Filter
Top Products
16-15
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 16 Managing System Administrators
Working with Administrative Access Control
The AAC service processes these two policies in a sequence. You need to configure both the
Administrator identity policy and the Administrator authorization policy. The default for both the
policies are:
Identity policy—The default is Internal Identity Store.
Authorization policy—The default is Deny Access.
The AAC service supports only the PAP authentication type. Only the Super Admin is permitted to
configure administrator access control.
While upgrading the ACS application to ACS 5.4, AAC undergoes the following changes:
• Single AAC service is automatically created during upgrade.
• The identity policy in AAC service is set to Administrators Internal Identity Store.
• All existing administrators are validated with a static role assignment.
• All administrators with the Super Admin role are automatically set as the recovery account.
After upgrading the ACS application to 5.4, if the administrator accounts are not updated, the upgraded
administrator accounts are authenticated against the administrator internal identity store and get their
roles through static assignment. While restoring the backup when upgrading, ACS 5.4 takes care of
upgrading the schema files as well as the data.
Note Administrator accounts created in external identity stores cannot access CARS mode of ACS CLI. But,
they can access acs-config mode of ACS CLI.
This section contains the following topics:
• Administrator Identity Policy, page 16-15
• Administrator Authorization Policy, page 16-19
Administrator Identity Policy
The identity policy in administrative access control defines the identity source that ACS uses for
authentication and attribute retrieval. The attributes and groups can be retrieved only from the external
database. ACS can use the retrieved attributes only in subsequent authorization policies.
The AAC service supports two types of identity policies. They are:
• Single result selection
• Rule-based result selection
Super Admin can configure and modify this policy. You can configure a simple policy, which applies the
same identity source for authentication of all requests, or you can configure a rule-based identity policy.
The supported identity methods for a simple policy are:
• Deny Access—Access to the user is denied and no authentication is performed.
• Identity Store—A single identity store.
You can select any one of the following identity stores:
–
Internal Administrator ID store
–
Active Directory ID store
–
LDAP ID store