16-15
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 16 Managing System Administrators
Working with Administrative Access Control
The AAC service processes these two policies in sequence: the identity policy first, then the authorization policy. You need to configure both the
Administrator identity policy and the Administrator authorization policy. The defaults for the two
policies are:
Identity policy—The default is Internal Identity Store.
Authorization policy—The default is Deny Access.
The AAC service supports only the PAP authentication type. Only the Super Admin is permitted to
configure administrator access control.
While upgrading the ACS application to ACS 5.4, AAC undergoes the following changes:
Single AAC service is automatically created during upgrade.
The identity policy in AAC service is set to Administrators Internal Identity Store.
All existing administrators are validated with a static role assignment.
All administrators with the Super Admin role are automatically set as the recovery account.
After upgrading the ACS application to 5.4, if the administrator accounts are not updated, the upgraded
administrator accounts are authenticated against the administrator internal identity store and get their
roles through static assignment. While restoring the backup when upgrading, ACS 5.4 takes care of
upgrading the schema files as well as the data.
Note Administrator accounts created in external identity stores cannot access CARS mode of ACS CLI, but
they can access acs-config mode of ACS CLI.
This section contains the following topics:
Administrator Identity Policy, page 16-15
Administrator Authorization Policy, page 16-19
Administrator Identity Policy
The identity policy in administrative access control defines the identity source that ACS uses for
authentication and attribute retrieval. The attributes and groups can be retrieved only from the external
database. ACS can use the retrieved attributes only in subsequent authorization policies.
The AAC service supports two types of identity policies. They are:
Single result selection
Rule-based result selection
Super Admin can configure and modify this policy. You can configure a simple policy, which applies the
same identity source for authentication of all requests, or you can configure a rule-based identity policy.
The supported identity methods for a simple policy are:
Deny Access—Access to the user is denied and no authentication is performed.
Identity Store—A single identity store.
You can select any one of the following identity stores:
Internal Administrator ID store
Active Directory ID store
LDAP ID store
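The following Python model is an added illustration of the two-stage evaluation described in this section (identity policy first, then authorization policy, with the defaults of Internal Identity Store and Deny Access) and of the two identity-policy styles (single result versus rule-based selection). It is not Cisco's code and does not use any ACS API; the store names, user accounts, passwords, attributes, rule shapes and role names are constructed for the example. It also reflects the guide's statements that only PAP is supported and that attributes and groups are retrieved only from external stores.

```python
"""Toy model of ACS administrative access control (AAC) policy evaluation.

Added example, not Cisco's implementation. Everything below (stores, users,
passwords, attributes, rules) is constructed for illustration.
"""
from dataclasses import dataclass, field

DENY_ACCESS = "Deny Access"


@dataclass
class IdentityStore:
    name: str
    external: bool                  # attributes/groups are only retrieved from external stores
    credentials: dict               # constructed: username -> password (PAP compare)
    attributes: dict = field(default_factory=dict)  # constructed: username -> {attr: value}

    def authenticate(self, user, password):
        return self.credentials.get(user) == password

    def retrieve_attributes(self, user):
        # Internal store yields no attributes for later authorization rules.
        return dict(self.attributes.get(user, {})) if self.external else {}


@dataclass
class Request:
    user: str
    password: str
    auth_type: str = "PAP"


class IdentityPolicy:
    """Either a single result (simple policy) or an ordered list of (condition, result) rules."""

    def __init__(self, single=None, rules=None, default=None):
        self.single = single            # IdentityStore or DENY_ACCESS
        self.rules = rules or []        # [(lambda req: bool, IdentityStore or DENY_ACCESS)]
        self.default = default          # result when no rule matches (hypothetical default)

    def select(self, req):
        if self.single is not None:
            return self.single
        for cond, result in self.rules:
            if cond(req):
                return result
        return self.default


class AuthorizationPolicy:
    """Ordered (condition, role) rules; falls through to Deny Access by default."""

    def __init__(self, rules=None):
        self.rules = rules or []        # [(lambda req, attrs: bool, role)]

    def evaluate(self, req, attrs):
        for cond, role in self.rules:
            if cond(req, attrs):
                return role
        return DENY_ACCESS


def aac_evaluate(req, identity_policy, authz_policy):
    """Run the two policies in sequence; return (outcome, role or None)."""
    if req.auth_type != "PAP":          # AAC supports only PAP
        return ("rejected: unsupported authentication type", None)
    store = identity_policy.select(req)
    if store is None or store == DENY_ACCESS:
        return ("denied by identity policy", None)
    if not store.authenticate(req.user, req.password):
        return ("authentication failed", None)
    attrs = store.retrieve_attributes(req.user)
    role = authz_policy.evaluate(req, attrs)
    if role == DENY_ACCESS:
        return ("denied by authorization policy", None)
    return ("permitted", role)


# Constructed stores for the example.
INTERNAL = IdentityStore("Internal Administrator ID store", external=False,
                         credentials={"admin": "pw"})
AD = IdentityStore("Active Directory ID store", external=True,
                   credentials={"alice@corp.example": "s3cret", "bob@corp.example": "hunter2"},
                   attributes={"alice@corp.example": {"memberOf": "acs-admins"},
                               "bob@corp.example": {"memberOf": "helpdesk"}})

# Out-of-the-box defaults: internal store for identity, Deny Access for authorization.
DEFAULT_IDENTITY = IdentityPolicy(single=INTERNAL)
DEFAULT_AUTHZ = AuthorizationPolicy()

# Rule-based identity selection: domain-style names go to AD, everything else to the internal store.
RULE_IDENTITY = IdentityPolicy(
    rules=[(lambda r: r.user.endswith("@corp.example"), AD)],
    default=INTERNAL)
# Authorization: one static assignment for the local admin, one attribute-based rule for AD users.
RULE_AUTHZ = AuthorizationPolicy(rules=[
    (lambda r, a: r.user == "admin", "SuperAdmin"),                      # static role assignment
    (lambda r, a: a.get("memberOf") == "acs-admins", "SuperAdmin"),     # needs external attributes
])

if __name__ == "__main__":
    for req in (Request("admin", "pw"), Request("alice@corp.example", "s3cret"),
                Request("bob@corp.example", "hunter2"), Request("bob@corp.example", "wrong"),
                Request("admin", "pw", auth_type="CHAP")):
        print(req.user, "->", aac_evaluate(req, RULE_IDENTITY, RULE_AUTHZ))
    print("defaults:", aac_evaluate(Request("admin", "pw"), DEFAULT_IDENTITY, DEFAULT_AUTHZ))
```

The point worth noticing is the last line of the demo: with the shipped defaults a valid password still ends in "denied by authorization policy", because authentication success alone grants nothing until an authorization rule assigns a role. Likewise, an attribute-based rule such as the `memberOf` check can never match a user who authenticated against the internal store, since that store returns no attributes.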