User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing Internal Identity Stores
Policies and Identity Attributes, page 3-17
Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18
Management Hierarchy
Management Hierarchy enables the administrator to grant access permission to internal users or
internal hosts according to their level in the organization's management hierarchy. A
hierarchical label is assigned to each device; it represents the administrative location of that particular
device within the organization's management hierarchy.
For example, the hierarchical label All:US:NY:MyMgmtCenter indicates that the device is in
MyMgmtCenter, under the city NY, which is in the US. The administrator can grant access permission to users
based on their assigned level of hierarchy. For instance, if a user has the assigned level All:US:NY, that
user is given permission when accessing the network through any device whose hierarchy
starts with All:US:NY. The same examples apply to internal hosts.
Attributes of Management Hierarchy
To use the Management Hierarchy feature, the administrator needs to create the following attributes in the
Internal Users Dictionary:
ManagementHierarchy attribute—allows the administrator to define one or more hierarchies for
each internal user or internal host. This attribute is of type string and the maximum character
length is 256. See Creating, Duplicating, and Editing an Internal User Identity Attribute, page 18-10
and Creating, Duplicating, and Editing an Internal Host Identity Attribute, page 18-13.
UserIsInManagementHierarchy or HostIsInManagementHierarchy attribute—the value of this
attribute is set to true when the hierarchy defined for the user or host equals, or is contained in, the
hierarchy defined for the network device or AAA client. This attribute is of type Boolean and its
default value is false. It is not displayed on the users or hosts page in the ACS web interface. You can
view this attribute only in the identity attributes dictionary list. See Creating, Duplicating, and
Editing an Internal User Identity Attribute, page 18-10 and Creating, Duplicating, and Editing an
Internal Host Identity Attribute, page 18-13.
Configuring AAA Devices for Management Hierarchy
The management centers and the correlated customer names should be configured within a Management
Hierarchy for each AAA client. Any Network Device Group can be used as the Management Hierarchy for
an AAA client. The Network Device Group used for this purpose is known as the Management Hierarchy
Attribute. The administrator can create a new Network Device Group to be used as the Management
Hierarchy. The Location hierarchy is an example of a Management Hierarchy attribute.
Example:
Location:All Locations:ManagementCenter1:Customer1
Configuring Users or Hosts for Management Hierarchy
A specific level of access is defined to represent the top-most node in the Management Hierarchy
assigned to each user or host. This level is defined in the user's "ManagementHierarchy" attribute.
The total value length is limited to 256 characters.
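The "equals or is contained in" rule above, together with the All:US:NY example in the Management Hierarchy section, is the whole of the authorization logic this feature adds, so it is worth seeing it as code. The following is an added example, not code from Cisco ACS, that evaluates the UserIsInManagementHierarchy/HostIsInManagementHierarchy value for a user (or host) against the hierarchy label of the device the request arrived through. It assumes that levels are separated by ":", that the user's "one or more hierarchies" are supplied as a list, that level names compare exactly (case handling is not specified on this page), and that the user attribute and the device NDG value use the same label form; the naive_startswith helper is included only to show why a plain string prefix is the wrong check. All label values below are constructed from the page's examples.

```python
"""Added example (not Cisco ACS code): ManagementHierarchy containment check."""
from typing import Iterable, List

MAX_HIERARCHY_LEN = 256   # limit stated for the ManagementHierarchy attribute
LEVEL_SEP = ":"           # assumption: levels are separated by ":" as in All:US:NY


def split_levels(label: str) -> List[str]:
    """Split a hierarchy label into its levels, rejecting empty levels
    such as 'All::NY' or a trailing ':'."""
    levels = [lvl.strip() for lvl in label.split(LEVEL_SEP)]
    if any(not lvl for lvl in levels):
        raise ValueError(f"empty level in hierarchy label {label!r}")
    return levels


def validate_attribute(value: str) -> str:
    """Enforce the 256-character limit the page states for the attribute
    and the well-formedness of every level. Returns the value unchanged."""
    if len(value) > MAX_HIERARCHY_LEN:
        raise ValueError(f"ManagementHierarchy value exceeds {MAX_HIERARCHY_LEN} characters")
    split_levels(value)
    return value


def is_in_management_hierarchy(user_hierarchies: Iterable[str], device_hierarchy: str) -> bool:
    """Compute UserIsInManagementHierarchy (or HostIsInManagementHierarchy).

    True when any hierarchy assigned to the user equals, or is an ancestor of,
    the device's hierarchy, compared level by level. A user at All:US:NY
    therefore matches a device at All:US:NY:MyMgmtCenter but not one at
    All:US (above the user) or All:US:NYC:... (a sibling whose name merely
    shares a string prefix). With no hierarchies assigned, the default
    value is false, as the page states.
    """
    device_levels = split_levels(device_hierarchy)
    for user_hierarchy in user_hierarchies:
        user_levels = split_levels(validate_attribute(user_hierarchy))
        if len(user_levels) <= len(device_levels) and \
                device_levels[:len(user_levels)] == user_levels:
            return True
    return False


def naive_startswith(user_hierarchy: str, device_hierarchy: str) -> bool:
    """The tempting but wrong check: a raw string prefix test. Kept here
    only to show the All:US:NY vs All:US:NYC:... mismatch."""
    return device_hierarchy.startswith(user_hierarchy)


if __name__ == "__main__":
    # Constructed scenario from the page's examples.
    user = ["All:US:NY"]
    for device in ("All:US:NY:MyMgmtCenter", "All:US", "All:US:NYC:MyMgmtCenter"):
        print(f"user {user} via device {device!r}: "
              f"level-wise={is_in_management_hierarchy(user, device)} "
              f"naive={naive_startswith(user[0], device)}")
```

The device value comes from whichever Network Device Group is chosen as the Management Hierarchy attribute, so a label in the form of the page's AAA-client example (Location:All Locations:ManagementCenter1:Customer1) works the same way provided the user attribute is written in the same form, for example Location:All Locations:ManagementCenter1 to cover every customer under that management center.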