Cisco Systems CSACS3415K9 Computer Accessories User Manual

16-21
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 16 Managing System Administrators
Working with Administrative Access Control
Administrator Login Process
When an administrator logs in to the ACS web interface, ACS 5.4 performs authentication as described
below.
If an administrator account is configured as a recovery account in the administrator internal identity
store, then ACS bypasses the identity and authorization policies, authenticates the administrator against
the administrator internal identity store, and assigns the role statically. If an administrator account is not
a recovery account, then ACS proceeds with policy-based authentication.
As a part of policy-based authentication, ACS fetches the AAC service with identity policy and
authorization policy configuration. ACS evaluates the identity policy and gets the identity store as a
result. If the identity policy result is the administrator internal identity store, then ACS evaluates the
password type and retrieves the identity store as the result.
ACS authenticates the administrator against the selected identity store, and retrieves the user groups and
user attributes, if the administrator account is configured in an external identity store.
If the administrator account is configured in the internal identity store, and it has a static role assignment,
then ACS extracts the list of administrator roles.
If the administrator account is configured in an external or internal identity store and has a dynamic role
assignment, ACS evaluates the authorization policy, gets a list of administrator roles, and uses it
dynamically, or gets Deny Access as the result.
Based on the selected role, ACS grants the administrator access and enforces the access restrictions that
apply to that role. If Deny Access is the result of the evaluation, then ACS denies access to the
administrator and logs the reason for the failure in the customer logs.
Table 16-12 Administrators Authorization Rule Properties Page

Option          Description

General

Name            Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum
                configuration; all other fields are optional.

Status          Rule statuses are as follows:
                Enabled—The rule is active.
                Disabled—ACS does not apply the results of the rule.
                Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as
                hit count are written to the log, and the log entry includes an identification that the rule
                is monitor-only. The monitor option is especially useful for watching the results of a new
                rule.

Conditions

conditions      The conditions that you can configure for the rule. By default the compound condition appears.
                You can change the conditions that appear by using the Customize button in the Policy page.
                The default value for each condition is ANY. To change the value for a condition, check the
                condition check box, then specify the value.
                If you check Compound Condition, an expression builder appears in the conditions frame. For
                more information, see Configuring Compound Conditions, page 10-41.

Results

Roles           Roles to apply for the rule.
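The administrator login flow described above and the Enabled/Disabled/Monitor rule statuses from Table 16-12, modelled in Python as an added example; this is not Cisco code and not how ACS is implemented internally. The account records, identity store name, group names, role names and rules are constructed, and the authorization policy is simplified to a single group-membership condition per rule with first-match evaluation.

```python
from dataclasses import dataclass, field
DENY = "Deny Access"

@dataclass
class Admin:                     # constructed administrator account record
    name: str
    store: str                   # "internal" or the name of an external store
    recovery: bool = False       # recovery accounts bypass both policies
    static_roles: list = field(default_factory=list)  # empty => dynamic assignment
    groups: list = field(default_factory=list)        # groups fetched from the store

@dataclass
class Rule:                      # one row of the administrator authorization policy
    name: str
    status: str                  # "Enabled", "Disabled" or "Monitor"
    group: str                   # condition; "ANY" matches every administrator
    roles: list                  # result; an empty list means Deny Access
    hits: int = 0

def evaluate_authorization(admin, rules, log):
    # First match wins; Disabled rules are skipped, Monitor rules only log a hit.
    for rule in rules:
        if rule.status == "Disabled":
            continue
        if rule.group != "ANY" and rule.group not in admin.groups:
            continue
        rule.hits += 1
        if rule.status == "Monitor":
            log.append(f"monitor-only rule {rule.name!r} matched {admin.name}")
            continue                                  # result is not applied
        return list(rule.roles) or DENY
    return DENY                  # no Enabled rule matched

def admin_login(admin, password_ok, rules, log):
    # Returns the roles granted to the administrator, or DENY (reason logged).
    if admin.recovery:           # policies bypassed, role assigned statically
        return list(admin.static_roles) if password_ok else DENY
    if not password_ok:
        log.append(f"authentication failed for {admin.name} in {admin.store}")
        return DENY
    if admin.store == "internal" and admin.static_roles:
        return list(admin.static_roles)               # static role assignment
    result = evaluate_authorization(admin, rules, log)  # dynamic role assignment
    if result == DENY:
        log.append(f"authorization denied for {admin.name}")
    return result
# Constructed sample policy: a monitor-only trial rule, then two enabled rules.
RULES = [Rule("watch-helpdesk", "Monitor", "helpdesk", ["ReadOnlyAdmin"]),
         Rule("netops", "Enabled", "netops", ["NetworkDeviceAdmin"]),
         Rule("catch-all", "Enabled", "ANY", [])]
```

An account that only matches the Monitor rule falls through to the catch-all and is denied, while the Monitor rule's hit count and log entry still show what it would have granted.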