10-35
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 10 Managing Access Policies
Configuring Access Service Policies
Configuring Shell/Command Authorization Policies for Device Administration
When you create an access service and select a service policy structure for Device Administration, ACS
automatically creates a shell/command authorization policy. You can then create and modify policy
rules.
The web interface supports the creation of multiple command sets for device administration. With this
capability, you can maintain a smaller number of basic command sets. You can then choose the command
sets in combination as rule results, rather than maintaining all the combinations themselves in individual
command sets.
You can also create an authorization policy with an exception policy, which can override the standard
policy results. See Configuring Authorization Exception Policies, page 10-36.
For information about how ACS processes rules with multiple command sets, see Processing Rules with
Multiple Command Sets, page 3-11.
Table 10-19 Device Administration Authorization Exception Policy Page

Option: Status
Description: Rule statuses are:
  Enabled—The rule is active.
  Disabled—ACS does not apply the results of the rule.
  Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit
  count are written to the log, and the log entry includes an identification that the rule is monitor
  only. The monitor option is especially useful for watching the results of a new rule.

Option: Name
Description: Name of the rule.

Conditions

Option: Identity Group
Description: Name of the internal identity group that the rule matches against.

Option: NDG:name
Description: Network device group. The two predefined NDGs are Location and Device Type.

Option: Condition
Description: Conditions that define the scope of the rule. To change the types of conditions that the rule uses, click
  the Customize button. You must have previously defined the conditions that you want to use.

Option: Results
Description: Displays the shell profile and command sets that will be applied when the corresponding rule is
  matched.
  You can customize rule results; a rule can determine the shell profile, the command sets, or both. The
  columns that appear reflect the customization settings.

Option: Hit Count
Description: Number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

Option: Customize button
Description: Opens the Customize page in which you choose the types of conditions to use in policy rules. A new
  Conditions column appears in the Policy page for each condition that you add. You do not need to use
  the same set of conditions and results as in the corresponding authorization policy.
  Caution: If you remove a condition type after defining rules, you will lose any conditions that you
  configured for that condition type.

Option: Hit Count button
Description: Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See
  Displaying Hit Counts, page 10-10.
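The following is an added illustration, not code from the Cisco ACS product or this guide: a small Python model of how the rule attributes in Table 10-19 (status, identity group and NDG conditions, shell profile and command set results, hit count) interact when a device-administration session is evaluated. It assumes top-down first-match evaluation, that a Disabled rule is skipped without counting a hit, and that a Monitor rule counts a hit and writes a "monitor only" log entry but does not return its results; the rule names, identity groups, NDG values and command set names are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

class Status(Enum):
    ENABLED = "Enabled"    # rule is active and its results are applied
    DISABLED = "Disabled"  # results of the rule are not applied
    MONITOR = "Monitor"    # rule is active; hit is logged as monitor only, results not applied

@dataclass
class Rule:
    name: str
    status: Status
    # Conditions; None models "any" (assumption for this illustration)
    identity_group: Optional[str] = None
    location: Optional[str] = None      # NDG:Location
    device_type: Optional[str] = None   # NDG:Device Type
    # Results; a rule may set the shell profile, the command sets, or both
    shell_profile: Optional[str] = None
    command_sets: List[str] = field(default_factory=list)
    hit_count: int = 0

@dataclass
class Session:
    identity_group: str
    location: str
    device_type: str

def rule_matches(rule: Rule, s: Session) -> bool:
    """Every configured condition must equal the session attribute; None matches anything."""
    pairs = ((rule.identity_group, s.identity_group),
             (rule.location, s.location),
             (rule.device_type, s.device_type))
    return all(cond is None or cond == value for cond, value in pairs)

def evaluate(rules: List[Rule], s: Session, log: List[str]) -> Optional[Tuple[str, Optional[str], List[str]]]:
    """Walk the rules top-down (assumed first-match semantics).
    Returns (rule name, shell profile, command sets) of the first Enabled match, or None."""
    for rule in rules:
        if rule.status is Status.DISABLED:
            continue                      # assumption: skipped entirely, no hit recorded
        if not rule_matches(rule, s):
            continue
        rule.hit_count += 1
        if rule.status is Status.MONITOR:
            # Hit is recorded and logged as monitor only; results are NOT applied, keep searching
            log.append(f"rule={rule.name} status=monitor-only hit={rule.hit_count} "
                       f"would_apply shell={rule.shell_profile} command_sets={rule.command_sets}")
            continue
        log.append(f"rule={rule.name} status=applied hit={rule.hit_count}")
        return rule.name, rule.shell_profile, list(rule.command_sets)
    return None

def reset_hit_counts(rules: List[Rule]) -> None:
    """Models the Hit Count button's reset action."""
    for rule in rules:
        rule.hit_count = 0

def build_sample_rules() -> List[Rule]:
    """Constructed sample policy: a new rule under monitor, two enabled rules, a disabled legacy rule, a catch-all."""
    return [
        Rule("Monitor-NetOps", Status.MONITOR, identity_group="NetOps",
             shell_profile="Full-Privilege", command_sets=["All-Commands"]),
        Rule("NetOps-Datacenter", Status.ENABLED, identity_group="NetOps", location="Datacenter",
             shell_profile="Full-Privilege", command_sets=["Show-Commands", "Config-Commands"]),
        Rule("Legacy-Admin", Status.DISABLED, identity_group="Contractor",
             shell_profile="Full-Privilege", command_sets=["All-Commands"]),
        Rule("Helpdesk-Show-Only", Status.ENABLED, identity_group="Helpdesk",
             command_sets=["Show-Commands"]),
        Rule("Default", Status.ENABLED, shell_profile="Deny-Shell"),
    ]

if __name__ == "__main__":
    rules, log = build_sample_rules(), []
    print(evaluate(rules, Session("NetOps", "Datacenter", "Router"), log))
    print(evaluate(rules, Session("Contractor", "Branch", "Switch"), log))
    print("\n".join(log))
```

Running the block shows the monitor rule accumulating hits and log entries for NetOps sessions while the results actually applied come from the first Enabled rule below it, and the disabled legacy rule never counting a hit even when its conditions would match.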