Chapter 8 Managing Users and Identity Stores

Managing Internal Identity Stores

Policies and Identity Attributes, page 3-17

Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18

Management Hierarchy

Management Hierarchy enables the administrator to grant access permission to internal users or internal hosts according to their level in the organization's management hierarchy. A hierarchical label is assigned to each device that represents the administrative location of that device within the organization's management hierarchy.

For example, the hierarchical label All:US:NY:MyMgmtCenter indicates that the device is in MyMgmtCenter, under the city of NY, which is in the U.S. The administrator can grant access permission to users based on their assigned level of hierarchy. For instance, if a user is assigned the level All:US:NY, that user is granted permission when accessing the network through any device whose hierarchy starts with All:US:NY. The same examples apply to internal hosts.

Attributes of Management Hierarchy

To use the Management Hierarchy feature, the administrator needs to create the following attributes in the Internal Users Dictionary:

ManagementHierarchy attribute—allows the administrator to define one or more hierarchies for each internal user or internal host. This attribute is of type string and the maximum character length is 256. See Creating, Duplicating, and Editing an Internal User Identity Attribute, page 18-10 and Creating, Duplicating, and Editing an Internal Host Identity Attribute, page 18-13.

UserIsInManagementHierarchy or HostIsInManagementHierarchy attribute—the value of this attribute is set to true when the hierarchy defined for the user or host equals, or is contained in, the hierarchy defined for the network device or AAA client. This attribute is of type Boolean and the default value is false. It is not displayed on the users or hosts page in the ACS web interface; you can view this attribute only in the identity attributes dictionary list. See Creating, Duplicating, and Editing an Internal User Identity Attribute, page 18-10 and Creating, Duplicating, and Editing an Internal Host Identity Attribute, page 18-13.

Configuring AAA Devices for Management Hierarchy

The management centers and the correlated customer names should be configured within a Management Hierarchy for each AAA client. Any Network Device Group can be used as a Management Hierarchy for an AAA client. The Network Device Group used for this purpose is known as the Management Hierarchy Attribute. The administrator can create a new Network Device Group to be used as the Management Hierarchy. The Location hierarchy is an example of a Management Hierarchy attribute.

Example:

Location:All Locations:ManagementCenter1:Customer1

Configuring Users or Hosts for Management Hierarchy

A specific level of access is defined to represent the top-most node in the Management Hierarchy assigned for each user or a host. This level is defined in the user’s “ManagementHierarchy” attribute. Total value length is limited to 256 characters.
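The matching rule described in the preceding sections (a user or host qualifies when one of its assigned hierarchies equals, or is an ancestor of, the AAA client's hierarchy) can be modelled as follows. This is an added example, not Cisco ACS code; it assumes that several hierarchies in one attribute value are comma-separated and that comparison is done node by node, so that All:US:NY does not match All:US:NYC.

```python
# Added example (not Cisco ACS code): derives the value a policy would use for
# UserIsInManagementHierarchy / HostIsInManagementHierarchy from the
# ManagementHierarchy attribute and the AAA client's Network Device Group label.

MAX_HIERARCHY_LEN = 256  # limit stated for the ManagementHierarchy attribute


def hierarchy_value_is_valid(value: str) -> bool:
    """The attribute must be non-empty and within the 256-character limit."""
    return 0 < len(value) <= MAX_HIERARCHY_LEN


def _nodes(label: str) -> list[str]:
    """Split a hierarchical label such as 'All:US:NY' into its nodes."""
    return [node.strip() for node in label.split(":") if node.strip()]


def is_in_management_hierarchy(user_hierarchies: str, device_hierarchy: str) -> bool:
    """True when any hierarchy assigned to the user/host equals, or is an
    ancestor of, the device's hierarchy.

    Assumptions (not stated in the guide): multiple hierarchies are separated
    by commas, matching is case-sensitive and node by node, and an invalid
    attribute value fails closed (returns False).
    """
    if not hierarchy_value_is_valid(user_hierarchies):
        return False
    device_nodes = _nodes(device_hierarchy)
    for assigned in user_hierarchies.split(","):
        user_nodes = _nodes(assigned)
        if not user_nodes:
            continue
        # Prefix comparison on whole nodes: 'All:US:NY' matches
        # 'All:US:NY:MyMgmtCenter' but not 'All:US:NYC:Site1'.
        if device_nodes[: len(user_nodes)] == user_nodes:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values taken from the examples in this chapter.
    print(is_in_management_hierarchy("All:US:NY", "All:US:NY:MyMgmtCenter"))  # True
    print(is_in_management_hierarchy("All:US:NY", "All:US:NYC:Site1"))        # False
    print(is_in_management_hierarchy(
        "Location:All Locations:ManagementCenter1",
        "Location:All Locations:ManagementCenter1:Customer1"))               # True
```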

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01

8-19