10-3
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 10 Managing Access Policies
Policy Creation Flow
Policy Elements in the Policy Creation Flow
The web interface provides these defaults for defining device groups and identity groups:
All Locations
All Device Types
All Groups
The locations, device types, and identity groups that you create are children of these defaults.
To create the building blocks for a basic device administration policy:
Step 1 Create network resources. In the Network Resources drawer, create:
a. Device groups for Locations, such as All Locations > East, West, HQ.
b. Device groups for device types, such as All Device Types > Router, Switch.
c. AAA clients (clients for AAA switches and routers, address for each, and protocol for each), such as EAST-ACCESS-SWITCH, HQ-CORE-SWITCH, or WEST-WAN-ROUTER.
Step 2 Create users and identity stores. In the Users and Identity Stores drawer, create:
a. Identity groups (Network Operations and Supervisor).
b. Specific users and association to identity groups (Names, Identity Group, Password, and more).
Step 3 Create authorizations and permissions for device administration. In the Policy Elements drawer, create:
a. Specific privileges (in Shell Profiles), such as full access or read only.
b. Command Sets that allow or deny access (in Command Sets).
For this policy, you now have the following building blocks:
Network Device Groups (NDGs), such as:
Locations—East, HQ, West.
Device Types—Router, Switch.
Identity groups, such as:
Network Operations Sites—East, HQ, West.
Access levels—Full Access.
Devices—Routers and switches that have been assigned to network device groups.
Users—Network engineers in the internal identity store that have been assigned to identity groups.
Shell Profiles—Privileges that can apply to each administrator, such as:
Full privileges.
Read only privileges.
Command Sets—Allow or deny authorization to each administrator.
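The following Python model is an added illustration of how the building blocks from Steps 1 to 3 fit together; it is not ACS code and not the product's data model. It uses the device, group and profile names from this page, but the rule table, the hierarchical group matching, the "first matching entry wins" command-set evaluation, the privilege levels and the IP addresses are all constructed assumptions made for the example.

```python
"""Toy model of the device-administration building blocks listed above:
NDGs, AAA clients, identity groups, users, shell profiles, command sets
and rules tying them together. Added illustration only: not ACS code;
the matching semantics are simplified assumptions."""
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class AAAClient:               # Step 1c: a device, placed in two NDGs
    name: str
    ip: str                    # constructed sample address
    location: str              # child of "All Locations", e.g. "All Locations:East"
    device_type: str           # child of "All Device Types"


@dataclass(frozen=True)
class User:                    # Step 2b: an internal user in an identity group
    name: str
    identity_group: str        # child of "All Groups"


@dataclass(frozen=True)
class ShellProfile:            # Step 3a: privileges handed to the device
    name: str
    privilege_level: int       # assumption: 15 = full access, 1 = read only


@dataclass
class CommandSet:              # Step 3b: per-command allow/deny
    name: str
    # (grant, command, argument regex); assumption: first matching entry wins
    entries: list = field(default_factory=list)
    permit_unmatched: bool = False   # assumption: deny commands no entry covers

    def evaluate(self, command_line):
        cmd, _, args = command_line.strip().partition(" ")
        for grant, command, args_regex in self.entries:
            if cmd == command and re.fullmatch(args_regex, args):
                return grant == "permit"
        return self.permit_unmatched


@dataclass(frozen=True)
class Rule:
    """Conditions (location NDG, device-type NDG, identity group) -> results."""
    name: str
    location: str
    device_type: str
    identity_group: str
    shell_profile: str
    command_set: str


def in_group(member, group):
    """Groups are hierarchical: a member of 'All Locations:East' also
    matches a rule written against the parent 'All Locations'."""
    return member == group or member.startswith(group + ":")


# --- constructed sample data, reusing the names from the guide ------------
DEVICES = {d.name: d for d in [
    AAAClient("EAST-ACCESS-SWITCH", "192.0.2.10", "All Locations:East", "All Device Types:Switch"),
    AAAClient("HQ-CORE-SWITCH", "192.0.2.20", "All Locations:HQ", "All Device Types:Switch"),
    AAAClient("WEST-WAN-ROUTER", "192.0.2.30", "All Locations:West", "All Device Types:Router"),
]}
USERS = {u.name: u for u in [
    User("alice", "All Groups:Supervisor"),
    User("bob", "All Groups:Network Operations"),
]}
SHELL_PROFILES = {p.name: p for p in [ShellProfile("Full Access", 15), ShellProfile("Read Only", 1)]}
COMMAND_SETS = {c.name: c for c in [
    CommandSet("AllowAll", permit_unmatched=True),
    CommandSet("ShowOnly", [("permit", "show", r".*")]),
    CommandSet("NoDisruptive", [("deny", "reload", r".*"), ("deny", "write", r"erase")],
               permit_unmatched=True),
]}
# Rules are evaluated top down; the first rule whose conditions all match applies.
RULES = [
    Rule("Supervisors", "All Locations", "All Device Types", "All Groups:Supervisor", "Full Access", "AllowAll"),
    Rule("NetOps-HQ", "All Locations:HQ", "All Device Types", "All Groups:Network Operations", "Read Only", "ShowOnly"),
    Rule("NetOps-Sites", "All Locations", "All Device Types", "All Groups:Network Operations", "Full Access", "NoDisruptive"),
]


def authorize(username, device_name, command_line):
    """Return (rule name, privilege level, command permitted), or None when
    no rule matches, in which case a deny-by-default policy should apply."""
    user, device = USERS.get(username), DEVICES.get(device_name)
    if user is None or device is None:
        return None
    for rule in RULES:
        if (in_group(device.location, rule.location)
                and in_group(device.device_type, rule.device_type)
                and in_group(user.identity_group, rule.identity_group)):
            profile = SHELL_PROFILES[rule.shell_profile]
            permitted = COMMAND_SETS[rule.command_set].evaluate(command_line)
            return rule.name, profile.privilege_level, permitted
    return None


if __name__ == "__main__":
    for who, where, what in [("alice", "HQ-CORE-SWITCH", "reload"),
                             ("bob", "HQ-CORE-SWITCH", "configure terminal"),
                             ("bob", "EAST-ACCESS-SWITCH", "reload")]:
        print(who, where, repr(what), "->", authorize(who, where, what))
```

Two points this makes concrete: a more specific rule (NetOps-HQ) must sit above the broader one (NetOps-Sites) or it never fires, and a command set that permits unmatched commands is only as safe as its explicit deny entries, which is why the read-only HQ set is written as an allow list instead.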
Policy Creation Flow—Previous Step
Network Definition and Policy Goals, page 10-2