Chapter 3 ACS 5.x Policy Model

Service Selection Policy

Related Topics

Policy Terminology, page 3-3

Authorization Profiles for Network Access, page 3-16

Exception Authorization Policy Rules

A common real-world problem is that, in day-to-day operations, you often need to grant policy waivers or policy exceptions. A specific user might need special access for a short period of time, or a user might require additional permissions to cover for someone else who is on vacation.

In ACS, you can define an exception policy for an authorization policy. The exception policy contains a separate set of rules for policy exception and waivers, which are typically ad hoc and temporary. The exception rules override the rules in the main rule table.

The exception rules can use a different set of conditions and results from those in the main policy. For example, the main policy might use Identity Group and Location as its conditions, while its related exception policy might use different conditions, such as a specific user name and a time and date window.

By default, exception policies use a compound condition and a time and date condition. The time and date condition is particularly valuable if you want to make sure your exception rules have a definite starting and ending time.

An exception policy takes priority over the main policy. The exception policy does not require its own default rule; if there is no match in the exception policy, the main policy applies, which has its own default rule.

You can use an exception to address a temporary change to a standard policy. For example, if an administrator, John, in one group is on vacation, and an administrator, Bob, from another group is covering for him, you can create an exception rule that will give Bob the same access permissions as John for the vacation period.
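The evaluation order described above (exception rules first, fall through to the main rule table, then the main policy's default rule) can be modelled in a few lines. The following is an added illustration written for this page, not Cisco code and not how ACS is configured; it assumes rule tables are evaluated top to bottom with the first matching rule winning, and the attribute names (UserName, IdentityGroup, Location), the rule names, the profile names and the vacation window are all constructed for the example. It carries the John and Bob scenario through: Bob gets John's access only inside the time and date window, and outside it his request is matched by the main policy as usual.

```python
"""Model of ACS 5.x authorization evaluation with an exception policy.

Added example, not Cisco code. It models the behaviour the text describes:
exception rules take priority, the exception policy has no default rule, and
an unmatched request falls through to the main rule table and its default rule.
Rule tables are assumed to be evaluated top to bottom, first match wins.
Attribute names, rules, users and dates below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Tuple

# A condition receives the request attributes and the time of the request.
Condition = Callable[[Dict[str, str], datetime], bool]


@dataclass
class Rule:
    name: str
    conditions: List[Condition]   # compound condition: every part must hold
    result: str                   # name of the authorization profile to apply

    def matches(self, attrs: Dict[str, str], now: datetime) -> bool:
        return all(cond(attrs, now) for cond in self.conditions)


@dataclass
class AuthorizationPolicy:
    main_rules: List[Rule]
    default_result: str                               # main policy default rule
    exception_rules: List[Rule] = field(default_factory=list)  # no default rule here

    def evaluate(self, attrs: Dict[str, str], now: datetime) -> Tuple[str, str]:
        """Return (authorization profile, which rule produced it)."""
        # 1. Exception policy is consulted first and overrides the main table.
        for rule in self.exception_rules:
            if rule.matches(attrs, now):
                return rule.result, f"exception:{rule.name}"
        # 2. No exception matched: evaluate the main rule table.
        for rule in self.main_rules:
            if rule.matches(attrs, now):
                return rule.result, f"main:{rule.name}"
        # 3. Nothing matched: the main policy's default rule applies.
        return self.default_result, "main:default"


# Condition helpers (constructed; the attribute names are assumptions).
def identity_group(name: str) -> Condition:
    return lambda a, now: a.get("IdentityGroup") == name


def location(name: str) -> Condition:
    return lambda a, now: a.get("Location") == name


def username(name: str) -> Condition:
    return lambda a, now: a.get("UserName") == name


def between(start: datetime, end: datetime) -> Condition:
    # Time and date condition: the rule is live only inside [start, end).
    return lambda a, now: start <= now < end


# Constructed sample policy: John is a NetworkAdmin, Bob is Helpdesk.
VACATION = (datetime(2024, 7, 1), datetime(2024, 7, 15))

POLICY = AuthorizationPolicy(
    main_rules=[
        Rule("NetAdmins-HQ", [identity_group("NetworkAdmins"), location("HQ")], "FullAccess"),
        Rule("Helpdesk-HQ", [identity_group("Helpdesk"), location("HQ")], "ReadOnly"),
    ],
    default_result="DenyAccess",
    exception_rules=[
        # Temporary waiver: Bob receives John's permissions for the vacation period only.
        Rule("Bob-covers-John", [username("bob"), between(*VACATION)], "FullAccess"),
    ],
)


def authorize(user: str, group: str, loc: str, when: str) -> Tuple[str, str]:
    """Evaluate one request; `when` is an ISO 8601 timestamp string."""
    attrs = {"UserName": user, "IdentityGroup": group, "Location": loc}
    return POLICY.evaluate(attrs, datetime.fromisoformat(when))


if __name__ == "__main__":
    for args in [("bob", "Helpdesk", "HQ", "2024-07-05T09:00"),
                 ("bob", "Helpdesk", "HQ", "2024-07-20T09:00"),
                 ("john", "NetworkAdmins", "HQ", "2024-07-05T09:00"),
                 ("eve", "Guests", "HQ", "2024-07-05T09:00")]:
        print(args, "->", authorize(*args))
```

The point the model makes visible is the one the text warns about: an exception rule wins over every main rule regardless of how specific the main rule is, so an exception without a time and date condition is a standing privilege grant rather than a waiver. Keeping the window in the rule itself means the exception expires on its own and Bob's requests are again matched by the main table after July 15.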

Related Topics

Policy Terminology, page 3-3

Policy Conditions, page 3-16

Policy Results, page 3-16

Policies and Identity Attributes, page 3-17

Service Selection Policy

When ACS receives an access request, it uses a service selection policy to decide which access service processes the request. ACS provides two modes of service selection:

Simple Service Selection, page 3-12

Rules-Based Service Selection, page 3-13

Simple Service Selection

In the simple service selection mode, ACS processes all AAA requests with just one access service and does not actually select a service.


User Guide for Cisco Secure Access Control System 5.3

3-12

OL-24201-01
