Chapter 3 ACS 5.x Policy Model

Overview of the ACS 5.x Policy Model

Types of Policies

Table 3-3 describes the types of policies that you can configure in ACS.

The policies are listed in the order of their evaluation; any attributes that a policy retrieves can be used in any policy listed subsequently. The only exception is the Identity group mapping policy, which uses only attributes from identity stores.

Table 3-3 ACS Policy Types

| Policy | Can Contain Exception Policy? | Simple [1] and Rule-Based? | Available Dictionaries for Conditions | Available Result Types | Attributes Retrieved |
| --- | --- | --- | --- | --- | --- |
| Service Selection: Determines the access service to apply to an incoming request. | No | Yes | All except identity store related | Access Service | |
| Identity: Determines the identity source for authentication. | No | Yes | All except identity store related | Identity Source, Failure options | Identity Attributes; Identity Group for internal ID stores |
| Identity Group Mapping: Defines mapping attributes and groups from external identity stores to ACS identity groups. | No | Yes | Only identity store dictionaries | Identity Group | Identity Group for external ID stores |
| Network Access Authorization: Determines authorization and permissions for network access. | Yes | Rule-based only | All dictionaries | Authorization Profile, Security Group Access | |
| Device Administration Authorization: Determines authorization and permissions for device administration. | Yes | Rule-based only | All dictionaries | Shell Profile, Command Set | |

1. A simple policy specifies a single set of results that ACS applies to all requests; it is in effect a one-rule policy.
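
The constraints in Table 3-3 can be checked mechanically when reviewing a planned policy configuration. The following Python is an added example, not part of the Cisco guide or of ACS itself: the policy description format, the `lint` function and the dictionary names RADIUS and AD1 are assumptions made for illustration, and each condition is tagged by hand as using an identity store dictionary or not.

```python
# Added example: lint a constructed policy description against Table 3-3.
# Assumption: every condition is pre-tagged with whether its dictionary is
# identity-store related; ACS itself is not queried.

# (policy, may contain exception policy, may be simple, dictionaries allowed)
TABLE_3_3 = [  # listed in evaluation order
    ("Service Selection", False, True, "non_identity_store"),
    ("Identity", False, True, "non_identity_store"),
    ("Identity Group Mapping", False, True, "identity_store_only"),
    ("Network Access Authorization", True, False, "all"),
    ("Device Administration Authorization", True, False, "all"),
]


def lint(policies):
    """Return findings for settings in `policies` that Table 3-3 does not allow."""
    findings = []
    for name, exception_ok, simple_ok, dict_rule in TABLE_3_3:
        cfg = policies.get(name)
        if cfg is None:
            continue
        if cfg.get("exception_policy") and not exception_ok:
            findings.append(f"{name}: cannot contain an exception policy")
        if cfg.get("kind") == "simple" and not simple_ok:
            findings.append(f"{name}: must be rule-based")
        for dictionary, from_identity_store in cfg.get("conditions", []):
            if dict_rule == "non_identity_store" and from_identity_store:
                findings.append(f"{name}: condition on {dictionary} uses an identity store dictionary")
            elif dict_rule == "identity_store_only" and not from_identity_store:
                findings.append(f"{name}: condition on {dictionary} is not from an identity store")
    return findings


# Constructed sample; dictionary names are illustrative only.
SAMPLE = {
    "Service Selection": {"kind": "rule-based", "conditions": [("RADIUS", False), ("AD1", True)]},
    "Identity Group Mapping": {"kind": "rule-based", "conditions": [("AD1", True), ("RADIUS", False)]},
    "Network Access Authorization": {"kind": "simple", "exception_policy": True,
                                     "conditions": [("AD1", True)]},
    "Identity": {"kind": "simple", "exception_policy": True},
}

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Findings are reported in the evaluation order of Table 3-3, regardless of the order in which the policies appear in the input.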

User Guide for Cisco Secure Access Control System 5.3

 

OL-24201-01
