User Guide for Cisco Secure Access Control System 5.4
OL-26225-01

CHAPTER 9
Managing Policy Elements
A policy defines the authentication and authorization processing of clients that attempt to access the ACS
network. A client can be a user, a network device, or a user associated with a network device.
Policies are sets of rules. Rules contain policy elements, which are sets of conditions and results that are
organized in rule tables. See Chapter 3, “ACS 5.x Policy Model” for more information on policy design
and how it is implemented in ACS.
Before you configure your policy rules, you must create the policy elements, which are the conditions
and results to use in those policies. After you create the policy elements, you can use them in policy
rules. See Chapter 10, “Managing Access Policies” for more information on managing services, policies,
and policy rules.
This chapter contains the following topics:
Managing Policy Conditions, page 9-1
Managing Authorizations and Permissions, page 9-17
Creating, Duplicating, and Editing Downloadable ACLs, page 9-32
Note When Cisco Security Group Access license is installed, you can also configure Security Groups and
Security Group Access Control Lists (SGACLs), which you can then use in Security Group Access
authorization policies. For information about configuring security groups for Security Group Access, see
Creating Security Groups, page 4-24.

Managing Policy Conditions

You can configure the following items as conditions in a rule table:
Request/Protocol Attributes—ACS retrieves these attributes from the authentication request that the
user issues.
Identity Attributes—These attributes are related to the identity of the user performing a request.
These attributes can be retrieved from the user definition in the internal identity store or from user
definitions that are stored in external identity stores, such as LDAP and AD.
Identity Groups—ACS maintains a single identity group hierarchy that is used for all types of users
and hosts. Each internal user or host definition can include an association to a single identity group
within the hierarchy.
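The three condition types above are combined row by row in a rule table, and the identity-group condition matches not only the named group but everything beneath it in the hierarchy. The following Python model is an added illustration, not code from the Cisco guide or from ACS itself: the rule names, attribute names and values, the "All Groups:..." path format, and first-match evaluation with a fallback default are all assumptions made for the example. The one security-relevant detail it shows is that hierarchy membership must be compared segment by segment, because a plain string-prefix test would let a group called "Eng" satisfy a condition written for "Engineering".

```python
"""Toy model of an ACS-style rule table (added example, not ACS code).

A request carries three kinds of data that a rule can test:
  - protocol attributes taken from the access request itself,
  - identity attributes fetched from the internal or an external store,
  - the single identity-group path the user or host is assigned to.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    protocol: Dict[str, str]   # request/protocol attributes (constructed sample data)
    identity: Dict[str, str]   # identity attributes from the identity store
    identity_group: str        # e.g. "All Groups:Engineering:Network" (assumed format)


Condition = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    conditions: List[Condition]   # every condition in the row must hold (AND)
    result: str                   # the result element, e.g. an authorization profile


def in_hierarchy(member: str, ancestor: str) -> bool:
    """True if `member` is `ancestor` or lies below it in the group tree.

    Paths are colon-separated, so compare whole segments: a raw prefix test
    would wrongly accept "All Groups:Eng" for "All Groups:Engineering".
    """
    m, a = member.split(":"), ancestor.split(":")
    return m[:len(a)] == a


def protocol_attr(name: str, value: str) -> Condition:
    return lambda r: r.protocol.get(name) == value


def identity_attr(name: str, value: str) -> Condition:
    return lambda r: r.identity.get(name) == value


def identity_group_in(group: str) -> Condition:
    return lambda r: in_hierarchy(r.identity_group, group)


def evaluate(rules: List[Rule], default: str, req: Request) -> Tuple[str, str]:
    """First-match evaluation (assumed here); unmatched requests get the default."""
    for rule in rules:
        if all(cond(req) for cond in rule.conditions):
            return rule.name, rule.result
    return "Default", default


# Hypothetical rule table: row order matters because the first match wins.
RULES = [
    Rule("NetAdmin-SSH",
         [identity_group_in("All Groups:Engineering:Network"),
          protocol_attr("Service-Type", "Login")],
         "FullAccess"),
    Rule("Engineering-VPN",
         [identity_group_in("All Groups:Engineering"),
          protocol_attr("NAS-Port-Type", "Virtual")],
         "VPNAccess"),
    Rule("Contractor-Any",
         [identity_attr("EmployeeType", "Contractor")],
         "LimitedAccess"),
]


def decide(req: Request) -> Tuple[str, str]:
    """Run a request through the hypothetical table with a deny-by-default fallback."""
    return evaluate(RULES, "DenyAccess", req)


if __name__ == "__main__":
    # Constructed sample requests exercising each row and the default.
    samples = [
        Request({"Service-Type": "Login"}, {}, "All Groups:Engineering:Network"),
        Request({"NAS-Port-Type": "Virtual"}, {}, "All Groups:Engineering:Software"),
        Request({}, {"EmployeeType": "Contractor"}, "All Groups:Eng"),
        Request({}, {}, "All Groups:Sales"),
    ]
    for s in samples:
        print(s.identity_group, "->", decide(s))
```

The third sample is the edge case: its group "All Groups:Eng" is not under "All Groups:Engineering", so it falls past the VPN row and is caught only by the contractor row, while the last sample matches nothing and receives the deny-by-default result.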