3-11
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 3 ACS 5.x Policy Model
Access Services
Group Mapping Policy
The identity group mapping policy is a standard policy. Conditions can be based on attributes or groups
retrieved from the external attribute stores only, or from certificates, and the result is an identity group
within the identity group hierarchy.
If the identity policy accesses the internal user or host identity store, then the identity group is set directly
from the corresponding user or host record. This processing is an implicit part of the group mapping
policy.
Therefore, as part of processing in the group mapping policy, the default rule is only applied if both of
the following conditions are true:
None of the rules in the group mapping table match.
The identity group is not set from the internal user or host record.
The results of the group mapping policy are stored in the IdentityGroup attribute in the System
Dictionary and you can include this attribute in policies by selecting the Identity Group condition.
Authorization Policy for Device Administration
Shell profiles determine access to the device CLI; command sets determine TACACS+ per-command
authorization. The authorization policy for a device administration access service can contain a single
shell profile and multiple command sets.

Processing Rules with Multiple Command Sets

It is important to understand how ACS processes the command in the access request when the
authorization policy includes rules with multiple command sets. When a rule result contains multiple
command sets, and the rule conditions match the access request, ACS processes the command in the
access request against each command set in the rule:
1. If a command set contains a match for the command and its arguments, and the match has Deny
Always, ACS designates the command set as Commandset-DenyAlways.
2. If there is no Deny Always for a command match in a command set, ACS checks all the commands
in the command set sequentially for the first match.
If the first match has Permit, ACS designates the command set as Commandset-Permit.
If the first match has Deny, ACS designates the command set as Commandset-Deny.
3. If there is no match and “Permit any command that is not in the table below” is not checked (default),
ACS designates the command set as Commandset-Deny.
4. If there is no match and “Permit any command that is not in the table below” is checked, ACS
designates the command set as Commandset-Permit.
5. After ACS has analyzed all the command sets, it authorizes the command:
a. If ACS designated any command set as Commandset-DenyAlways, ACS denies the command.
b. If there is no Commandset-DenyAlways, ACS permits the command if any command set is
Commandset-Permit; otherwise, ACS denies the command.
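The five processing steps above, carried through as an added Python example (not Cisco's code). It assumes a simplified command-set table in which each row is a command name, an argument regular expression and an action, the checkbox is a boolean, and the command sets and requests are constructed sample data.

```python
import re
from dataclasses import dataclass

PERMIT, DENY, DENY_ALWAYS = "Permit", "Deny", "Deny Always"


@dataclass
class CommandSet:
    """One command set: rows in table order plus the 'permit any command
    that is not in the table below' checkbox (assumed representation)."""
    name: str
    rules: list               # (command, argument regex, action), table order
    permit_unmatched: bool = False


def designate(cs, command, args):
    """Steps 1-4: the designation ACS gives a single command set."""
    matches = [act for cmd, arg_re, act in cs.rules
               if cmd == command and re.fullmatch(arg_re, args)]
    if DENY_ALWAYS in matches:           # step 1: any Deny Always match wins
        return "Commandset-DenyAlways"
    if matches:                          # step 2: first sequential match decides
        return "Commandset-Permit" if matches[0] == PERMIT else "Commandset-Deny"
    # steps 3 and 4: no match, so the checkbox decides
    return "Commandset-Permit" if cs.permit_unmatched else "Commandset-Deny"


def authorize(command_sets, command, args=""):
    """Step 5: combine the designations of every command set in the matched rule."""
    designations = [designate(cs, command, args) for cs in command_sets]
    if "Commandset-DenyAlways" in designations:     # 5a
        return "deny"
    return "permit" if "Commandset-Permit" in designations else "deny"   # 5b


# Constructed sample command sets (not from the guide).
SHOW_ONLY = CommandSet("ShowOnly", [("show", ".*", PERMIT)])
NO_RELOAD = CommandSet("NoReload", [("reload", ".*", DENY_ALWAYS)],
                       permit_unmatched=True)
INTF_CONFIG = CommandSet("IntfConfig", [("interface", "GigabitEthernet.*", PERMIT),
                                        ("interface", ".*", DENY)])

if __name__ == "__main__":
    for cmd, args in [("show", "running-config"), ("reload", ""), ("configure", "terminal")]:
        print(cmd, args, "->", authorize([SHOW_ONLY, NO_RELOAD], cmd, args))
```

Note the effect of combining sets: because any Commandset-Permit wins unless a Deny Always matches, a set with the "permit any command not in the table" box checked (NO_RELOAD) makes "configure terminal" permitted even though SHOW_ONLY would deny it on its own; only Deny Always rows are safe to rely on across sets.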