Cisco Systems OL-24201-01 manual Policy Terminology, Term Description

Table 3-2describes the rule-based policy terminology.

Table 3-2

Rule-Based Policy Terminology

Term

Description

Access service

Sequential set of policies used to process access requests. ACS 5.x allows you to define multiple

access services to support multiple, independent, and isolated sets of policies on a single ACS

system.

There are two default access services: one for device administration (TACACS+ based access to the

device shell or CLI) and one for network access (RADIUS-based access to network connectivity).

Policy element

Global, shared object that defines policy conditions (for example, time and date, or custom

conditions based on user-selected attributes) and permissions (for example, authorization profiles).

The policy elements are referenced when you create policy rules.

Authorization profile

Basic permissions container for a RADIUS-based network access service, which is where you define

all permissions to be granted for a network access request.

VLANs, ACLs, URL redirects, session timeout or reauthorization timers, or any other RADIUS

attributes to be returned in a response, are defined in the authorization profile.

Shell profile

Basic permissions container for TACACS+ based device administration policy. This is where you

define permissions to be granted for a shell access request.

IOS privilege level, session timeout, and so on are defined in the shell profile.

Command set

Contains the set of permitted commands for TACACS+ based, per-command authorization.

Policy

Set of rules that are used to reach a specific policy decision. For example, how to authenticate and

what authorization to grant. For any policies that have a default rule, a policy is a first-match rules

table with a default rule for any request which does not match any user-created rules.

Identity policy

ACS 5.3 policy for choosing how to authenticate and acquire identity attributes for a given request.

ACS 5.3 allows two types of identity policies: a simple, static policy, or a rules-based policy for

more complex situations.

Identity group mapping

Optional policy for mapping identity information collected from identity stores (for example, group

policy

memberships and user attributes) to a single ACS identity group.

This can help you normalize identity information and map requests to a single identity group, which

is just a tag or an identity classification. The identity group can be used as a condition in

authorization policy, if desired.

Authorization policy

ACS 5.3 policy for assigning authorization attributes for access requests. Authorization policy

selects a single rule and populates the response with the contents of the authorization profiles

referenced as the result of the rule.

Exception policy

Special option for authorization policy, which allows you to define separately the set of conditions

and authorization results for authorization policy exceptions and waivers. If defined, the exception

policy is checked before the main (standard) authorization policy.

Default rule

Catchall rule in ACS 5.3 policies. You can edit this rule to specify a default result or authorization

action, and it serves as the policy decision in cases where a given request fails to match the

conditions specified in any user-created rule.

OL-24201-01

3-3