI, click the Menu icon and choose Administration > Identity Management > External Identity Sources.

  2. In the left-hand pane, click Active Directory and select your Active Directory name.


    Note


    If you test the connection with the test user using either MS-RPC or Kerberos, the status for your Active Directory connection might show Operational, but error messages are displayed.


  3. Verify that you can still log in to the Cisco ISE CLI as the Admin CLI user.

Create a New Administrator

Cisco ISE administrators need accounts with specific roles assigned to them in order to perform specific administrative tasks. You can create multiple administrator accounts and assign one or more roles to these admins based on the administrative tasks that these admins have to perform.

Use the Admin Users window to view, create, modify, delete, change the status, duplicate, or search for attributes of Cisco ISE administrators.


Note


We recommend that you configure Active Directory access in the CLI before you join it in the GUI if the admin user's domain is the same in both the CLI and the GUI. Otherwise, you must rejoin the domain from the GUI to avoid authentication failures to that domain.

Procedure


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Admin Access > Administrators > Admin Users > Add.

Step 2

From the Add drop-down list, choose one of the following options:

  • Create an Admin User

    If you choose Create an Admin User, a New Administrator window appears, from where you can configure account information for the new admin user.

  • Select from Network Access Users

    If you choose Select from Network Access Users, a list of current users appears, from which you can choose a user. Subsequently, the Admin User window corresponding to this user appears.

Step 3

Enter values in the fields. The characters supported for the Name field are # $ ’ ( ) * + - . / @ _.

The admin user name must be unique. If you have entered an existing user name, an error pop-up window displays the following message:

User can't be created. A User with that name already exists.

Step 4

Click Submit to create a new administrator in the Cisco ISE internal database.


Cisco ISE Administrator Groups

Administrator groups are role-based access control (RBAC) groups in Cisco ISE. All the administrators who belong to the same group share a common identity and have the same privileges. An administrator’s identity as a member of a specific administrative group can be used as a condition in authorization policies. An administrator can belong to more than one administrator group.

Cisco ISE supports multiple external identity stores for enhanced user access management by admins.

An administrator account with any level of access can be used to modify or delete the objects for which it has permission, on any window it has access to.

The Cisco ISE security model limits administrators to creating administrative groups that contain the same set of privileges that the administrator has. The privileges given are based on the administrative role of the user, as defined in the Cisco ISE database. Thus, administrative groups form the basis for defining privileges to access the Cisco ISE systems.

The following table lists the admin groups that are predefined in Cisco ISE, and the tasks that members from these groups can perform.

Table 1. Cisco ISE Admin Groups, Access Levels, Permissions, and Restrictions

Each entry lists the admin group role, its access level, its permissions, and its restrictions.

Customization Admin

  Access Level: Manage sponsor, guest, and personal device portals.

  Permissions:

    • Configure guest and sponsor access.

    • Manage guest access settings.

    • Customize end-user web portals.

  Restrictions:

    • Cannot perform any policy management, identity management, or system-level configuration tasks in Cisco ISE.

    • Cannot view any reports.

Helpdesk Admin

  Access Level: Query monitoring and troubleshooting operations.

  Permissions:

    • Run all reports.

    • Run all troubleshooting flows.

    • View the Cisco ISE dashboard and live logs.

    • View alarms.

  Restrictions: Cannot create, update, or delete reports, troubleshooting flows, live authentications, or alarms.

Identity Admin

  Access Level:

    • Manage user accounts and endpoints.

    • Manage identity sources.

  Permissions:

    • Add, edit, and delete user accounts and endpoints.

    • Add, edit, and delete identity sources.

    • Add, edit, and delete identity source sequences.

    • Configure general settings for user accounts (attributes and password policy).

    • View the Cisco ISE dashboard, live logs, alarms, and reports.

    • Run all troubleshooting flows.

  Restrictions: Cannot perform any policy management or system-level configuration tasks in Cisco ISE.

MnT Admin

  Access Level: Perform all the monitoring and troubleshooting operations.

  Permissions:

    • Manage all the reports (run, create, and delete).

    • Run all the troubleshooting flows.

    • View the Cisco ISE dashboard and live logs.

    • Manage alarms (create, update, view, and delete).

  Restrictions: Cannot perform any policy management, identity management, or system-level configuration tasks in Cisco ISE.

Network Device Admin

  Access Level: Manage Cisco ISE network devices and the network device repository.

  Permissions:

    • Read and write permissions on network devices.

    • Read and write permissions on Network Device Groups and all network resource object types.

    • View the Cisco ISE dashboard, live logs, alarms, and reports.

    • Run all the troubleshooting flows.

  Restrictions: Cannot perform any policy management, identity management, or system-level configuration tasks in Cisco ISE.

Policy Admin

  Access Level: Create and manage policies for all the Cisco ISE services across the network, which are related to authentication, authorization, posture, profiler, client provisioning, and work centers.

  Permissions:

    • Read and write permissions on all the elements that are used in policies, such as authorization profiles, Network Device Groups (NDGs), and conditions.

    • Read and write permissions on identities, endpoints, and identity groups (user identity groups and endpoint identity groups).

    • Read and write permissions on services policies and settings.

    • View the Cisco ISE dashboard, live logs, alarms, and reports.

    • Run all the troubleshooting flows.

    • Device Administration: Access to device administration work centers. Permission for TACACS policy conditions and results. Network device permissions for TACACS proxy and proxy sequences.

  Restrictions:

    • Cannot perform any identity management or system-level configuration tasks in Cisco ISE.

    • Device Administration: Access to the work center does not guarantee access to the subordinate links.

RBAC Admin

  Access Level: All the tasks under the Operations menu, except for Adaptive Network Control, and partial access to some menu items under Administration.

  Permissions:

    • View the authentication details.

    • Enable or disable Adaptive Network Control.

    • Create, edit, and delete alarms; generate and view reports; and use Cisco ISE to troubleshoot problems in your network.

    • Read permissions on administrator account settings and admin group settings.

    • View permissions on admin access and data access permissions in the RBAC Policy window.

    • View the Cisco ISE dashboard, live logs, alarms, and reports.

    • Run all the troubleshooting flows.

  Restrictions: Cannot perform any identity management or system-level configuration tasks in Cisco ISE.

Read-Only Admin

  Access Level: Read-only access to the ISE GUI.

  Permissions:

    • View and use the functions of the dashboard, reports, and live logs or sessions, such as filtering data, querying, saving options, printing, and exporting data.

    • Change passwords of their own accounts.

    • Query ISE using global search, reports, and live logs or sessions.

    • Filter and save data based on the attributes.

    • Export data pertaining to authentication policies, profile policies, users, endpoints, network devices, network device groups, identities (including groups), and other configurations.

    • Customize report queries, save, print, and export them.

    • Generate custom report queries, save, print, or export the results.

    • Save GUI settings for future reference.

    • Download logs, such as ise-psc-log from the Operations > Troubleshoot > Download Logs window.

  Restrictions: Cannot:

    • Perform any configuration changes such as create, update, delete, import, quarantine, and Mobile Device Management (MDM) actions of objects, such as authorization policies, authentication policies, posture policies, profiler policies, endpoints, and users.

    • Perform system operations, such as backup and restore, registration or deregistration of nodes, synchronization of nodes, creating, editing, and deleting node groups, or upgrade and installation of patches.

    • Import data pertaining to policies, network devices, network device groups, identities (including groups), and other configurations.

    • Perform operations, such as CoA, endpoint debugging, modifying collection filters, bypassing suppression on live sessions data, modifying the PAN-HA failover settings, and editing the personas or services of Cisco ISE nodes.

    • Run commands that might have a heavy impact on performance. For example, access to the TCP Dump in the Operations > Troubleshoot > Diagnostic Tools > General Tools window is restricted.

    • Generate support bundles.

Super Admin

  Access Level: All Cisco ISE administrative functions. The default administrator account belongs to this group.

  Permissions:

    Create, read, update, delete, and eXecute (CRUDX) permissions on all Cisco ISE resources.

    A super admin can modify the credentials of any Cisco ISE local user at any time.

    Note

    The super admin user cannot modify the default system-generated RBAC policies and permissions. To do this, you must create new RBAC policies with the necessary permissions based on your needs, and map these policies to an admin group.

    Device Administration: Access to device administration work centers. Permission for TACACS policy conditions and results. Network device permissions for TACACS proxy and proxy sequences. In addition, permission to enable TACACS global protocol settings.

  Restrictions:

    • Device Administration: Access to the work center does not guarantee access to the subordinate links.

    • Only an admin user from the default Super Admin Group can modify or delete other admin users. Even an externally mapped user who is part of an Admin Group cloned with the Menu and Data Access privileges of the Super Admin Group cannot modify or delete an admin user.

System Admin

  Access Level: All Cisco ISE configuration and maintenance tasks.

  Permissions: Full access (read and write permissions) to perform all the activities under the Operations tab and partial access to some menu items under the Administration tab:

    • Read permissions on administrator account settings and administrator group settings.

    • Read permissions on admin access and data access permissions along with the RBAC policy window.

    • Read and write permissions for all options under Administration > System.

    • View authentication details.

    • Enable or disable Adaptive Network Control.

    • Create, edit, and delete alarms; generate and view reports; and use Cisco ISE to troubleshoot problems in your network.

    • Device Administration: Permission to enable TACACS global protocol settings.

  Restrictions: Cannot perform any policy management or system-level configuration tasks in Cisco ISE.

Elevated System Admin (available in Cisco ISE Release 2.6, Patch 2 and later)

  Access Level: All Cisco ISE configuration and maintenance tasks.

  Permissions: In addition to all the privileges of the System Admin, an Elevated System Admin can create Admin users.

  Restrictions:

    • Cannot create or delete Super Admin users.

    • Cannot manage the Super Admin groups.

External RESTful Services (ERS) Admin

  Access Level: Full access to all the ERS API requests such as GET, POST, DELETE, PUT.

  Permissions:

    • Create, read, update, and delete ERS API requests.

  Restrictions: The role is meant only for ERS authorization supporting internal users, identity groups, endpoints, endpoint groups, and SGT.

External RESTful Services (ERS) Operator

  Access Level: Read-only access to ERS API, only GET.

  Permissions:

    • Can only read ERS API requests.

  Restrictions: The role is meant only for ERS authorization supporting internal users, identity groups, endpoints, endpoint groups, and SGT.

TACACS+ Admin

  Access Level: Full access.

  Permissions: Access to:

    • Device Administration Work Center.

    • Deployment: To enable TACACS+ services.

    • External ID stores.

    • Operations > TACACS Live Logs window.

  Restrictions: None listed.

Create an Admin Group

The Admin Groups window allows you to view, create, modify, delete, duplicate, or filter Cisco ISE network admin groups.

Before you begin

To configure an external administrator group type, you must have already specified one or more external identity stores.

Procedure


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Admin Access > Administrators > Admin Groups.

Step 2

Click Add, and enter a name and description.

The supported special characters for the Name field are: space, # $ & ‘ ( ) * + - . / @ _ .

Step 3

Check the corresponding check box to specify the Type of administrator group you are configuring:

  • Internal: Administrators assigned to this group type authenticate against the credentials that are stored in the Cisco ISE internal database.

  • External: Administrators assigned to this group authenticate against the credentials stored in the external identity store that you select in the Administration > System > Admin Access > Authentication > Authentication Method window. You can specify the external groups, if required.

Note

 

If an internal user is configured with an external identity store for authentication, while logging in to the ISE Admin portal, the internal user must select the external identity store as the Identity Source. Authentication will fail if Internal Identity Source is selected.

Step 4

Click Add in the Member Users area to add users to this admin group. To delete users from the admin group, check the check box corresponding to the user that you want to delete, and click Remove.

Step 5

Click Submit.


Administrative Access to Cisco ISE

Cisco ISE administrators can perform various administrative tasks based on the administrative group to which they belong. These administrative tasks are critical. Grant administrative access only to users who are authorized to administer Cisco ISE in your network.


Note


When a Cisco ISE server is added to a network, it is marked to be in Running state after its web interface comes up. However, it might take some more time for all the services to be fully operational because some advanced services, such as posture services, might take longer to be available.


Administrative Access Methods

You can connect to the Cisco ISE servers in several ways. The policy administration node (PAN) runs the Administrators portal. An admin password is required to log in. Other ISE persona servers are accessible through SSH or the console, from where you run the CLI. This section describes the process and password options available for each connection type:

  • Admin password: The Cisco ISE Admin user that you created during installation times out in 45 days by default. You can prevent that by turning off Password Lifetime from Administration > System > Admin Settings. Click the Password Policy tab, and uncheck the Administrative passwords expire check box under Password Lifetime.

    If you do not do this, and the password expires, you can reset the admin password in the CLI by running the application reset-passwd command. You can reset the admin password by connecting to the console to access the CLI, or by rebooting the ISE image file to access the boot options menu.

  • CLI password: You must enter a CLI password during installation. If you have a problem logging in to the CLI because of an invalid password, you can reset the CLI password. Connect to the console and run the password CLI command to reset the password. See the Cisco Identity Services Engine CLI Reference Guide for more information.

  • SSH access to the CLI: You can enable SSH access either during installation or after, using the service sshd command. You can also force SSH connections to use a key. Note that when you do this, SSH connections to all the network devices also use that key. For more information, see the SSH Key Validation section in Cisco ISE Admin Guide: Segmentation. You can force the SSH key to use the Diffie-Hellman algorithm. Note that ECDSA keys are not supported for SSH keys.

Role-Based Admin Access Control in Cisco ISE

Cisco ISE provides role-based access control (RBAC) policies that ensure security by restricting administrative privileges. RBAC policies are associated with default admin groups to define roles and permissions. A standard set of permissions (for menu as well as data access) is paired with each of the predefined admin groups, and is thereby aligned with the associated role and job function.

Some features in the user interface require certain permissions for their use. If a feature is unavailable, or you are not allowed to perform a specific task, your admin group may not have the necessary permissions to perform the task that utilizes the feature.

Regardless of the level of access, any administrator account can modify or delete objects for which it has permission, on any window that it can access.


Note


Only system-defined admin users with Super Admin or Read Only Admin permissions can see the identity-based users who are not a part of a user group. Admins you create without these permissions cannot see these users.


Role-Based Permissions

Cisco ISE allows you to configure permissions at the menu and data levels. These are called menu access and data access permissions.

The menu access permissions allow you to show or hide the menu and submenu items of the Cisco ISE administrative interface. This feature lets you create permissions so that you can restrict or enable access at the menu level.

The data access permissions allow you to grant read and write, read only, or no access to the Admin Groups, User Identity Groups, Endpoint Identity Groups, Locations, and Device Types data in the Cisco ISE interface.

RBAC Policies

RBAC policies determine if an administrator can be granted a specific type of access to a menu item or other identity group data elements. You can grant or deny access to a menu item or identity group data element to an administrator based on the admin group, by using RBAC policies. When administrators log in to the Admin portal, they can access menus and data that are based on the policies and permissions defined for the admin groups with which they are associated.

RBAC policies map admin groups to menu access and data access permissions. For example, you can prevent a network administrator from viewing the Admin Access operations menu and the policy data elements. This can be achieved by creating a custom RBAC policy for the admin group with which that network administrator is associated.


Note


If you are using customized RBAC policies for admin access, ensure that you provide all the relevant menu access for a given data access. For example, to add or delete endpoints with data access of Identity or Policy Admin, you must provide menu access to Work Center > Network Access and Administration > Identity Management.
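The way RBAC policies, menu access permissions, and data access permissions fit together, and the pitfall the note describes, can be checked mechanically. The following added example, which is not Cisco's code, models an admin's effective access as the combination of every policy that applies to the admin groups it belongs to, and reports which menus are still missing before endpoint add or delete can work. The admin group names, menu paths, and the five data elements are the ones this guide names; the permission sets and the policy table are constructed for illustration, and treating membership in several groups as additive is an assumption of this model.

```python
"""Model of how Cisco ISE RBAC policies join admin groups to menu access and
data access permissions, with a check for the pitfall in the note above.

Added example, not Cisco's code. Permission sets and policies are constructed;
additive combination across groups is an assumption of this model."""
from typing import Dict, Iterable, List, Set, Tuple

# Data access levels, ordered so that max() picks the strongest grant.
NO_ACCESS, READ_ONLY, READ_WRITE = 0, 1, 2

# The data elements that data access permissions cover (from this guide).
DATA_ELEMENTS = ("Admin Groups", "User Identity Groups", "Endpoint Identity Groups",
                 "Locations", "Device Types")

# Menus an admin must see to add or delete endpoints (from the note in this guide).
ENDPOINT_MENUS = {"Work Center > Network Access", "Administration > Identity Management"}

# Constructed menu access permissions: permission name -> visible menu paths.
MENU_ACCESS: Dict[str, Set[str]] = {
    "All Menus": {"Home > Dashboard", "Operations > Reports", "Policy > Policy Sets",
                  "Administration > System", *ENDPOINT_MENUS},
    "Identity Menus": {"Home > Dashboard", "Operations > Reports", *ENDPOINT_MENUS},
    # A custom permission that forgot Work Center > Network Access.
    "Identity Menus (incomplete)": {"Home > Dashboard", "Administration > Identity Management"},
    "Helpdesk Menus": {"Home > Dashboard", "Operations > Reports"},
}

# Constructed data access permissions: permission name -> data element -> level.
DATA_ACCESS: Dict[str, Dict[str, int]] = {
    "All Data": {e: READ_WRITE for e in DATA_ELEMENTS},
    "Identity Data": {"User Identity Groups": READ_WRITE, "Endpoint Identity Groups": READ_WRITE},
    "Helpdesk Data": {"User Identity Groups": READ_ONLY},
}

# Constructed RBAC policies: admin group -> (menu access, data access) pairs.
POLICIES: Dict[str, List[Tuple[str, str]]] = {
    "Super Admin": [("All Menus", "All Data")],
    "Identity Admin": [("Identity Menus", "Identity Data")],
    "Custom Identity Admin": [("Identity Menus (incomplete)", "Identity Data")],
    "Helpdesk Admin": [("Helpdesk Menus", "Helpdesk Data")],
}


def effective_access(admin_groups: Iterable[str]) -> Tuple[Set[str], Dict[str, int]]:
    """Combine every policy that applies to the admin's groups.

    A menu is visible if any policy shows it; each data element gets the strongest
    level any policy grants (the additive assumption named in the lead-in)."""
    menus: Set[str] = set()
    data = {e: NO_ACCESS for e in DATA_ELEMENTS}
    for group in admin_groups:
        for menu_perm, data_perm in POLICIES.get(group, []):
            menus |= MENU_ACCESS[menu_perm]
            for element, level in DATA_ACCESS[data_perm].items():
                data[element] = max(data[element], level)
    return menus, data


def missing_menus_for_endpoints(admin_groups: Iterable[str]) -> Set[str]:
    """Menus the admin still needs before endpoint add/delete can work."""
    menus, _ = effective_access(admin_groups)
    return ENDPOINT_MENUS - menus


def can_manage_endpoints(admin_groups: Iterable[str]) -> bool:
    """True only when both conditions from the note hold: read-write data access
    to Endpoint Identity Groups and menu access to both endpoint menus."""
    menus, data = effective_access(admin_groups)
    return data["Endpoint Identity Groups"] == READ_WRITE and ENDPOINT_MENUS <= menus


if __name__ == "__main__":
    for groups in (["Identity Admin"], ["Custom Identity Admin"], ["Helpdesk Admin"]):
        print(groups, "can manage endpoints:", can_manage_endpoints(groups),
              "| missing menus:", sorted(missing_menus_for_endpoints(groups)))
```

The "Custom Identity Admin" group is the case the note warns about: its data access to Endpoint Identity Groups is read-write, yet endpoint operations still fail until the menu access permission also includes Work Center > Network Access. When auditing a custom RBAC policy, run the missing-menu check for each data element the policy is meant to unlock rather than trusting the data access grant alone.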


Default Menu Access Permissions

Cisco ISE provides an out-of-the-box set of permissions that are associated with a set of predefined admin groups. Having predefined admin group permissions allows you to set permissions so that a member of any admin group can have full or limited access to the menu items within the administrative interface (known as menu access) and to delegate an admin group to use the data access elements of other admin groups (known as data access). These permissions are reusable entities that can be further used to formulate RBAC policies for various admin groups. Cisco ISE provides a set of system-defined menu access permissions that are already used in the default RBAC policies. Apart from the predefined menu access permissions, Cisco ISE also allows you to create custom menu access permissions that you can use in RBAC policies. The key icon represents menu access privileges for the menus and submenus, and the key with a close icon represents no access for different RBAC groups.


Note


For a Super Admin user, all the menu items are available. For other admin users, all the menu items in the Menu Access Privileges column are available for standalone deployment, and primary node in a distributed deployment. For secondary nodes in a distributed deployment, the menu items under the Administration tab are not available.


Table 2. Default Menu Access Permissions for Different Admin Groups

The table has one column per admin group: Super Admin, Policy Admin, Helpdesk Admin, Identity Admin, Network Admin, System Admin, RBAC Admin, MnT Admin, Customization Admin, and TACACS+ Admin. The menus and submenus it covers are:

  • Home

  • Home > Introduction

  • Home > Dashboard

  • Context Visibility

  • Context Visibility > Endpoints

  • Context Visibility > Users

  • Context Visibility > Network Devices

  • Context Visibility > Application

  • Operations

  • Operations > Adaptive Network Control

  • Operations > Adaptive Network Control > Policy List

  • Operations > Adaptive Network Control > Endpoint Assignment

  • Operations > Reports

  • Operations > RADIUS

  • Operations > RADIUS > Live Logs

  • Operations > RADIUS > Live Sessions

  • Operations > Threat-Centric NAC Live Logs

  • Operations > TACACS

  • Operations > TACACS > Live Logs

  • Operations > Troubleshoot

  • Operations > Troubleshoot > Download Logs

  • Operations > Troubleshoot > Diagnostic Tools

  • Operations > Troubleshoot > Diagnostic Tools > General Tools

  • Operations > Troubleshoot > Diagnostic Tools > General Tools > RADIUS Authentication Troubleshooting

  • Operations > Troubleshoot > Diagnostic Tools > General Tools > Execute Network Device Command

  • Operations > Troubleshoot > Diagnostic Tools > General Tools > Evaluate Configuration Validator

  • Operations > Troubleshoot > Diagnostic Tools > General Tools > Posture Troubleshooting

  • Operations > Troubleshoot > Diagnostic Tools > General Tools > Agentless Posture Troubleshooting

  • Operations > Troubleshoot > Diagnostic Tools > General Tools > EndPoint Debug

  • Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump

  • Operations > Troubleshoot > Diagnostic Tools > General Tools > Session Trace Tests

  • Operations > Troubleshoot > Diagnostic Tools > Security Group Access Tools

  • Operations > Troubleshoot > Diagnostic Tools > Security Group Access Tools > SXP-IP Mappings

  • Operations > Troubleshoot > Diagnostic Tools > Security Group Access Tools > IP User SGT

  • Operations > Troubleshoot > Diagnostic Tools > Security Group Access Tools > Egress (SGACL) Policy

  • Operations > Troubleshoot > Diagnostic Tools > Security Group Access Tools > Device SGT

  • Operations > Troubleshoot > Debug Wizard

  • Operations > Troubleshoot > Debug Wizard > Debug Log Configuration

  • Operations > Troubleshoot > Debug Wizard > Debug Profile Configuration

  • Policy

  • Policy > Policy Sets

  • Policy > Policy Elements

  • Policy > Policy Elements > Dictionaries

  • Policy > Policy Elements > Conditions

  • Policy > Policy Elements > Conditions > Library Conditions

  • Policy > Policy Elements > Conditions > Library Conditions > Simple Conditions

  • Policy > Policy Elements > Conditions > Smart Conditions

  • Policy > Policy Elements > Conditions > Authorization

  • Policy > Policy Elements > Conditions > Authorization > Simple Conditions

  • Policy > Policy Elements > Conditions > Authorization > Compound Conditions

  • Policy > Policy Elements > Conditions > Time and Date

  • Policy > Policy Elements > Conditions > Posture

  • Policy > Policy Elements > Conditions > Posture > Anti-Spyware Conditions

  • Policy > Policy Elements > Conditions > Posture > Application Conditions

  • Policy > Policy Elements > Conditions > Posture > Dictionary Compound Conditions

  • Policy > Policy Elements > Conditions > Posture > Dictionary Simple Conditions

  • Policy > Policy Elements > Conditions > Posture > Disk Encryption Conditions

  • Policy > Policy Elements > Conditions > Posture > External DataSource Conditions

  • Policy > Policy Elements > Conditions > Posture > File Conditions

  • Policy > Policy Elements > Conditions > Posture > Firewall Conditions

  • Policy > Policy Elements > Conditions > Posture > Hardware Attributes Conditions

  • Policy > Policy Elements > Conditions > Posture > Patch Management Conditions

  • Policy > Policy Elements > Conditions > Posture > Registry Conditions

  • Policy > Policy Elements > Conditions > Posture > Service Conditions

  • Policy > Policy Elements > Conditions > Posture > USB Conditions

  • Policy > Policy Elements > Conditions > Posture > Anti-Malware Conditions

  • Policy > Policy Elements > Conditions > Posture > Anti-Virus Conditions

  • Policy > Policy Elements > Conditions > Posture > Compound Conditions

  • Policy > Policy Elements > Conditions > Network Conditions

  • Policy > Policy Elements > Conditions > Network Conditions > Endstation Network Conditions

x

x

x

x

x

x

x

x

Policy > Policy Elements > Conditions > Network Conditions > Device Port Network Conditions

x

x

x

x

x

x

x

x

Policy > Policy Elements > Conditions > Network Conditions > Device Network Conditions

x

x

x

x

x

x

x

x

Policy > Policy Elements > Conditions > Profiling

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Authentication

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Authentication > Allowed Protocols

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Authorization

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Authorization > Authorization Profiles

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Authorization > Downloadable ACLs

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Profiling

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Profiling > Exception Actions

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Profiling > Network Scan (NMAP) Actions

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Posture

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Posture > Requirements

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Posture > Remediation Actions

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Posture > Remediation Actions > Anti-Malware Remediation

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Posture > Remediation Actions > Anti-Virus Remediation

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Posture > Remediation Actions > Firewall Remediation

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Posture > Remediation Actions > Link Remediation

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Posture > Remediation Actions > Script Remediation

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Posture > Remediation Actions > USB Remediation

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Posture > Remediation Actions > Windows Update Remediation

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Posture > Remediation Actions > Application Remediation

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Posture > Remediation Actions > Anti-Spyware Remediation

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Posture > Remediation Actions > File Remediation

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Posture > Remediation Actions > Launch Program Remediation

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Posture > Remediation Actions > Patch Management Remediation

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Posture > Remediation Actions > Windows Server Update Services Remediation

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Client Provisioning

x

x

x

x

x

x

x

x

Policy > Policy Elements > Results > Client Provisioning > Resources

x

x

x

x

x

x

x

x

Policy > Policy Sets

x

x

x

x

x

x

x

x

Policy > Authentication

x

x

x

x

x

x

x

x

Policy > Authorization

x

x

x

x

x

x

x

x

Policy > Profiling

x

x

x

x

x

x

x

x

Policy > Posture

x

x

x

x

x

x

x

x

Policy > Client Provisioning

x

x

x

x

x

x

x

x

Administration

x

x

Administration > Identity Management

x

x

x

x

x

x

Administration > Identity Management > Identities

x

x

x

x

x

x

x

Administration > Identity Management > Identities > Users

x

x

x

x

x

x

x

Administration > Identity Management > Identities > Latest Manual Network Scan Results

x

x

x

x

x

x

x

Administration > Identity Management > Groups

x

x

x

x

x

x

x

Administration > Identity Management > External Identity Sources

x

x

x

x

x

x

Administration > Identity Management > Identity Source Sequences

x

x

x

x

x

x

x

Administration > Identity Management > Settings

x

x

x

x

x

x

x

Administration > Identity Management > Settings > User Custom Attributes

x

x

x

x

x

x

x

Administration > Identity Management > Settings > Endpoint Purge

x

x

x

x

x

x

x

Administration > Identity Management > Settings > User Authentication Settings

x

x

x

x

x

x

x

Administration > Identity Management > Settings > Endpoint Custom Attributes

x

x

x

x

x

x

x

Administration > Identity Management > Settings > REST ID Store Settings

x

x

x

x

x

x

x

Administration > Device Portal Management

x

x

x

x

x

x

x

Administration > Device Portal Management > BYOD

x

x

x

x

x

x

x

Administration > Device Portal Management > Client Provisioning

x

x

x

x

x

x

x

Administration > Device Portal Management > My Devices

x

x

x

x

x

x

x

Administration > Device Portal Management > Blocked List

x

x

x

x

x

x

x

Administration > Device Portal Management > Certificate Provisioning

x

x

x

x

x

x

x

x

x

Administration > Device Portal Management > Mobile Device Management

x

x

x

x

x

x

x

Administration > Device Portal Management > Custom Portal Files

x

x

x

x

x

x

x

x

x

Administration > Device Portal Management > Settings

x

x

x

x

x

x

x

Administration > Device Portal Management > Settings > Retry URL

x

x

x

x

x

x

x

Administration > Device Portal Management > Settings > Employee Registered Devices

x

x

x

x

x

x

x

Administration > Network Resources

x

x

x

x

x

x

x

x

Administration > Network Resources > Network Devices

x

x

x

x

x

x

x

x

Administration > Network Resources > Network Devices > Default Device

x

x

x

x

x

x

x

x

Administration > Network Resources > Network Devices > Network Devices

x

x

x

x

x

x

x

x

Administration > Network Resources > Network Devices > Device Security Settings

x

x

x

x

x

x

x

x

Administration > Network Resources > Network Device Groups

x

x

x

x

x

x

x

x

Administration > Network Resources > External RADIUS Servers

x

x

x

x

x

x

x

x

Administration > Network Resources > NAC Managers

x

x

x

x

x

x

x

x

Administration > Network Resources > Location Services

x

x

x

x

x

x

x

x

Administration > Network Resources > Location Services > Location Servers

x

x

x

x

x

x

x

x

Administration > Network Resources > Location Services > Location Tree

x

x

x

x

x

x

x

x

Administration > Network Resources > Network Device Profiles

x

x

x

x

x

x

x

x

Administration > Network Resources > RADIUS Server Sequences

x

x

x

x

x

x

x

x

Administration > Network Resources > External MDM

x

x

x

x

x

x

x

x

x

Administration > pxGrid Services

x

x

x

x

x

x

x

x

Administration > pxGrid Services > Summary

x

x

x

x

x

x

x

x

Administration > pxGrid Services > Client Management

x

x

x

x

x

x

x

x

Administration > pxGrid Services > Client Management > Clients

x

x

x

x

x

x

x

x

Administration > pxGrid Services > Client Management > Policy

x

x

x

x

x

x

x

x

Administration > pxGrid Services > Client Management > Groups

x

x

x

x

x

x

x

x

Administration > pxGrid Services > Client Management > Certificates

x

x

x

x

x

x

x

x

Administration > pxGrid Services > Client Management > pxCloud Connection

x

x

x

x

x

x

x

x

Administration > pxGrid Services > Client Management > pxCloud Policy

x

x

x

x

x

x

x

x

Administration > pxGrid Services > Diagnostics

x

x

x

x

x

x

x

x

Administration > pxGrid Services > Diagnostics > WebSocket

x

x

x

x

x

x

x

x

Administration > pxGrid Services > Diagnostics > Log

x

x

x

x

x

x

x

x

Administration > pxGrid Services > Diagnostics > Tests

x

x

x

x

x

x

x

x

Administration > pxGrid Services > Settings

x

x

x

x

x

x

x

x

Administration > System

x

x

x

x

x

Administration > System > Backup & Restore

x

x

x

x

x

x

x

x

Administration > System > Backup & Restore > Policy Export

x

x

x

x

x

x

x

x

Administration > System > Backup & Restore > Backup & Restore

x

x

x

x

x

x

x

x

Administration > System > Admin Access

x

x

x

x

x

x

x

Administration > System > Admin Access > Administrators

x

x

x

x

x

x

x

Administration > System > Admin Access > Administrators > Admin Users

x

x

x

x

x

x

x

Administration > System > Admin Access > Administrators > Admin Groups

x

x

x

x

x

x

x

Administration > System > Admin Access > Authentication

x

x

x

x

x

x

x

Administration > System > Admin Access > Authorization

x

x

x

x

x

x

x

Administration > System > Admin Access > Authorization > Permissions

x

x

x

x

x

x

x

Administration > System > Admin Access > Authorization > Permissions > Menu Access

x

x

x

x

x

x

x

Administration > System > Admin Access > Authorization > Permissions > Data Access

x

x

x

x

x

x

x

Administration > System > Admin Access > Authorization > Policy

x

x

x

x

x

x

x

Administration > System > Admin Access > Settings

x

x

x

x

x

x

x

x

Administration > System > Admin Access > Settings > Access

x

x

x

x

x

x

x

x

Administration > System > Admin Access > Settings > Session

x

x

x

x

x

x

x

x

Administration > System > Admin Access > Settings > Portal Customization

x

x

x

x

x

x

x

x

x

Administration > System > Settings

x

x

x

x

x

x

x

Administration > System > Settings > Max Sessions

x

x

x

x

x

x

x

Administration > System > Settings > Interactive User Guide

x

x

x

x

x

x

x

Administration > System > Settings > DHCP & DNS Services

x

x

x

x

x

x

x

Administration > System > Settings > Light Session Directory

x

x

x

x

x

x

x

Administration > System > Settings > Protocols

x

x

x

x

x

x

x

Administration > System > Settings > Protocols > EAP-FAST

x

x

x

x

x

x

x

Administration > System > Settings > Protocols > EAP-FAST > EAP FAST Settings

x

x

x

x

x

x

x

Administration > System > Settings > Protocols > EAP-FAST > Generate PAC

x

x

x

x

x

x

x

Administration > System > Settings > Protocols > EAP-TTLS

x

x

x

x

x

x

x

Administration > System > Settings > Protocols > EAP-TLS

x

x

x

x

x

x

x

Administration > System > Settings > Protocols > PEAP

x

x

x

x

x

x

x

Administration > System > Settings > Protocols > IPSec

x

x

x

x

x

x

x

Administration > System > Settings > Protocols > RADIUS

x

x

x

x

x

x

x

Administration > System > Settings > Network Success Diagnostics

x

x

x

x

x

x

x

Administration > System > Settings > Network Success Diagnostics > Telemetry

x

x

x

x

x

x

x

Administration > System > Settings > Network Success Diagnostics > Cisco Support Diagnostics

x

x

x

x

x

x

x

Administration > System > Settings > Client Provisioning

x

x

x

x

x

x

x

Administration > System > Settings > FIPS Mode

x

x

x

x

x

x

x

Administration > System > Settings > Security Settings

x

x

x

x

x

x

x

Administration > System > Settings > Proxy

x

x

x

x

x

x

x

Administration > System > Settings > SMTP Server

x

x

x

x

x

x

x

Administration > System > Settings > SMS Gateway

x

x

x

x

x

x

x

Administration > System > Settings > System Time(Primary Node)

x

x

x

x

x

x

x

Administration > System > Settings > Alarm Settings

x

x

x

x

x

x

x

Administration > System > Settings > Posture

x

x

x

x

x

x

x

Administration > System > Settings > Posture > Updates

x

x

x

x

x

x

x

Administration > System > Settings > Posture > General Settings

x

x

x

x

x

x

x

Administration > System > Settings > Posture > Reassessments

x

x

x

x

x

x

x

Administration > System > Settings > Posture > Acceptable Use Policy

x

x

x

x

x

x

x

Administration > System > Settings > Profiling

x

x

x

x

x

x

x

Administration > System > Settings > Endpoint Scripts

x

x

x

x

x

x

x

Administration > System > Settings > Endpoint Scripts > Login Configuration

x

x

x

x

x

x

x

Administration > System > Settings > Endpoint Scripts > Settings

x

x

x

x

x

x

x

Administration > System > Settings > API Gateway Settings

x

x

x

x

x

x

x

Administration > System > Deployment

x

x

x

x

x

x

x

Administration > System > Licensing

x

x

x

x

x

x

x

x

Administration > System > Upgrade

x

x

x

x

x

x

x

x

x

Administration > System > Health Checks

x

x

x

x

x

x

x

x

x

Administration > System > Certificates

x

x

x

x

x

x

x

x

Administration > System > Certificates > Certificate Management

x

x

x

x

x

x

x

x

Administration > System > Certificates > Certificate Management > Trusted Certificates

x

x

x

x

x

x

x

x

Administration > System > Certificates > Certificate Management > Certificate Signing Requests

x

x

x

x

x

x

x

x

Administration > System > Certificates > Certificate Management > System Certificates

x

x

x

x

x

x

x

x

Administration > System > Certificates > Certificate Management > OCSP Client Profile

x

x

x

x

x

x

x

x

Administration > System > Certificates > Certificate Management > Certificate Periodic Check Settings

x

x

x

x

x

x

x

x

Administration > System > Certificates > Certificate Authority

x

x

x

x

x

x

x

x

Administration > System > Certificates > Certificate Authority > Certificate Authority Certificates

x

x

x

x

x

x

x

x

Administration > System > Certificates > Certificate Authority > Overview

x

x

x

x

x

x

x

x

Administration > System > Certificates > Certificate Authority > Issued Certificates

x

x

x

x

x

x

x

x

Administration > System > Certificates > Certificate Authority > Internal CA Settings

x

x

x

x

x

x

x

x

Administration > System > Certificates > Certificate Authority > Certificate Templates

x

x

x

x

x

x

x

x

Administration > System > Certificates > Certificate Authority > External CA Settings

x

x

x

x

x

x

x

x

Administration > System > Logging

x

x

x

x

x

x

x

x

Administration > System > Logging > Logging Categories

x

x

x

x

x

x

x

x

Administration > System > Logging > Collection Filters

x

x

x

x

x

x

x

x

Administration > System > Logging > Log Settings

x

x

x

x

x

x

x

x

Administration > System > Logging > Remote Logging Targets

x

x

x

x

x

x

x

x

Administration > System > Logging > Message Catalog

x

x

x

x

x

x

x

x

Administration > System > Maintenance

x

x

x

x

x

x

x

x

Administration > System > Maintenance > Repository

x

x

x

x

x

x

x

x

Administration > System > Maintenance > Localdisk Management

x

x

x

x

x

x

x

x

Administration > System > Maintenance > Patch Management

x

x

x

x

x

x

x

x

Administration > System > Maintenance > Operational Data Purging

x

x

x

x

x

x

x

x

Administration > System > Session Info

x

x

x

x

x

x

x

x

x

Administration > System > System Time(Secondary Node)

x

x

x

x

x

x

x

Administration > System > Server Certificate

x

x

x

x

x

x

x

x

Administration > System > Certificate Signing Requests

x

x

x

x

x

x

x

x

Administration > Feed Service

x

x

x

x

x

x

x

Administration > Feed Service > Profiler

x

x

x

x

x

x

x

Administration > Threat Centric NAC

x

x

x

x

x

x

x

x

x

Administration > Threat Centric NAC > Third Party Vendors

x

x

x

x

x

x

x

x

x

Work Centers

Work Centers > TrustSec

x

x

Work Centers > TrustSec > Components

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Components > IP SGT Static Mapping

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Components > Network Devices

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Components > Security Groups

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Components > Security Group ACLs

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Components > Trustsec Servers

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Components > Trustsec Servers > AAA Servers

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Components > Trustsec Servers > HTTPS Servers

x

x

x

x

x

x

x

x

Work Centers > TrustSec > TrustSec Policy

x

x

x

x

x

x

x

x

Work Centers > TrustSec > TrustSec Policy > Egress Policy

x

x

x

x

x

x

x

x

Work Centers > TrustSec > TrustSec Policy > Egress Policy > Matrix

x

x

x

x

x

x

x

x

Work Centers > TrustSec > TrustSec Policy > Egress Policy > Destination Tree

x

x

x

x

x

x

x

x

Work Centers > TrustSec > TrustSec Policy > Egress Policy > Matrices List

x

x

x

x

x

x

x

x

Work Centers > TrustSec > TrustSec Policy > Egress Policy > Source Tree

x

x

x

x

x

x

x

x

Work Centers > TrustSec > TrustSec Policy > Network Device Authorization

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Policy Sets

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Authorization Policy

x

x

x

x

x

x

x

x

Work Centers > TrustSec > SXP

x

x

x

x

x

x

x

x

Work Centers > TrustSec > SXP > SXP Devices

x

x

x

x

x

x

x

x

Work Centers > TrustSec > SXP > All SXP Mappings

x

x

x

x

x

x

x

x

Work Centers > TrustSec > ACI

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Reports

x

x

Work Centers > TrustSec > Overview

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Overview > Introduction

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Overview > Dashboard

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Policy Sets

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Policy Sets

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Authentication Policy

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Troubleshoot

x

x

Work Centers > TrustSec > Troubleshoot > Egress (SGACL) Policy

x

x

Work Centers > TrustSec > Troubleshoot > IP User SGT

x

x

Work Centers > TrustSec > Troubleshoot > SXP-IP Mappings

x

x

Work Centers > TrustSec > Troubleshoot > Device SGT

x

x

Work Centers > TrustSec > Settings

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Settings > General TrustSec Settings

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Settings > Work Process Settings

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Settings > ACI Settings

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Settings > TrustSec Matrix Settings

x

x

x

x

x

x

x

x

Work Centers > TrustSec > Settings > SXP Settings

x

x

x

x

x

x

x

x

Work Centers > Profiler

x

x

Work Centers > Profiler > Ext Id Sources

x

x

x

x

x

x

x

Work Centers > Profiler > Endpoint Classification

x

x

x

x

x

x

x

x

Work Centers > Profiler > Node Config

x

x

x

x

x

x

x

Work Centers > Profiler > Manual Scans

x

x

x

x

x

x

x

x

Work Centers > Profiler > Manual Scans > Manual NMAP Scan Results

x

x

x

x

x

x

x

x

Work Centers > Profiler > Manual Scans > Manual NMAP Scan

x

x

x

x

x

x

x

x

Work Centers > Profiler > Policy Sets

x

x

x

x

x

x

x

x

Work Centers > Profiler > Authorization Policy

x

x

x

x

x

x

x

x

Work Centers > Profiler > Reports

x

x

Work Centers > Profiler > Feeds

x

x

x

x

x

x

x

x

Work Centers > Profiler > Policy Elements

x

x

x

x

x

x

x

x

Work Centers > Profiler > Policy Elements > Profiler Conditions

x

x

x

x

x

x

x

x

Work Centers > Profiler > Policy Elements > NMAP Scan Actions

x

x

x

x

x

x

x

x

Work Centers > Profiler > Policy Elements > Exception Actions

x

x

x

x

x

x

x

x

Work Centers > Profiler > Profiling Policies

x

x

x

x

x

x

x

x

Work Centers > Profiler > Policy Sets

x

x

x

x

x

x

x

x

Work Centers > Profiler > Troubleshoot

x

x

Work Centers > Profiler > Troubleshoot > Execute Network Device Command

x

x

Work Centers > Profiler > Troubleshoot > EndPoint Debug

x

x

x

x

x

x

x

x

x

Work Centers > Profiler > Troubleshoot > Evaluate Configuration Validator

x

x

Work Centers > Profiler > Troubleshoot > TCP Dump

x

x

x

x

x

x

x

x

x

Work Centers > Profiler > Settings

x

x

x

x

x

x

x

x

Work Centers > Profiler > Settings > Profiler Settings

x

x

x

x

x

x

x

x

Work Centers > Profiler > Settings > NMAP Scan Subnet Exclusions

x

x

x

x

x

x

x

x

Work Centers > Profiler > Dictionaries

x

x

x

x

x

x

x

x

Work Centers > Profiler > Overview

x

x

x

x

x

x

x

x

Work Centers > Profiler > Network Devices

x

x

x

x

x

x

x

Work Centers > Posture

x

Work Centers > Posture > Network Devices

x

x

x

x

x

x

x

x

Work Centers > Posture > Posture Policy

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Sets

x

x

x

x

x

x

x

x

Work Centers > Posture > Authorization Policy

x

x

x

x

x

x

x

x

Work Centers > Posture > Reports

x

x

Work Centers > Posture > Settings

x

x

x

x

x

x

x

x

Work Centers > Posture > Settings > Posture General Settings

x

x

x

x

x

x

x

x

Work Centers > Posture > Settings > Acceptable Use Policy

x

x

x

x

x

x

x

x

Work Centers > Posture > Settings > Software Updates

x

x

x

x

x

x

x

x

Work Centers > Posture > Settings > Software Updates > Client Provisioning

x

x

x

x

x

x

x

x

Work Centers > Posture > Settings > Software Updates > Posture Updates

x

x

x

x

x

x

x

x

Work Centers > Posture > Settings > Software Updates > Proxy Settings

x

x

x

x

x

x

x

x

Work Centers > Posture > Settings > Reassessment configurations

x

x

x

x

x

x

x

x

Work Centers > Posture > Overview

x

x

x

x

x

x

x

x

Work Centers > Posture > Client Provisioning

x

x

x

x

x

x

x

Work Centers > Posture > Client Provisioning > Client Provisioning Policy

x

x

x

x

x

x

x

x

Work Centers > Posture > Client Provisioning > Client Provisioning Portal

x

x

x

x

x

x

x

Work Centers > Posture > Client Provisioning > Resources

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions > Anti-Spyware

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions > Application

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions > Compound

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions > Dictionary Compound

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions > File

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions > Registry

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions > Anti-Malware

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions > Anti-Virus

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions > Dictionary Simple

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions > Disk Encryption

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions > External DataSource

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions > Firewall Condition

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions > Hardware Attributes Condition

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions > Patch Management

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions > Service

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Conditions > USB

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Requirements

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Remediations

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Remediations > Anti-Virus

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Remediations > Firewall

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Remediations > Link

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Remediations > Script

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Remediations > Windows Server Update Services

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Remediations > Anti-Malware

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Remediations > Anti-Spyware

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Remediations > File

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Remediations > Launch Program

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Remediations > Patch Management

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Remediations > USB

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Remediations > Windows Update

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Elements > Authorization Profiles

x

x

x

x

x

x

x

x

Work Centers > Posture > Policy Sets

x

x

x

x

x

x

x

x

Work Centers > Posture > Authentication Policy

x

x

x

x

x

x

x

x

Work Centers > Posture > Troubleshoot

x

x

Work Centers > Posture > Troubleshoot > Agentless Posture Troubleshooting

x

x

Work Centers > Device Administration

x

Work Centers > Device Administration > Overview

x

x

x

x

x

x

x

Work Centers > Device Administration > Overview > Introduction

x

x

x

x

x

x

x

Work Centers > Device Administration > Overview > TACACS Livelog

x

x

x

x

x

x

x

Work Centers > Device Administration > Overview > Deployment

x

x

x

x

x

x

x

Work Centers > Device Administration > Identities

x

x

x

x

x

x

Work Centers > Device Administration > Identities > Users

x

x

x

x

x

x

Work Centers > Device Administration > User Identity Groups

x

x

x

x

x

x

Work Centers > Device Administration > Ext Id Sources

x

x

x

x

x

x

Work Centers > Device Administration > Network Resources

x

x

x

x

x

x

Work Centers > Device Administration > Network Resources > Network Devices

x

x

x

x

x

x

x

Work Centers > Device Administration > Network Resources > Network Device Groups

x

x

x

x

x

x

Work Centers > Device Administration > Network Resources > Default Devices

x

x

x

x

x

x

x

Work Centers > Device Administration > Network Resources > TACACS External Servers

x

x

x

x

x

x

x

Work Centers > Device Administration > Network Resources > TACACS Server Sequence

x

x

x

x

x

x

x

Work Centers > Device Administration > Policy Elements

x

x

x

x

x

x

x

Work Centers > Device Administration > Policy Elements > Conditions

x

x

x

x

x

x

x

Work Centers > Device Administration > Policy Elements > Conditions > Authentication Simple Conditions

x

x

x

x

x

x

x

Work Centers > Device Administration > Policy Elements > Conditions > Library Conditions

x

x

x

x

x

x

x

Work Centers > Device Administration > Policy Elements > Conditions > Smart Conditions

x

x

x

x

x

x

x

Work Centers > Device Administration > Policy Elements > Conditions > Authorization Simple Conditions

x

x

x

x

x

x

x

Work Centers > Device Administration > Policy Elements > Conditions > Authorization Compound Conditions

x

x

x

x

x

x

x

Work Centers > Device Administration > Policy Elements > Network Conditions

x

x

x

x

x

x

x

Work Centers > Device Administration > Policy Elements > Network Conditions > Endstation Network Conditions

x

x

x

x

x

x

x

Work Centers > Device Administration > Policy Elements > Network Conditions > Device Network Conditions

x

x

x

x

x

x

x

Work Centers > Device Administration > Policy Elements > Network Conditions > Device Port Network Conditions

x

x

x

x

x

x

x

Work Centers > Device Administration > Policy Elements > Results

x

x

x

x

x

x

x

Work Centers > Device Administration > Policy Elements > Results > Allowed Protocols

x

x

x

x

x

x

x

Work Centers > Device Administration > Policy Elements > Results > TACACS Command Sets

x

x

x

x

x

x

x

Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles

x

x

x

x

x

x

x

Work Centers > Device Administration > Device Admin Policy Sets

x

x

x

x

x

x

x

Work Centers > Device Administration > Reports

x

Work Centers > Device Administration > Settings

x

x

x

x

x

x

x

Work Centers > PassiveID

x

x

x

x

x

x

x

Work Centers > PassiveID > Overview | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Overview > Introduction | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Overview > Dashboard | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Overview > Live Sessions | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Troubleshoot | x | x | x | x | x | x | x
Work Centers > PassiveID > Certificates | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Certificates > System Certificates | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Certificates > OCSP Client Profile | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Certificates > Certificate Periodic Check Settings | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Certificates > Issued Certificates | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Certificates > Internal CA Settings | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Certificates > Certificate Templates | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Certificates > Trusted Certificates | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Certificates > Certificate Signing Requests | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Certificates > Overview | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Certificates > Certificate Authority Certificates | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Reports | x | x | x | x | x | x | x
Work Centers > PassiveID > Providers | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Providers > Agents | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Providers > SPAN | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Providers > Mapping Filters | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Providers > Active Directory | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Providers > API Providers | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Providers > Syslog Providers | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Providers > Endpoint Probes | x | x | x | x | x | x | x | x
Work Centers > PassiveID > Subscribers | x | x | x | x | x | x | x | x
Work Centers > BYOD | x
Work Centers > BYOD > Overview | x | x | x | x | x | x | x | x
Work Centers > BYOD > Network Devices | x | x | x | x | x | x | x
Work Centers > BYOD > Client Provisioning | x | x | x | x | x | x | x | x
Work Centers > BYOD > Client Provisioning > Resources | x | x | x | x | x | x | x | x
Work Centers > BYOD > Client Provisioning > Client Provisioning Policy | x | x | x | x | x | x | x | x
Work Centers > BYOD > Policy Elements | x | x | x | x | x | x | x | x
Work Centers > BYOD > Policy Elements > Results | x | x | x | x | x | x | x | x
Work Centers > BYOD > Policy Elements > Results > Authorization Profiles | x | x | x | x | x | x | x | x
Work Centers > BYOD > Policy Elements > Results > Allowed Protocols | x | x | x | x | x | x | x | x
Work Centers > BYOD > Policy Elements > Results > Downloadable ACLs | x | x | x | x | x | x | x | x
Work Centers > BYOD > Policy Elements > Conditions | x | x | x | x | x | x | x | x
Work Centers > BYOD > Policy Elements > Conditions > Authentication Simple Conditions | x | x | x | x | x | x | x | x
Work Centers > BYOD > Policy Elements > Conditions > Authorization Simple Conditions | x | x | x | x | x | x | x | x
Work Centers > BYOD > Policy Elements > Conditions > Library Conditions | x | x | x | x | x | x | x | x
Work Centers > BYOD > Policy Elements > Conditions > Smart Conditions | x | x | x | x | x | x | x | x
Work Centers > BYOD > Policy Elements > Conditions > Authorization Compound Conditions | x | x | x | x | x | x | x | x
Work Centers > BYOD > Policy Sets | x | x | x | x | x | x | x | x
Work Centers > BYOD > Authentication Policy | x | x | x | x | x | x | x | x
Work Centers > BYOD > Reports | x | x
Work Centers > BYOD > Settings | x | x | x | x | x | x | x | x
Work Centers > BYOD > Settings > Employee Registered Devices | x | x | x | x | x | x | x | x
Work Centers > BYOD > Settings > Client Provisioning | x | x | x | x | x | x | x | x
Work Centers > BYOD > Settings > Retry URL | x | x | x | x | x | x | x | x
Work Centers > BYOD > Identities | x | x | x | x | x | x | x
Work Centers > BYOD > Identities > Endpoints | x | x | x | x | x | x | x
Work Centers > BYOD > Identities > Identity Source Sequences | x | x | x | x | x | x | x
Work Centers > BYOD > Identities > Network Access Users | x | x | x | x | x | x | x
Work Centers > BYOD > Identity Groups | x | x | x | x | x | x | x
Work Centers > BYOD > Ext Id Sources | x | x | x | x | x | x | x
Work Centers > BYOD > Portals & Components | x | x | x | x | x | x | x
Work Centers > BYOD > Portals & Components > BYOD Portals | x | x | x | x | x | x | x
Work Centers > BYOD > Portals & Components > Blocked List Portal | x | x | x | x | x | x | x
Work Centers > BYOD > Portals & Components > My Devices Portals | x | x | x | x | x | x | x
Work Centers > BYOD > Portals & Components > Certificates | x | x | x | x | x | x | x | x
Work Centers > BYOD > Portals & Components > Certificates > Certificate Templates | x | x | x | x | x | x | x | x
Work Centers > BYOD > Portals & Components > Certificates > Internal CA Settings | x | x | x | x | x | x | x | x
Work Centers > BYOD > Portals & Components > Certificates > External CA Templates | x | x | x | x | x | x | x | x
Work Centers > BYOD > Policy Sets | x | x | x | x | x | x | x | x
Work Centers > BYOD > Authorization Policy | x | x | x | x | x | x | x | x
Work Centers > BYOD > Custom Portal Files | x | x | x | x | x | x | x | x
Work Centers > Network Access | x | x
Work Centers > Network Access > Policy Sets | x | x | x | x | x | x | x | x
Work Centers > Network Access > Policy Sets | x | x | x | x | x | x | x | x
Work Centers > Network Access > Authentication Policy | x | x | x | x | x | x | x | x
Work Centers > Network Access > Reports | x | x
Work Centers > Network Access > Settings | x | x | x | x | x | x | x | x
Work Centers > Network Access > Settings > Client Provisioning | x | x | x | x | x | x | x | x
Work Centers > Network Access > Settings > Collection Filters | x | x | x | x | x | x | x | x
Work Centers > Network Access > Settings > Protocols | x | x | x | x | x | x | x | x
Work Centers > Network Access > Settings > Protocols > EAP TLS | x | x | x | x | x | x | x | x
Work Centers > Network Access > Settings > Protocols > EAP-FAST | x | x | x | x | x | x | x | x
Work Centers > Network Access > Settings > Protocols > EAP-FAST > EAP FAST | x | x | x | x | x | x | x | x
Work Centers > Network Access > Settings > Protocols > EAP-FAST > Generate PAC | x | x | x | x | x | x | x | x
Work Centers > Network Access > Settings > Protocols > PEAP | x | x | x | x | x | x | x | x
Work Centers > Network Access > Settings > Protocols > RADIUS | x | x | x | x | x | x | x | x
Work Centers > Network Access > Settings > Proxy Settings | x | x | x | x | x | x | x | x
Work Centers > Network Access > Dictionaries | x | x | x | x | x | x | x | x
Work Centers > Network Access > Overview | x | x | x | x | x | x | x | x
Work Centers > Network Access > Overview > Introduction | x | x | x | x | x | x | x | x
Work Centers > Network Access > Overview > RADIUS Livelog | x | x | x | x | x | x | x | x
Work Centers > Network Access > Identities | x | x | x | x | x | x | x
Work Centers > Network Access > Identities > Endpoints | x | x | x | x | x | x | x
Work Centers > Network Access > Identities > Network Access Users | x | x | x | x | x | x | x
Work Centers > Network Access > Identities > Identity Source Sequences | x | x | x | x | x | x | x
Work Centers > Network Access > Id Groups | x | x | x | x | x | x | x
Work Centers > Network Access > Ext Id Sources | x | x | x | x | x | x | x
Work Centers > Network Access > Network Resources | x | x | x | x | x | x | x
Work Centers > Network Access > Network Resources > Network Devices | x | x | x | x | x | x | x
Work Centers > Network Access > Network Resources > Device Groups | x | x | x | x | x | x | x
Work Centers > Network Access > Network Resources > Default Device | x | x | x | x | x | x | x
Work Centers > Network Access > Network Resources > External RADIUS Servers | x | x | x | x | x | x | x
Work Centers > Network Access > Network Resources > RADIUS Server Sequences | x | x | x | x | x | x | x
Work Centers > Network Access > Network Resources > External MDM Servers | x | x | x | x | x | x | x | x
Work Centers > Network Access > Policy Elements | x | x | x | x | x | x | x | x
Work Centers > Network Access > Policy Elements > Conditions | x | x | x | x | x | x | x | x
Work Centers > Network Access > Policy Elements > Conditions > Authentication Simple Conditions | x | x | x | x | x | x | x | x
Work Centers > Network Access > Policy Elements > Conditions > Library Conditions | x | x | x | x | x | x | x | x
Work Centers > Network Access > Policy Elements > Conditions > Smart Conditions | x | x | x | x | x | x | x | x
Work Centers > Network Access > Policy Elements > Conditions > Authorization Simple Conditions | x | x | x | x | x | x | x | x
Work Centers > Network Access > Policy Elements > Conditions > Authorization Compound Conditions | x | x | x | x | x | x | x | x
Work Centers > Network Access > Policy Elements > Conditions > Time and Date Conditions | x | x | x | x | x | x | x | x
Work Centers > Network Access > Policy Elements > Results | x | x | x | x | x | x | x | x
Work Centers > Network Access > Policy Elements > Results > Allowed Protocols | x | x | x | x | x | x | x | x
Work Centers > Network Access > Policy Elements > Results > Authorization Profiles | x | x | x | x | x | x | x | x
Work Centers > Network Access > Policy Elements > Results > Downloadable ACLs | x | x | x | x | x | x | x | x
Work Centers > Network Access > Authorization Policy | x | x | x | x | x | x | x | x
Work Centers > Network Access > Troubleshoot | x | x
Work Centers > Network Access > Troubleshoot > EndPoint Debug | x | x | x | x | x | x | x | x | x
Work Centers > Network Access > Troubleshoot > TCP Dump | x | x | x | x | x | x | x | x | x
Work Centers > Network Access > Troubleshoot > Collection Filters | x | x
Work Centers > Network Access > Troubleshoot > RADIUS Authentication Troubleshooting | x | x
Work Centers > Guest Access | x
Work Centers > Guest Access > Overview | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Administration | x | x | x | x | x | x | x
Work Centers > Guest Access > Administration > SMS Gateway Providers | x | x | x | x | x | x | x
Work Centers > Guest Access > Administration > Certificates | x | x | x | x | x | x | x
Work Centers > Guest Access > Administration > Certificates > System Certificates | x | x | x | x | x | x | x
Work Centers > Guest Access > Administration > Certificates > Certificate Periodic Check Settings | x | x | x | x | x | x | x
Work Centers > Guest Access > Administration > Certificates > Certificate Signing Requests | x | x | x | x | x | x | x
Work Centers > Guest Access > Administration > SMTP Server | x | x | x | x | x | x | x
Work Centers > Guest Access > Portals & Components | x | x | x | x | x | x | x
Work Centers > Guest Access > Portals & Components > Guest Types | x | x | x | x | x | x | x
Work Centers > Guest Access > Portals & Components > Sponsor Portals | x | x | x | x | x | x | x
Work Centers > Guest Access > Portals & Components > Guest Portals | x | x | x | x | x | x | x
Work Centers > Guest Access > Portals & Components > Sponsor Groups | x | x | x | x | x | x | x
Work Centers > Guest Access > Policy Sets | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Authorization Policy | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Custom Portal Files | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Identities | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Identities > Endpoints | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Identities > Network Access Users | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Identities > Identity Source Sequences | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Identity Groups | x | x | x | x | x | x | x
Work Centers > Guest Access > Ext Id Sources | x | x | x | x | x | x | x
Work Centers > Guest Access > Network Devices | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Manage Accounts | x | x | x | x | x | x | x
Work Centers > Guest Access > Policy Elements | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Policy Elements > Conditions | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Policy Elements > Conditions > Authorization Simple Conditions | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Policy Elements > Conditions > Common Time and Date Conditions | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Policy Elements > Conditions > Authorization Compound Conditions | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Policy Elements > Results | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Policy Elements > Results > Allowed Protocols | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Policy Elements > Results > Downloadable ACLs | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Policy Elements > Results > Authorization Profiles | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Policy Sets | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Authentication Policy | x | x | x | x | x | x | x | x
Work Centers > Guest Access > Reports | x | x
Work Centers > Guest Access > Settings | x | x | x | x | x | x | x
Work Centers > Guest Access > Settings > Guest Password Policy | x | x | x | x | x | x | x
Work Centers > Guest Access > Settings > Guest Account Purge Policy | x | x | x | x | x | x | x
Work Centers > Guest Access > Settings > Guest Email Settings | x | x | x | x | x | x | x
Work Centers > Guest Access > Settings > Guest Username Policy | x | x | x | x | x | x | x
Work Centers > Guest Access > Settings > Logging | x | x | x | x | x | x | x
Work Centers > Guest Access > Settings > Custom Fields | x | x | x | x | x | x | x
Work Centers > Guest Access > Settings > Guest Locations and SSIDs | x | x | x | x | x | x | x
Work Centers > GPC | x | x | x | x | x | x | x
Wizard | x | x | x | x | x | x | x | x | x
Settings | x | x | x | x | x | x | x | x | x

Configure Menu Access Permissions

Cisco ISE allows you to create custom menu access permissions that you can map to an RBAC policy. Depending on the role of the administrators, you can allow them to access only specific menu options.

Procedure

Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Admin Access > Authorization > Permissions > Menu Access.

Step 2

Click Add, and enter values for the Name and Description fields.

  1. Expand the ISE Navigation Structure menu to the required level, and click the options for which you want to create permissions.

  2. In the Permissions for Menu Access pane, click Show.

Step 3

Click Submit.


Prerequisites for Granting Data Access Permissions

When an RBAC admin has Full Access permission to an object (for example, Employee in the User Identity Groups data type), the admin can view, add, update, and delete users who belong to that group. Ensure that the admin has menu access permission granted for the Users window (Administration > Identity Management > Identities > Users). This is applicable for network devices and endpoint objects (based on the permissions granted to the Network Device Groups and Endpoint Identity Groups data types).

You cannot enable or restrict data access for network devices that belong to the default network device group objects—All Device Types and All Locations. All the network devices are displayed if Full Access data permission is granted to an object created under these default network device group objects. Therefore, we recommend that you create a separate hierarchy for the Network Device Groups data type, which is independent of the default network device group objects. You should assign the network device objects to the newly created network device groups to create restricted access.


Note


You can enable or restrict data access permissions only for the User Identity Groups, Network Device Groups, and Endpoint Identity Groups, but not to Admin Groups.


Default Data Access Permissions

Cisco ISE comes with a set of predefined data access permissions. These permissions enable multiple administrators to have the data access permissions within the same user population. You can enable or restrict the use of data access permissions to one or more admin groups. This process allows autonomous delegated control to administrators of one admin group to reuse data access permissions of the chosen admin groups through selective association. Data access permissions range from full access to no access for viewing selected admin groups or network device groups.

RBAC policies are defined based on the administrator (RBAC) group, menu access, and data access permissions. You should first create menu access and data access permissions and then create an RBAC policy that associates an admin group with the corresponding menu access and data access permissions. The RBAC policy takes the form: If admin_group=Super Admin then assign SuperAdmin Menu Access permission + SuperAdmin Data Access permission. Apart from the predefined data access permissions, Cisco ISE also allows you to create custom data access permissions that you can associate with an RBAC policy.

Three data access permissions can be granted to admin groups: Full Access, No Access, and Read Only Access.

The Read Only permission can be granted to the following admin groups:

  • Administration > Admin Access > Administrators > Admin Groups

  • Administration > Groups > User Identity Group

  • Administration > Groups > Endpoint Identity Groups

  • Network Visibility > Endpoints

  • Administration > Network Resources > Network Device Groups

  • Administration > Network Resources > Network Devices

  • Administration > Identity Management > Identities

  • Administration > Identity Management > Groups > User Identity Groups

  • Administration > Identity Management > Groups > Endpoint Identity Groups

If you have read-only permission for a data type (for example, Endpoint Identity Groups), you will not be able to perform CRUD operations on that data type. If you have read-only permission for an object (for example, GuestEndpoints), you cannot perform edit or delete operations on that object.

The following image shows how data access privileges are applied at the second-level or third-level menu that contains additional submenus or options for different RBAC groups.

Figure 1. Data Access Privileges

  1. Denotes full access for the User Identity Groups data type.

  2. Denotes that Endpoint Identity Groups derive the maximum permission (full access) that is granted to its child (Asia, in the example shown in the figure).

  3. Denotes that there is no access for the object (Blocked List).

  4. Denotes that the parent (Continents) derives the maximum access permission granted to its child (Asia).

  5. Denotes read-only access for the object (Australia).

  6. Denotes that when full access is granted to the parent (Network Device Groups), the children automatically inherit that permission.

  7. Denotes that when full access is granted to the parent (Asia), the objects under it inherit the Full Access permission, unless permissions are explicitly granted to those objects.
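The inheritance rules these labels describe, together with the RBAC policy form given above (if admin_group = G, then assign menu access + data access), modelled in Python. This is an added example, not Cisco ISE code: the Blocked List / Continents / Asia / Australia tree follows the figure, while the group, policy and operation names are constructed for the example.

```python
"""Model of how Cisco ISE RBAC data access permissions resolve over an object
hierarchy.

Added example, not Cisco ISE code. It encodes the rules from the Figure 1
labels (a parent shows the maximum permission granted to any of its children;
an object inherits the nearest explicit grant above it unless it has one of
its own) and the policy form "If admin_group = G then assign menu access +
data access". Group, policy and operation names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

NO, RO, FULL = "No Access", "Read Only", "Full Access"
RANK = {NO: 0, RO: 1, FULL: 2}
# Read Only permits viewing only: no edit or delete on the object.
ALLOWED_OPS = {NO: set(), RO: {"view"}, FULL: {"view", "add", "update", "delete"}}


@dataclass
class Node:
    """One object in a data type hierarchy, e.g. Continents > Asia."""
    name: str
    explicit: Optional[str] = None                 # grant made directly on this object
    children: dict[str, Node] = field(default_factory=dict)

    def add(self, name: str, explicit: Optional[str] = None) -> Node:
        self.children[name] = Node(name, explicit)
        return self.children[name]


def effective(root: Node, path: list[str]) -> str:
    """Permission that applies to the object reached by `path` under `root`.

    Walk down carrying the nearest explicit grant seen so far; a grant on a
    child overrides what it would otherwise inherit (label 7). If nothing on
    the way down was granted, the object is No Access.
    """
    node, inherited = root, root.explicit
    for step in path:
        node = node.children[step]
        if node.explicit is not None:
            inherited = node.explicit
    return inherited if inherited is not None else NO


def displayed(node: Node) -> str:
    """Permission shown on a parent: the maximum over itself and all descendants (labels 2 and 4)."""
    best = node.explicit if node.explicit is not None else NO
    for child in node.children.values():
        candidate = displayed(child)
        if RANK[candidate] > RANK[best]:
            best = candidate
    return best


def allowed(root: Node, path: list[str], op: str) -> bool:
    """Whether `op` (view/add/update/delete) is permitted on the object at `path`."""
    return op in ALLOWED_OPS[effective(root, path)]


@dataclass
class RbacPolicy:
    """If admin_group matches, assign this menu access plus these data access trees."""
    admin_group: str
    menu_access: str
    data_access: dict[str, Node]                   # data type name -> hierarchy root


def permissions_for(policies: list[RbacPolicy], admin_group: str) -> Optional[RbacPolicy]:
    """Resolve the policy for an admin group; the first matching policy applies."""
    return next((p for p in policies if p.admin_group == admin_group), None)


def build_figure_tree() -> Node:
    """Endpoint Identity Groups hierarchy as drawn in Figure 1 (constructed values)."""
    eig = Node("Endpoint Identity Groups")          # label 2: shows max of children
    eig.add("Blocked List", NO)                     # label 3
    continents = eig.add("Continents")              # label 4: derives max of children
    asia = continents.add("Asia", FULL)             # label 7: children inherit Full Access
    asia.add("India")                               # no explicit grant -> inherits from Asia
    continents.add("Australia", RO)                 # label 5
    return eig
```

With this tree, India resolves to Full Access through Asia, Australia stays Read Only (view permitted, delete refused), and both Continents and Endpoint Identity Groups display Full Access because Asia carries that grant.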

The following table shows the default data access permissions for different admin groups.

√: Denotes that a user has full access

x: Denotes that a user has no access

!: Denotes that a user has read-only access

Table 3. Data Access Permissions

Menus and Submenus | Super Admin Data Access | Policy Admin Data Access | Identity Admin Data Access | Network Admin Data Access | System Admin Data Access | RBAC Admin Data Access | Customization Admin Data Access | TACACS+ Admin Data Access | Read Only Admin Data Access
Admin Groups | x | x | x | x | x | !
Admin Groups > Super Admin | x | x | x | x | x | !
Admin Groups > Policy Admin | x | x | x | x | x | !
Admin Groups > Helpdesk Admin | x | x | x | x | x | !
Admin Groups > Identity Admin | x | x | x | x | x | !
Admin Groups > Network Device Admin | x | x | x | x | x | !
Admin Groups > System Admin | x | x | x | x | x | !
Admin Groups > RBAC Admin | x | x | x | x | x | !
Admin Groups > MnT Admin | x | x | x | x | x | !
Admin Groups > ERS Admin | x | x | x | x | x | !
Admin Groups > ERS Operator | x | x | x | x | x | !
Admin Groups > Customization Admin | x | x | x | x | x | !
Admin Groups > TACACS+ Admin | x | x | x | x | x | !
Admin Groups > Read Only Admin | x | x | x | x | x | !
Admin Groups > Elevated System Admin | x | x | x | x | x | !
Admin Groups > SPOG Admin | x | x | x | x | x | !
Admin Groups > ERS Trustsec | x | x | x | x | x | !
User Identity Groups | x | x | x | !
User Identity Groups > GuestType_Weekly (default) | x | x | x | !
User Identity Groups > OWN_ACCOUNTS (default) | x | x | x | !
User Identity Groups > GROUP_ACCOUNTS (default) | x | x | x | !
User Identity Groups > GuestType_SocialLogin (default) | x | x | x | !
User Identity Groups > Employee | x | x | x | !
User Identity Groups > GuestType_Daily (default) | x | x | x | !
User Identity Groups > GuestType_Contractor (default) | x | x | x | !
User Identity Groups > ALL_ACCOUNTS (default) | x | x | x | !
Endpoint Identity Groups | x | x | x | x | !
Endpoint Identity Groups > Blocked List | x | x | x | x | !
Endpoint Identity Groups > GuestEndpoints | x | x | x | x | !
Endpoint Identity Groups > RegisteredDevices | x | x | x | x | !
Endpoint Identity Groups > Unknown | x | x | x | x | !
Endpoint Identity Groups > Profiled | x | x | x | x | !
Endpoint Identity Groups > Profiled > Sony-Device | x | x | x | x | !
Endpoint Identity Groups > Profiled > Cisco-Meraki-Device | x | x | x | x | !
Endpoint Identity Groups > Profiled > Windows11-Workstation | x | x | x | x | !
Endpoint Identity Groups > Profiled > Apple-iDevice | x | x | x | x | !
Endpoint Identity Groups > Profiled > BlackBerry | x | x | x | x | !
Endpoint Identity Groups > Profiled > Android | x | x | x | x | !
Endpoint Identity Groups > Profiled > Axis-Device | x | x | x | x | !
Endpoint Identity Groups > Profiled > Juniper-Device | x | x | x | x | !
Endpoint Identity Groups > Profiled > Epson-Device | x | x | x | x | !
Endpoint Identity Groups > Profiled > Synology-Device | x | x | x | x | !
Endpoint Identity Groups > Profiled > Vizio-Device | x | x | x | x | !
Endpoint Identity Groups > Profiled > Trendnet-Device | x | x | x | x | !
Endpoint Identity Groups > Profiled > Cisco-IP-Phone | x | x | x | x | !
Endpoint Identity Groups > Profiled > OS_X_BigSur-Workstation | x | x | x | x | !
Endpoint Identity Groups > Profiled > Workstation | x | x | x | x | !
Network Device Groups | x | x | x | x | x | !
Network Device Groups > All Locations | x | x | x | x | x | !
Network Device Groups > All Locations > Asia | x | x | x | x | x | !
Network Device Groups > All Locations > Asia > India | x | x | x | x | x | !
Network Device Groups > Is IPSEC Device | x | x | x | x | x | !
Network Device Groups > Is IPSEC Device > Yes | x | x | x | x | x | !
Network Device Groups > Is IPSEC Device > No | x | x | x | x | x | !
Network Device Groups > All Device Types | x | x | x | x | x | !
Customization | NA | NA | NA | NA | NA | NA | NA | NA

Configure Data Access Permissions

Cisco ISE allows you to create custom data access permissions that you can map to an RBAC policy. Based on the role of the administrator, you can choose to provide access to only select data.

Procedure

Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Admin Access > Authorization > Permissions.

Step 2

Choose Permissions > Data Access.

Step 3

Click Add, and enter values for the Name and Description fields.

  1. Click to expand the admin group and select the corresponding admin group.

  2. Click Full Access, Read Only Access, or No Access.

Step 4

Click Save.


Read-Only Admin Policy

The default Read-Only Admin policy is available in the Administration > System > Admin Access > Authorization > RBAC Policy window. This policy is available for both new installations and upgraded deployments. The Read-Only Admin policy is applicable to the Read-Only Admin group. By default, Super Admin Menu Access and Read-Only Data Access permissions are granted to Read-Only administrators. This policy cannot be duplicated and the associated Data Access permission cannot be edited.


Note


  • The default read-only policy is mapped to the Read Only Admin group. You cannot create a custom RBAC policy using the Read Only Admin group.

  • Cisco ISE supports the read-only functionality based on the static check of Read-Only Admin Group only.


Customize Menu Access for the Read-Only Administrator

By default, Read-Only Administrators are given Super Admin Menu Access and Read Only Admin Data Access. However, if the Super Admin requires that the Read-Only Administrator view only the Home and Administration tabs, the Super Admin can create a custom menu access or customize the default Permissions to, for example, MnT Admin Menu Access or Policy Admin Menu Access. The Super Admin cannot modify the Read Only Data Access mapped to the Read Only Admin Policy.

Procedure

Step 1

Log in to the Admin portal as a Super Admin.

Step 2

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Admin Access > Authorization > Permissions > Menu Access.

Step 3

Click Add and enter a Name (for example, MyMenu) and Description.

Step 4

In the Menu Access Privileges section, you can enable the Show or Hide option to choose the required options (for example, Home and Administration tabs) that should be displayed for the Read-Only Administrator.

Step 5

Click Submit.

The custom menu access permission is displayed in the Permissions drop-down list corresponding to the Read-Only Admin Policy displayed in the Administration > System > Admin Access > Authorization > Policy window.

Step 6

Choose Administration > System > Admin Access > Authorization > RBAC Policy.

Step 7

Click the Permissions drop-down list corresponding to the Read-Only Admin Policy and choose a default (MnT Admin Menu Access) or custom menu access permission (MyMenu) that you have created in the Administration > System > Admin Access > Authorization > Permissions > Menu Access window.

Step 8

Click Save.

Note

 
  • You will encounter an error if you choose Data Access permissions for the Read-Only Admin policy.

  • When you log in to the Read-Only Admin portal, a Read-Only icon appears at the top of the window, and you can view only the specified menu options without data access.