3-12
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 3 ACS 5.x Policy Model
Service Selection Policy
Related Topics
Policy Terminology, page 3-3
Authorization Profiles for Network Access, page 3-16

Exception Authorization Policy Rules

A common real-world problem is that, in day-to-day operations, you often need to grant policy waivers
or policy exceptions. A specific user might need special access for a short period of time; or, a user might
require some additional user permissions to cover for someone else who is on vacation.
In ACS, you can define an exception policy for an authorization policy. The exception policy contains a
separate set of rules for policy exception and waivers, which are typically ad hoc and temporary. The
exception rules override the rules in the main rule table.
The exception rules can use a different set of conditions and results from those in the main policy. For
example, the main policy might use Identity Group and Location as its conditions, while its related
exception policy might use different conditions
By default, exception policies use a compound condition and a time and date condition. The time and
date condition is particularly valuable if you want to make sure your exception rules have a definite
starting and ending time.
An exception policy takes priority over the main policy. The exception policy does not require its own
default rule; if there is no match in the exception policy, the main policy applies, which has its own
default rule.
You can use an exception to address a temporary change to a standard policy. For example, if an
administrator, John, in one group is on vacation, and an administrator, Bob, from another group is
covering for him, you can create an exception rule that will give Bob the same access permissions as
John for the vacation period.
Related Topics
Policy Terminology, page 3-3
Policy Conditions, page 3-16
Policy Results, page 3-16
Policies and Identity Attributes, page 3-17

Service Selection Policy

When ACS receives various access requests, it uses a service selection policy to process the request. ACS
provides you two modes of service selection:
Simple Service Selection, page 3-12
Rules-Based Service Selection, page 3-13

Simple Service Selection

In the simple service selection mode, ACS processes all AAA requests with just one access service and
does not actually select a service.