Chapter 10 Managing Access Policies

Configuring Access Service Policies

Deleting Policy Rules, page 10-39

Related Topics

Viewing Identity Policies, page 10-21

Configuring a Session Authorization Policy for Network Access, page 10-29

Configuring Shell/Command Authorization Policies for Device Administration, page 10-34

Configuring Group Mapping Policy Rule Properties

Use this page to create, duplicate, or edit a group mapping policy rule to define the mapping of attributes and groups that are retrieved from external databases to ACS identity groups.

Step 1 Select Access Policies > Access Services > service > Group Mapping, then do one of the following:

Click Create.

Check a rule check box, and click Duplicate.

Click a rule name or check a rule check box, then click Edit.

Step 2 Complete the fields as described in Table 10-14:

Table 10-14 Group Mapping Rule Properties Page

Option: Description

General

Rule Name: Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Rule Status: Rule statuses are:

    Enabled—The rule is active.

    Disabled—ACS does not apply the results of the rule.

    Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Conditions

conditions: Conditions that you can configure for the rule. By default, the compound condition appears. You can change the conditions that appear by using the Customize button in the Policy page.

    The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value.

    If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions, page 10-40.

Results

Identity Group: Identity group to which attributes and groups from requests are mapped.
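The following sketch is an added example, not taken from this guide or from ACS itself. It models the three rule statuses in Table 10-14 to show why a Monitor rule records a hit while the request is still mapped by a later rule. Top-down first-match ordering, continuing after a monitor hit, the default-group fallback, the log format, and all rule, attribute and group names are assumptions.

```python
from dataclasses import dataclass, field

ANY = "ANY"  # default value for each condition, per Table 10-14


@dataclass
class Rule:
    name: str
    status: str          # "Enabled", "Disabled" or "Monitor"
    identity_group: str  # Results: Identity Group
    conditions: dict = field(default_factory=dict)  # unchecked condition == ANY

    def matches(self, request: dict) -> bool:
        # Assumption: simple equality conditions; ANY matches every value.
        return all(want == ANY or request.get(attr) == want
                   for attr, want in self.conditions.items())


def map_group(rules, request, default_group):
    """Return (identity_group, log_lines) for one request (assumed first match)."""
    log = []
    for rule in rules:
        if rule.status == "Disabled" or not rule.matches(request):
            continue
        if rule.status == "Monitor":
            # Hit is logged and flagged monitor-only; its result is not applied.
            log.append(f"hit rule={rule.name} monitor-only=true "
                       f"would-map={rule.identity_group}")
            continue
        log.append(f"hit rule={rule.name} monitor-only=false")
        return rule.identity_group, log
    return default_group, log


# Constructed sample policy and request (hypothetical names throughout).
RULES = [
    Rule("NewContractors", "Monitor", "All Groups:Contractors",
         {"ldap_group": "contractors"}),
    Rule("OldVPN", "Disabled", "All Groups:VPN"),
    Rule("Staff", "Enabled", "All Groups:Staff", {"ldap_group": ANY}),
]
REQUEST = {"ldap_group": "contractors"}

if __name__ == "__main__":
    group, log = map_group(RULES, REQUEST, "All Groups")
    print(group)
    print("\n".join(log))
```

Reviewing the monitor-only log entries before switching a rule to Enabled shows which requests would change identity group, and therefore which downstream authorization rules they would start to hit.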

 

User Guide for Cisco Secure Access Control System 5.3

10-28

OL-24201-01
