
Cisco Acs 57 User Guide


Page 291

35   
Managing Access Policies
Configuring Access Service Policies
Configuring Shell/Command Authorization Policies for Device Administration
When you create an access service and select a service policy structure for Device Administration, ACS automatically creates a shell/command authorization policy. You can then create and modify policy rules.
The web interface supports the creation of multiple command sets for device administration. With this capability, you can maintain a smaller number of basic...

Page 292

36
Editing Policy Rules, page 39
Deleting Policy Rules, page 39
Configuring Authorization Exception Policies 
An authorization policy can include exception policies. In general, exceptions are temporary policies; for example, to grant provisional access to visitors or increase the level of access to specific users. Use exception policies to react efficiently to changing circumstances and events.
The results from the exception rules...

Page 293

37   
To configure rules, see:
Creating Policy Rules, page 37
Duplicating a Rule, page 38
Editing Policy Rules, page 39
Deleting Policy Rules, page 39
Related Topics
Configuring a Session Authorization Policy for Network Access, page 30
Configuring Shell/Command Authorization Policies for Device Administration, page 35
Creating Policy Rules
When you create rules, remember that the order of the rules is important. When ACS encounters a...

Page 294

38
The Rule page appears.
3. Define the rule.
4. Click OK.
The Policy page appears with the new rule.
5. Click Save Changes to save the new rule.
To configure a simple policy to use the same result for all requests that an access service processes, see: 
Viewing Identity Policies, page 23
Configuring a Group Mapping Policy, page 27
Configuring a Session Authorization Policy for Network Access, page 30
Configuring a Session Authorization...

Page 295

39   
7. Click Discard Changes to cancel the duplicate rule.
Related Topics
Creating Policy Rules, page 37
Editing Policy Rules, page 39
Deleting Policy Rules, page 39
Editing Policy Rules
You can edit all values of policy rules; you can also edit the result in the Default rule.
To edit a rule:
1. Select Access Policies > Service Selection Policy > service > policy, where service is the name of the access service, and policy is the type of...

Page 296

40
Configuring Compound Conditions
The Policy page appears without the deleted rule(s).
4. Click Save Changes to save the new configuration.
5. Click Discard Changes to retain the deleted information.
Related Topics
Creating Policy Rules, page 37
Duplicating a Rule, page 38
Editing Policy Rules, page 39
Configuring Compound Conditions
Use compound conditions to define a set of conditions based on any attributes allowed in simple policy conditions. You define compound...

Page 297

41   
Precedence Control—You can alter the precedence of logical operators by using parentheses. Nested parentheses provide administrator control of precedence. The natural precedence of logical operators, that is, without parenthesis intervention, is NOT, AND, OR, where NOT has the highest precedence and OR the lowest.
Table 100 on page 41 summarizes the supported dynamic attribute mapping while building Compound Conditions.
Note: Dynamic...

Page 298

42
Figure 25 Compound Expression - Atomic Condition 
Single Nested Compound Condition
Consists of a single operator followed by a set of predicates (>=2). The operator is applied between each of the predicates. See Figure 26 on page 42 for an example. The preview window displays parentheses [()] to indicate precedence of logical operators.
Figure 26 Single Nested Compound Expression
Multiple Nested Compound Condition
You can extend the simple...

Page 299

43   
Figure 27 Multiple Nested Compound Expression
Compound Expression with Dynamic value
You can select a dynamic value to choose another dictionary attribute to compare against the dictionary attribute selected as the operand. See Figure 28 on page 44 for an example.

Page 300

44
Figure 28 Compound Expression Builder with Dynamic Value
Related Topics
Compound Condition Building Blocks, page 40
Using the Compound Expression Builder, page 44
Using the Compound Expression Builder
You construct compound conditions by using the expression builder in Rule Properties pages. The expression builder contains two sections: a predicate builder to create primary conditions and controls for managing the expression.
In the first...