User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 10 Managing Access Policies
Configuring Access Service Policies
Configuring a Group Mapping Policy
Configure a group mapping policy to map groups and attributes that are retrieved from external identity
stores to ACS identity groups. When ACS processes a request for a user or host, this policy retrieves the
relevant identity group, which can then be used in authorization policy rules.
If you created an access service that includes a group mapping policy, you can configure and modify this
policy. You can configure a simple policy, which applies the same identity group to all requests; or, you
can configure a rule-based policy.
In the rule-based policy, each rule contains one or more conditions and a result. The conditions can be
based only on attributes or groups retrieved from external attribute stores, and the result is an identity
group within the identity group hierarchy. You can create, duplicate, edit, and delete rules within the
policy; and you can enable and disable them.
Caution: If you switch between the simple policy and the rule-based policy pages, you will lose your previously
saved policy.
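The difference between the two policy types, and the effect of disabling a rule on the identity group that authorization rules later see, shown as an added Python model; this is not ACS code. Assumptions not stated on this page: rules are checked top-down with the first enabled match winning, all conditions in a rule must hold, and a default group applies when no rule matches. The group, attribute and identity group names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    result: str                                      # identity group in the ACS hierarchy
    groups: set = field(default_factory=set)         # external groups that must all be present
    attributes: dict = field(default_factory=dict)   # external attributes that must all match
    enabled: bool = True

    def matches(self, ext_groups, ext_attrs):
        # Assumption: every condition in a rule must hold (logical AND).
        return (self.groups <= set(ext_groups)
                and all(ext_attrs.get(k) == v for k, v in self.attributes.items()))

def simple_policy(identity_group):
    """Simple policy: the same identity group for every request."""
    return lambda ext_groups, ext_attrs: identity_group

def rule_based_policy(rules, default_group):
    """Rule-based policy. Assumptions: rules are checked top-down, the first
    enabled match wins, and default_group applies when nothing matches."""
    def evaluate(ext_groups, ext_attrs):
        for rule in rules:
            if rule.enabled and rule.matches(ext_groups, ext_attrs):
                return rule.result
        return default_group
    return evaluate

# Constructed sample data: all names below are illustrative.
RULES = [
    Rule("NetAdmins", "All Groups:Network Admins", groups={"CN=NetAdmins,DC=example,DC=com"}),
    Rule("Contractors", "All Groups:Contractors", attributes={"employeeType": "contractor"}),
]
USER_GROUPS = {"CN=NetAdmins,DC=example,DC=com", "CN=Staff,DC=example,DC=com"}
USER_ATTRS = {"employeeType": "contractor"}

def demo():
    policy = rule_based_policy(RULES, "All Groups")
    first = policy(USER_GROUPS, USER_ATTRS)     # both rules match; the first one wins
    RULES[0].enabled = False                    # disabling a rule changes the mapped group
    second = policy(USER_GROUPS, USER_ATTRS)
    RULES[0].enabled = True
    unmatched = policy({"CN=Staff,DC=example,DC=com"}, {})
    return first, second, unmatched

if __name__ == "__main__":
    print(demo())
```

A user who satisfies more than one rule is mapped by whichever matching rule is evaluated first, so reviewing rule order and disabled rules is part of reviewing what authorization that user receives.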
To configure a simple group mapping policy:
Step 1 Select Access Policies > Access Services > service > Group Mapping, where service is the name of the
access service.
By default, the Simple Group Mapping Policy page appears. See Table 10-12 for field descriptions.
See Table 10-13 for Rule-Based Group Mapping Policy page field descriptions.
Table 10-12 Simple Group Mapping Policy Page

Option            Description
Policy type       Defines the type of policy to configure:
                  Simple—Specifies the results to apply to all requests.
                  Rule-based—Configure rules to apply different results depending on the request.
                  Caution: If you switch between policy types, you will lose your previously saved policy configuration.
Identity Group    Identity group to which attributes and groups from all requests are mapped.