3-5
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter3 ACS 5.x Policy Model
Overview of the ACS 5.x Policy Model
Types of Policies
Table 3 -3 describes the types of policies that you can configure in ACS.
The policies are listed in the order of their evaluation; any attributes that a policy retrieves can be used
in any policy listed subsequently. The only exception is the Identity group mapping policy, which uses
only attributes from identity stores.
Tab le 3- 3 AC S P ol ic y Ty pe s
Policy
Can Contain
Exception
Policy?
Simple1 and
Rule-Based?
1. A simple policy specifies a single set of results that ACS applies to all requests; it is in effect a one-rule policy.
Available
Dictionaries for
Conditions
Available Result
Types Attributes Retrieved
Service Selection
Determines the access
service to apply to an
incoming request.
No Yes All except
identity store
related
Access Service
Identity
Determines the identity
source for authentication.
No Yes All except
identity store
related
Identity Source,
Failure options
Identity Attributes;
Identity Group for
internal ID stores
Identity Group Mapping
Defines mapping attributes
and groups from external
identity stores to ACS
identity groups.
No Yes Only identity
store dictionaries
Identity Group Identity Group for
external ID stores
Network Access Authorization
Determines authorization
and permissions for
network access.
Yes Rule-based
only
All dictionaries Authorization
Profile, Security
Group Access
Device Administration
Authorization
Determines authorization
and permissions for device
administration.
Yes Rule-based
only
All dictionaries Shell Profile,
Command Set