Chapter 10 Managing Access Policies

Customizing a Policy

Policy Creation Flow—Next Steps

Access Service Policy Creation, page 10-4

Service Selection Policy Creation, page 10-4

Access Service Policy Creation

After you create the basic elements, you can create an access policy that includes identity groups and privileges. For example, you can create an access service for device administration, called NetOps, which contains authorization and authentication policies that use this data:

Users in the Supervisor identity group—Full privileges to all devices at all locations.

Users in the East, HQ, and West identity groups—Full privileges to devices in the corresponding East, HQ, and West device groups.

If no match—Deny access.

Policy Creation Flow—Previous Steps

Network Definition and Policy Goals, page 10-2

Policy Elements in the Policy Creation Flow, page 10-3

Policy Creation Flow—Next Step

Service Selection Policy Creation, page 10-4

Service Selection Policy Creation

ACS provides support for various access use cases; for example, device administration, wireless access, network access control, and so on. You can create access policies for each of these use cases. Your service selection policy determines which access policy applies to an incoming request.

For example, you can create a service selection rule to apply the NetOps access service to any access request that uses the TACACS+ protocol.
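The NetOps example above can be modeled as two first-match rule tables, which makes the default-deny behavior easy to check. This is an added illustration, not Cisco code or ACS configuration syntax (ACS is configured through its policy pages); the class, function, and rule names and the `FullPrivileges`/`DenyAccess` labels are hypothetical, and denying a request that selects no service is an assumption of this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    protocol: str        # e.g. "TACACS+" or "RADIUS"
    identity_group: str  # identity group of the user
    device_group: str    # device group of the target device

# Service selection policy: the first matching rule picks the access service.
SERVICE_SELECTION = [
    (lambda r: r.protocol == "TACACS+", "NetOps"),
]

# NetOps authorization rules, evaluated top-down; the first match wins.
REGIONS = {"East", "HQ", "West"}
NETOPS_RULES = [
    ("supervisor-all", lambda r: r.identity_group == "Supervisor", "FullPrivileges"),
    ("region-match",
     lambda r: r.identity_group in REGIONS and r.identity_group == r.device_group,
     "FullPrivileges"),
]
ACCESS_SERVICES = {"NetOps": NETOPS_RULES}

def select_service(req):
    """Return the access service for a request, or None if no rule matches."""
    for condition, service in SERVICE_SELECTION:
        if condition(req):
            return service
    return None

def authorize(req):
    """Return (service, matched_rule, result) for a request."""
    service = select_service(req)
    if service is None:
        # Assumption of this sketch: a request that selects no service is denied.
        return (None, None, "DenyAccess")
    for name, condition, result in ACCESS_SERVICES[service]:
        if condition(req):
            return (service, name, result)
    return (service, "default", "DenyAccess")  # "If no match: deny access"

if __name__ == "__main__":
    # Constructed sample requests.
    for req in (Request("TACACS+", "Supervisor", "West"),
                Request("TACACS+", "East", "East"),
                Request("TACACS+", "East", "West"),
                Request("RADIUS", "Supervisor", "HQ")):
        print(req, "->", authorize(req))
```

A user in the East identity group is denied on a West device because only the region-match rule can apply and it fails, so the request falls through to the default result.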

Policy Creation Flow—Previous Steps

Network Definition and Policy Goals, page 10-2

Policy Elements in the Policy Creation Flow, page 10-3

Access Service Policy Creation, page 10-4

Customizing a Policy

ACS policy rules contain conditions and results. Before you begin to define rules for a policy, you must configure which types of conditions that policy will contain. This step is called customizing your policy. The condition types that you choose appear on the Policy page. You can apply only those types of conditions that appear on the Policy page. For information about policy conditions, see Managing Policy Conditions, page 9-1.

By default, a Policy page displays a single condition column for compound expressions. For information on compound conditions, see Configuring Compound Conditions, page 10-40.

 

User Guide for Cisco Secure Access Control System 5.3


OL-24201-01
