CHAPTER 9

Managing Policy Elements

A policy defines the authentication and authorization processing of clients that attempt to access the ACS network. A client can be a user, a network device, or a user associated with a network device.

Policies are sets of rules. Rules contain policy elements, which are sets of conditions and results that are organized in rule tables. See Chapter 3, “ACS 5.x Policy Model” for more information on policy design and how it is implemented in ACS.

Before you configure your policy rules, you must create the policy elements, which are the conditions and results to use in those policies. After you create the policy elements, you can use them in policy rules. See Chapter 10, “Managing Access Policies” for more information on managing services, policies, and policy rules.

This chapter contains the following sections:

Managing Policy Conditions, page 9-1

Managing Authorizations and Permissions, page 9-17

Creating, Duplicating, and Editing Downloadable ACLs, page 9-31

Note: When the Cisco Security Group Access license is installed, you can also configure Security Groups and Security Group Access Control Lists (SGACLs), which you can then use in Security Group Access authorization policies. For information about configuring security groups for Security Group Access, see Creating Security Groups, page 4-24.

Managing Policy Conditions

You can configure the following items as conditions in a rule table:

Request/Protocol Attributes—ACS retrieves these attributes from the authentication request that the user issues.

Identity Attributes—These attributes are related to the identity of the user performing a request. These attributes can be retrieved from the user definition in the internal identity store or from user definitions that are stored in external repositories, such as LDAP and AD.

Identity Groups—ACS maintains a single identity group hierarchy that is used for all types of users and hosts. Each internal user or host definition can include an association to a single identity group within the hierarchy.
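As an added illustration (this is not Cisco code and not part of the user guide), the following Python models how a rule table combines the three kinds of conditions listed above and evaluates rules in order to the first match; the attribute names, the colon-separated "All Groups:..." path notation for the identity group hierarchy, and the rule contents are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed model of a rule: each field is a set of conditions that must all
# hold for the rule to match. An empty dict / None condition matches anything.
@dataclass
class Rule:
    name: str
    request: Dict[str, str] = field(default_factory=dict)   # Request/Protocol attributes
    identity: Dict[str, str] = field(default_factory=dict)  # Identity attributes
    group: Optional[str] = None                             # Identity group (or an ancestor)
    result: str = "Deny"

def in_group(user_group: str, rule_group: str) -> bool:
    """True if the user's group is rule_group itself or sits beneath it in the
    single identity group hierarchy (path notation is an assumption here)."""
    return user_group == rule_group or user_group.startswith(rule_group + ":")

def rule_matches(rule: Rule, request_attrs: Dict[str, str],
                 identity_attrs: Dict[str, str], identity_group: str) -> bool:
    # A condition on an attribute the request or user does not carry fails closed.
    if any(request_attrs.get(k) != v for k, v in rule.request.items()):
        return False
    if any(identity_attrs.get(k) != v for k, v in rule.identity.items()):
        return False
    if rule.group is not None and not in_group(identity_group, rule.group):
        return False
    return True

def evaluate(rules, request_attrs, identity_attrs, identity_group,
             default: str = "Deny") -> Tuple[str, str]:
    """First-match evaluation: return (rule name, result) of the first rule whose
    conditions all hold, or the default result when no rule matches."""
    for rule in rules:
        if rule_matches(rule, request_attrs, identity_attrs, identity_group):
            return rule.name, rule.result
    return "default", default

# Constructed sample rule table (names, groups and results are made up).
RULES = [
    Rule("netops-shell", request={"Protocol": "TACACS+"}, group="All Groups:NetOps", result="Shell:priv15"),
    Rule("helpdesk-shell", request={"Protocol": "TACACS+"}, group="All Groups:Helpdesk", result="Shell:priv1"),
    Rule("eng-wifi", request={"Protocol": "RADIUS"}, identity={"Department": "Eng"}, result="VLAN:Eng"),
]

if __name__ == "__main__":
    # A user in a child group of NetOps inherits the NetOps rule.
    print(evaluate(RULES, {"Protocol": "TACACS+"}, {}, "All Groups:NetOps:Tier2"))
```

Note that a user in a sibling group whose name merely shares a prefix (for example "All Groups:NetOpsX") does not match the NetOps condition, and a request lacking the attribute a rule tests falls through to the default result.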

User Guide for Cisco Secure Access Control System 5.3

 

OL-24201-01

9-1