Cisco Systems CSACS3415K9 Computer Accessories User Manual


 
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 16 Managing System Administrators
Working with Administrative Access Control
Administrator Authorization Policy
The authorization policy in Administrative Access Control dynamically assigns roles to administrators
at login. The administrator's role is set according to the rules defined in the policy. If the
administrator is authenticated against an external database, rule conditions can include the attributes
and groups retrieved from it. ACS can use the retrieved attributes in subsequent policies.
Authorization policy-based role assignment applies to both internal and external administrator
accounts. It is the only method available for assigning roles to external administrator accounts.
In the administrator authorization policy, each rule contains a result and one or more conditions that
are used for authentication.
The supported conditions are:
System username
System time and date
Administrator client IP address
AD dictionary or LDAP dictionary (external groups and attributes)
The administrator identity policy and the password type feature enable administrators to authenticate the
requests in external identity stores like Active Directory or LDAP identity stores and to retrieve the
administrator groups and attributes. The administrator authorization policy rules can be configured
based on these retrieved groups and attributes.
You can configure the administrator authorization policy results with a set of administrator roles that are
to be assigned to the administrators.
The supported authorization policy results are:
Administrator Role Result—One or more administrator roles
Deny Access—Failed authorization
You can create, duplicate, edit, and delete rules within the authorization policy, and you can enable and
disable rules.
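The rule structure described above, modeled as an added example (this is not ACS code and is not taken from the Cisco guide). It assumes rules are checked top-down, the first enabled match decides the result, and Deny Access applies when no rule matches; the role names, group DNs and subnet are constructed sample values.

```python
# Illustrative model only, not ACS code. Assumption: rules are checked top-down,
# the first enabled match wins, and the outcome is Deny Access if nothing matches.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

DENY = "Deny Access"

@dataclass
class Rule:
    name: str
    roles: object                       # list of administrator roles, or DENY
    enabled: bool = True
    usernames: Optional[set] = None     # System username
    hours: Optional[tuple] = None       # System time: (start, end) as datetime.time
    client_net: Optional[str] = None    # Administrator client IP address (CIDR)
    groups: Optional[set] = None        # AD/LDAP external groups (any-of match)

    def matches(self, user, when, client_ip, ext_groups):
        # Every condition that is set must hold; unset conditions are ignored.
        if self.usernames is not None and user not in self.usernames:
            return False
        if self.hours is not None and not (self.hours[0] <= when.time() < self.hours[1]):
            return False
        if self.client_net is not None and ip_address(client_ip) not in ip_network(self.client_net):
            return False
        if self.groups is not None and not (self.groups & set(ext_groups)):
            return False
        return True

def authorize(rules, user, when, client_ip, ext_groups=()):
    """Return the roles of the first enabled matching rule, else DENY."""
    for rule in rules:
        if rule.enabled and rule.matches(user, when, client_ip, ext_groups):
            return rule.roles
    return DENY

# Constructed sample policy: role names, group DNs and subnet are placeholders.
ADMINS = "CN=ACS-Admins,DC=example,DC=com"
HELPDESK = "CN=Helpdesk,DC=example,DC=com"
POLICY = [
    Rule("Off-hours lockout", DENY, hours=(time(0, 0), time(6, 0))),
    Rule("Full admin from mgmt net", ["SuperAdmin"], client_net="10.0.50.0/24", groups={ADMINS}),
    Rule("Helpdesk read-only", ["ReadOnlyAdmin"], groups={HELPDESK}),
]

if __name__ == "__main__":
    print(authorize(POLICY, "alice", datetime(2024, 1, 15, 12, 0), "10.0.50.7", [ADMINS]))
```

Running the same login through the model from a different client address or at a different hour shows how rule order and the fall-through deny shape the role an external administrator ends up with.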
Configuring Administrator Authorization Policies
The administrator authorization policy determines the role for ACS administrators.
See Configuring General Access Service Properties, page 10-13 for a description of the AAC Access
Service properties page.
Use this page to do the following:
View rules.
Delete rules.
Open pages that enable you to create, duplicate, edit, and customize rules.
Select System Administration > Administrative Access Control > Authorization > Standard Policy.
The Administrator Authorization Policy page appears as described in Table 16-11.