Chapter 8 Managing Users and Identity Stores

Managing Internal Identity Stores

Identity Groups

You can assign each internal user to one identity group. Identity groups are defined within a hierarchical structure. They are logical entities that are associated with users, but do not contain data or attributes other than the name you give to them.

You use identity groups within policy conditions to create logical groups of users to which the same policy results are applied. You can associate each user in the internal identity store with a single identity group.

When ACS processes a request for a user, the identity group for the user is retrieved and can then be used in conditions in the rule table. Identity groups are hierarchical in structure.

You can map identity groups and users in external identity stores to ACS identity groups by using a group mapping policy.
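The Python sketch below is an added example, not part of the Cisco guide or of ACS itself. It models the lookup described above: each user has one identity group, and that group is tested against rule-table conditions. The colon-separated group paths under "All Groups", the rule that a condition on a group also matches groups beneath it, first-match evaluation, and all user, group, and result names are assumptions made for illustration.

```python
# Added illustration, not Cisco code. Assumptions: groups are written as
# colon-separated paths under a root "All Groups", a condition on a group
# also matches its descendants, and the rule table is first-match.
ROOT = "All Groups"
# Constructed sample data: each internal user has exactly one identity group.
USERS = {
    "alice": "All Groups:Staff:Network Admins",
    "bob": "All Groups:Staff",
    "carol": "All Groups:Contractors",
}

# Constructed rule table: (identity group condition, policy result).
RULES = [
    ("All Groups:Staff:Network Admins", "FullAccess"),
    ("All Groups:Staff", "StandardAccess"),
    ("All Groups:Contractors", "RestrictedAccess"),
]
DEFAULT_RESULT = "DenyAccess"


def in_group(user_group: str, condition_group: str) -> bool:
    """True if user_group is condition_group or sits beneath it."""
    user_path = user_group.split(":")
    cond_path = condition_group.split(":")
    # Compare whole path segments so "Staff2" never matches "Staff".
    return user_path[:len(cond_path)] == cond_path


def evaluate(username: str, rules=RULES) -> str:
    """Retrieve the user's single group, then return the first matching result."""
    group = USERS.get(username)
    if group is None or group.split(":")[0] != ROOT:
        return DEFAULT_RESULT  # unknown user or malformed path: fail closed
    for condition_group, result in rules:
        if in_group(group, condition_group):
            return result
    return DEFAULT_RESULT


def shadowed_rules(rules=RULES):
    """Rules that can never fire because an earlier rule covers an ancestor."""
    return [
        (i, later) for i, (later, _) in enumerate(rules)
        if any(in_group(later, earlier) for earlier, _ in rules[:i])
    ]

if __name__ == "__main__":
    for name in (*USERS, "mallory"):
        print(name, "->", evaluate(name))
```

Under these assumptions, a rule on a parent group placed above a rule on one of its child groups shadows the child rule, which is what shadowed_rules() reports; review rule order whenever a group is created beneath an existing parent.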

Creating Identity Groups

To create an identity group:

Step 1 Select Users and Identity Stores > Identity Groups.

The Identity Groups page appears.

Step 2 Click Create. You can also:

- Check the check box next to the identity group that you want to duplicate, then click Duplicate.
- Click the identity group name that you want to modify, or check the check box next to the name and click Edit.
- Click File Operations to:
    - Add—Adds identity groups from the import to ACS.
    - Update—Overwrites the existing identity groups in ACS with the list from the import.
    - Delete—Removes the identity groups listed in the import from ACS.
- Click Export to export a list of identity groups to your local hard disk.

For more information on the File Operations option, see Performing Bulk Operations for Network Resources and Users, page 7-8.

The Create page or the Edit page appears when you choose the Create, Duplicate, or Edit option.

Step 3 Enter information in the following fields:

Name—Enter a name for the identity group. If you are duplicating an identity group, you must enter a unique name; all other fields are optional.

Description—Enter a description for the identity group.

Parent—Click Select to select a network device group parent for the identity group.

Step 4 Click Submit to save changes.

The identity group configuration is saved. The Identity Groups page appears with the new configuration. If you created a new identity group, it is located within the hierarchy of the page beneath your parent identity group selection.

User Guide for Cisco Secure Access Control System 5.3


OL-24201-01

 

 
