8-20
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Managing Internal Identity Stores
Configuring Users or Hosts for Management Hierarchy
A specific level of access is defined to represent the top-most node in the Management Hierarchy
assigned to each user or host. This level is defined in the user’s “ManagementHierarchy” attribute.
The total value length is limited to 256 characters.
The administrator can configure any level of hierarchy while defining management centers or AAA
client locations. The syntax for the ManagementHierarchy attribute is:
<HierarchyName>:<HierarchyRoot>:<Value>
Examples:
1. Location:All Locations:ManagementCenter1
2. Location:All Locations:ManagementCenter1:Customer 1
The administrator can configure multiple values for the management hierarchy. The syntax for a
multiple-value attribute is:
<HierarchyName>:<HierarchyRoot>:<Value>|<Value>|…
Example:
Location:All Locations:ManagementCenter1:Customer1|ManagementCenter1:Customer2
Configuring and Using the UserIsInManagementHierarchy Attribute
To configure and use the UserIsInManagementHierarchy attribute, complete the following steps:
Step 1 Create ManagementHierarchy and UserIsInManagementHierarchy attributes for internal users. See
Configuring Internal Identity Attributes, page 18-11.
Step 2 Create the Network Device Groups for the network devices and AAA clients with the required
hierarchies. See Creating, Duplicating, and Editing Network Device Groups, page 7-2.
Step 3 Create Network Devices and AAA clients and associate them with a Network Device Group. See
Creating, Duplicating, and Editing Network Devices, page 7-10.
Step 4 Create Internal Users and configure the ManagementHierarchy attribute. See Creating Internal Users,
page 8-11.
Step 5 Choose Access Policies > Access Services > Default Network Access > Authorization.
The Authorization page appears.
Step 6 Click Customize, add the Compound Condition to the policy conditions, and click OK.
Step 7 Click Create to create a new policy and do the following:
a. Enter an appropriate name for the policy and set the status.
b. In the Conditions section, check the Compound Condition check box.
c. Select Internal Users from the dictionary drop-down list.
d. Select UserIsInManagementHierarchy attribute from the available attribute list.
e. Select Static value and enter True as a condition for the rule to be matched.
f. Click Add to add this compound condition to the policy.
g. Choose the policy result for the rule and click OK.
See Configuring a Session Authorization Policy for Network Access, page 10-30 for more information
on creating an authorization policy for network access.
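The following is an added example, not code from Cisco ACS or this guide. It models the ManagementHierarchy attribute syntax given above (including the 256-character limit and the |-separated multiple-value form) and the UserIsInManagementHierarchy condition evaluated in Step 7. The matching semantics are an assumption not stated on this page: the condition is taken to be True when the AAA client's Network Device Group path is at or below one of the user's configured nodes, with node names compared whole so that Customer1 does not cover Customer10.

```python
# Added example (not Cisco ACS code). Assumed semantics: the AAA client's NDG
# path must be at or below one of the user's nodes; node names compare whole.
from dataclasses import dataclass

MAX_VALUE_LENGTH = 256  # total value length limit given in the guide


@dataclass(frozen=True)
class ManagementHierarchy:
    hierarchy_name: str   # e.g. "Location"
    hierarchy_root: str   # e.g. "All Locations"
    nodes: tuple          # each node as a tuple of path elements below the root


def parse_management_hierarchy(value: str) -> ManagementHierarchy:
    """Parse '<HierarchyName>:<HierarchyRoot>:<Value>|<Value>|...'."""
    if len(value) > MAX_VALUE_LENGTH:
        raise ValueError(f"value exceeds {MAX_VALUE_LENGTH} characters")
    parts = [p.strip() for p in value.split(":", 2)]
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed ManagementHierarchy value: {value!r}")
    name, root, rest = parts
    nodes = []
    for raw in rest.split("|"):  # multiple values are '|'-separated
        elems = tuple(e.strip() for e in raw.split(":"))
        if not all(elems):
            raise ValueError(f"empty node name in {raw!r}")
        nodes.append(elems)
    return ManagementHierarchy(name, root, tuple(nodes))


def is_valid_value(value: str) -> bool:
    """True if the value parses; use to validate input before saving it."""
    try:
        parse_management_hierarchy(value)
        return True
    except ValueError:
        return False


def user_is_in_management_hierarchy(attr: ManagementHierarchy, device_ndg: str) -> bool:
    """Evaluate the condition for one AAA client whose NDG membership is written
    like a single-valued attribute, e.g. 'Location:All Locations:ManagementCenter1:Customer1'."""
    device = parse_management_hierarchy(device_ndg)
    if len(device.nodes) != 1:
        raise ValueError("a device belongs to exactly one node of a hierarchy")
    if (device.hierarchy_name, device.hierarchy_root) != (attr.hierarchy_name, attr.hierarchy_root):
        return False  # a different hierarchy (e.g. Device Type) never matches
    return any(device.nodes[0][:len(node)] == node for node in attr.nodes)
```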