User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Managing Internal Identity Stores
Related Topics
Host Lookup, page 4-13
Creating Hosts in Identity Stores, page 8-16
Deleting Internal Hosts, page 8-18
Policies and Identity Attributes, page 3-17
Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18
Management Hierarchy
Management Hierarchy enables the administrator to grant access permission to internal users or
internal hosts according to their level in the organization's management hierarchy. A
hierarchical label is assigned to each device; it represents the administrative location of that particular
device within the organization's management hierarchy.
For example, the hierarchical label All:US:NY:MyMgmtCenter indicates that the device is in
MyMgmtCenter, under the city of NY, which is in the U.S. The administrator can grant access permission to users
based on their assigned level of hierarchy. For instance, if a user has the assigned level All:US:NY, then
that user is given permission when the user accesses the network through any device whose hierarchy
starts with All:US:NY. The same examples apply to internal hosts.

Attributes of Management Hierarchy

To use the Management Hierarchy feature, the administrator needs to create the following attributes in the
Internal Users Dictionary:
ManagementHierarchy attribute—allows the administrator to define one or more hierarchies for
each internal user or internal host. This attribute is of type string and the maximum character
length is 256. See Creating, Duplicating, and Editing an Internal User Identity Attribute, page 18-10
and Creating, Duplicating, and Editing an Internal Host Identity Attribute, page 18-13.
UserIsInManagementHierarchy or HostIsInManagementHierarchy attribute—the value of this
attribute is set to true when the hierarchy defined for the user or host equals, or is contained in, the
hierarchy defined for the network device and AAA clients. This attribute is of type Boolean and the
default value is false. It is not displayed in the Users or Hosts page in the ACS web interface. You can
view this attribute only in the identity attributes dictionary list. See Creating, Duplicating, and
Editing an Internal User Identity Attribute, page 18-10 and Creating, Duplicating, and Editing an
Internal Host Identity Attribute, page 18-13.
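The following added example (not Cisco ACS code) models the matching rule described above: a user's or host's ManagementHierarchy label matches a device label that equals it or starts with it, and UserIsInManagementHierarchy/HostIsInManagementHierarchy becomes true when any of the principal's hierarchies matches. Matching on whole colon-separated levels (so All:US:NY does not match All:US:NYC) and case-sensitive comparison are assumptions; the guide only says "starts with".

```python
# Added example (not Cisco ACS code): evaluates the Management Hierarchy match
# for one internal user or host against one AAA client (network device).
from typing import Iterable, List

MAX_HIERARCHY_LEN = 256  # ManagementHierarchy is a string of at most 256 characters


def parse_hierarchy(label: str) -> List[str]:
    """Split a label such as 'All:US:NY:MyMgmtCenter' into its levels.

    Rejects empty labels, empty levels ('All::NY') and labels over the
    256-character limit documented for the attribute.
    """
    if not label or len(label) > MAX_HIERARCHY_LEN:
        raise ValueError(f"invalid hierarchy label: {label!r}")
    levels = label.split(":")
    if any(level == "" for level in levels):
        raise ValueError(f"empty level in hierarchy label: {label!r}")
    return levels


def is_in_hierarchy(user_hierarchy: str, device_hierarchy: str) -> bool:
    """True when the device label equals or extends the user label.

    Comparison is level by level (assumption): All:US:NY matches
    All:US:NY:MyMgmtCenter but not All:US:NYC, which a plain string-prefix
    test would wrongly accept.
    """
    user_levels = parse_hierarchy(user_hierarchy)
    device_levels = parse_hierarchy(device_hierarchy)
    return device_levels[: len(user_levels)] == user_levels


def user_is_in_management_hierarchy(user_hierarchies: Iterable[str],
                                    device_hierarchy: str) -> bool:
    """Value of UserIsInManagementHierarchy / HostIsInManagementHierarchy.

    The principal may hold one or more hierarchies; any match sets the
    attribute to true, otherwise it keeps its default of false.
    """
    return any(is_in_hierarchy(h, device_hierarchy) for h in user_hierarchies)


if __name__ == "__main__":
    # Constructed sample data: one user with two hierarchies, four AAA clients.
    user = ["All:US:NY", "All:US:CA:SanJose"]
    for device in ["All:US:NY:MyMgmtCenter", "All:US:NYC:Branch",
                   "All:US:CA", "All:EU:DE"]:
        print(f"{device:28} -> {user_is_in_management_hierarchy(user, device)}")
```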

Configuring AAA Devices for Management Hierarchy

The management centers and the correlated customer names should be configured within a Management
Hierarchy for each AAA client. Any Network Device Group can be used as a Management Hierarchy for
an AAA client. The Network Device Group used for this purpose is known as the Management Hierarchy
Attribute. The administrator can create a new Network Device Group to be used as the Management
Hierarchy. The Location hierarchy is an example of a Management Hierarchy attribute.
Example:
Location:All Locations:ManagementCenter1:Customer1