User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 10 Managing Access Policies
Policy Creation Flow—Next Steps
Access Service Policy Creation, page 10-4
Service Selection Policy Creation, page 10-4

Access Service Policy Creation

After you create the basic elements, you can create an access policy that includes identity groups and
privileges. For example, you can create an access service for device administration, called NetOps,
which contains authorization and authentication policies that use this data:
- Users in the Supervisor identity group—Full privileges to all devices at all locations.
- Users in the East, HQ, West identity groups—Full privileges to devices in the corresponding East, HQ, West device groups.
- If no match—Deny access.
Policy Creation Flow—Previous Steps
Network Definition and Policy Goals, page 10-2
Policy Elements in the Policy Creation Flow, page 10-3
Policy Creation Flow—Next Step
Service Selection Policy Creation, page 10-4

Service Selection Policy Creation

ACS provides support for various access use cases; for example, device administration, wireless access,
network access control, and so on. You can create access policies for each of these use cases. Your
service selection policy determines which access policy applies to an incoming request.
For example, you can create a service selection rule to apply the NetOps access service to any access
request that uses the TACACS+ protocol.
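The two-stage decision described above (service selection by protocol, then the NetOps authorization rules with deny on no match) can be modeled as follows. This is an added illustration, not ACS configuration syntax or Cisco code; the data structures, the first-match ordering, and the deny result when no service selection rule matches are assumptions of the model.

```python
# Illustrative model only: names and structures are assumptions,
# not ACS configuration syntax or an ACS API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    protocol: str        # protocol of the incoming request, e.g. "TACACS+"
    identity_group: str  # identity group of the authenticated user
    device_group: str    # location group of the target device

ANY = "*"
DENY = "Deny access"
FULL = "Full privileges"

# Service selection policy: ordered (protocol, access service) rules.
SERVICE_SELECTION = [("TACACS+", "NetOps")]

# NetOps authorization policy: ordered (identity group, device group, result).
NETOPS_RULES = [
    ("Supervisor", ANY, FULL),   # all devices at all locations
    ("East", "East", FULL),      # regional groups: matching device group only
    ("HQ", "HQ", FULL),
    ("West", "West", FULL),
]
ACCESS_SERVICES = {"NetOps": NETOPS_RULES}

def select_service(req):
    """Return the access service of the first matching selection rule."""
    for protocol, service in SERVICE_SELECTION:
        if req.protocol == protocol:
            return service
    return None

def authorize(rules, req):
    """Return the result of the first matching rule; deny if none match."""
    for identity_group, device_group, result in rules:
        if req.identity_group == identity_group and device_group in (ANY, req.device_group):
            return result
    return DENY

def evaluate(req):
    """Run both stages and return (selected service, authorization result)."""
    service = select_service(req)
    if service is None:
        return (None, DENY)  # assumption: no selected service means deny
    return (service, authorize(ACCESS_SERVICES[service], req))

if __name__ == "__main__":
    # Constructed sample requests.
    for r in (Request("TACACS+", "Supervisor", "West"),
              Request("TACACS+", "East", "West"),
              Request("RADIUS", "Supervisor", "HQ")):
        print(r, "->", evaluate(r))
```

The East-to-West request shows the case worth checking when reviewing such a policy: a valid regional administrator is still denied on devices outside the corresponding device group.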
Policy Creation Flow—Previous Steps
Network Definition and Policy Goals, page 10-2
Policy Elements in the Policy Creation Flow, page 10-3
Access Service Policy Creation, page 10-4

Customizing a Policy

ACS policy rules contain conditions and results. Before you begin to define rules for a policy, you must
configure which types of conditions that policy will contain. This step is called customizing your policy.
The condition types that you choose appear on the Policy page. You can apply only those types of
conditions that appear on the Policy page. For information about policy conditions, see Managing Policy
Conditions, page 9-1.
By default, a Policy page displays a single condition column for compound expressions. For information
on compound conditions, see Configuring Compound Conditions, page 10-41.