CHAPTER 10

Managing Access Policies

In ACS 5.3, policy drives all activities. Policies consist mainly of rules that determine the action of the policy. You create access services to define authentication and authorization policies for requests. A global service selection policy contains rules that determine which access service processes an incoming request.

For a basic workflow for configuring policies and all their elements, see Flows for Configuring Services and Policies, page 3-19. In general, before you can configure policy rules, you must configure all the elements that you will need, such as identities, conditions, and authorizations and permissions.

For information about:

Managing identities, see Chapter 8, “Managing Users and Identity Stores.”

Configuring conditions, see Managing Policy Elements, page 9-1.

Configuring authorizations and permissions, see Configuring System Operations, page 17-1.

This section contains the following topics:

Policy Creation Flow, page 10-1

Customizing a Policy, page 10-4

Configuring the Service Selection Policy, page 10-5

Configuring Access Services, page 10-11

Configuring Access Service Policies, page 10-21

Configuring Compound Conditions, page 10-40

Security Group Access Control Pages, page 10-45

Maximum User Sessions, page 10-50

For information about creating Egress and NDAC policies for Cisco Security Group Access, see Configuring an NDAC Policy, page 4-25.

Policy Creation Flow

Policy creation depends on your network configuration and the degree of refinement that you want to bring to individual policies. The endpoint of policy creation is the access service that runs as the result of the service selection policy. Each policy is rule driven.

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01