Chapter 10 Managing Access Policies

Configuring Access Service Policies

Configuring a Group Mapping Policy

Configure a group mapping policy to map groups and attributes that are retrieved from external identity stores to ACS identity groups. When ACS processes a request for a user or host, this policy retrieves the relevant identity group which can be used in authorization policy rules.

If you created an access service that includes a group mapping policy, you can configure and modify this policy. You can configure a simple policy, which applies the same identity group to all requests; or, you can configure a rule-based policy.

In the rule-based policy, each rule contains one or more conditions and a result. The conditions can be based only on attributes or groups retrieved from external attribute stores, and the result is an identity group within the identity group hierarchy. You can create, duplicate, edit, and delete rules within the policy; and you can enable and disable them.
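
As an added illustration (not part of the guide and not Cisco code), the following Python model evaluates a rule-based group mapping policy and flags rules that can never fire because an earlier rule always matches first. It assumes first-match rule order, that every condition in a rule must hold, and a default result when no rule matches; the rule, attribute, and group names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    conditions: dict      # external attribute -> required value (all must hold)
    result: str           # identity group assigned when the rule matches
    enabled: bool = True

def rule_matches(rule, external):
    """True if every condition is satisfied by the retrieved attributes."""
    for attr, wanted in rule.conditions.items():
        have = external.get(attr)
        if isinstance(have, (list, set, tuple)):   # multi-valued, e.g. groups
            if wanted not in have:
                return False
        elif have != wanted:
            return False
    return True

def map_identity_group(rules, external, default):
    """Return (identity_group, rule_name); assumes first match wins.
    A simple policy is the case rules == [] with default as the one group."""
    for rule in rules:
        if rule.enabled and rule_matches(rule, external):
            return rule.result, rule.name
    return default, "Default"   # "Default" label is an assumption of this model

def shadowed_rules(rules):
    """Enabled rules that cannot fire: an earlier enabled rule's conditions
    are a subset of theirs, so it matches every request they would."""
    active = [r for r in rules if r.enabled]
    return [later.name for i, later in enumerate(active)
            if any(e.conditions.items() <= later.conditions.items()
                   for e in active[:i])]

# Constructed sample policy; names are illustrative only.
RULES = [
    Rule("Staff", {"ExternalGroups": "Staff"}, "All Groups:Staff"),
    Rule("NetAdmins", {"ExternalGroups": "Staff", "department": "NetOps"},
         "All Groups:Network Admins"),
    Rule("Contractors", {"ExternalGroups": "Contractors"}, "All Groups:Restricted"),
    Rule("Legacy", {"ExternalGroups": "Legacy"}, "All Groups:Network Admins",
         enabled=False),
]
DEFAULT = "All Groups"

if __name__ == "__main__":
    admin = {"ExternalGroups": ["Staff"], "department": "NetOps"}
    print(map_identity_group(RULES, admin, DEFAULT), shadowed_rules(RULES))
```

In the sample, the broader Staff rule sits above NetAdmins, so a network administrator is mapped to the Staff group; moving the more specific rule first removes the shadowing.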


Caution: If you switch between the simple policy and the rule-based policy pages, you will lose your previously saved policy.

To configure a simple group mapping policy:

Step 1  Select Access Policies > Access Services > service > Group Mapping, where service is the name of the access service.

        By default, the Simple Group Mapping Policy page appears. See Table 10-12 for field descriptions.

        See Table 10-13 for Rule-Based Group Mapping Policy page field descriptions.

Table 10-12  Simple Group Mapping Policy Page

Option           Description
Policy type      Defines the type of policy to configure:
                 - Simple—Specifies the results to apply to all requests.
                 - Rule-based—Configure rules to apply different results depending on the request.
                 Caution: If you switch between policy types, you will lose your previously saved policy configuration.
Identity Group   Identity group to which attributes and groups from all requests are mapped.

User Guide for Cisco Secure Access Control System 5.3

10-26

OL-24201-01
