User Based Authorization with ISE

I am trying to configure ISE to limit the activity of individual users once they have logged in from an authorized PC into our network. We basically only want them to be able to connect to specific systems. Is ISE able to do this on a per user basis?

Yes.
One of the things you can do via your Authorization policy is to push a downloadable ACL (dACL) to the port (for wired users). For wireless users you can apply a pre-defined Airespace ACL from the WLC to the user session. 

Similar Messages

  • User based authorization to create Purchase Orders out of Purchase Req.?

    Hello,
    I have the following requirement for my client:
    User based authorization to create Purchase Orders out of Purchase Req.?
    I am told the same can be achieved using the same standard menu path in IMG/Customizing.
    Please advise with the menu path and details. Useful answers will be rewarded.
    Thanks

    Using OMET Function Authorization, you can restrict users from creating Purchase Orders without a Purchase Reqn.
    Using OMET trxn code, create one Function Authorization called "pr"; in the General Parameters tab select the Field Selection, and in the Possible Reference Objects tab mark the "With ref. to PRs" check box and save.
    Next, you've got to associate it via SU01:
    Click Parameters, insert a new parameter ID EFB for the authorization code.
    Type in the Parameters value you want, e.g. XX.
    You have to assign the control for ALL the SAP buyers via their SAP user IDs.
    Log off and log in again. Then try to create a Purchase Order without a reference.
    From next time, whenever you try to create one without referring to a PR, it will not allow you to save the PO.
    Regards,
    Ashok

  • User based authorization

    I have a question about role based authorization. Suppose we have 100 transactions and 100 users. I know we have to create a new role for each new combination of transactions, e.g. 1,2,3,4,14,15 is RoleA and 1,4,25,34 is RoleB, and so on. What if we have a really mixed authorization combination? Suppose 15 users use Role A and 20 use Role B. But we have three new users. They must not use only two transactions in Role A. Now we come to the subject of my question. I don't want to create a new role for these users. Is it possible to restrict authorization as if in the same role but restricted from using these transactions (without ABAP coding)? To put it clearly: user based transaction authorization, not role based.

    Hi,
    In my opinion that isn't possible without coding.
    Sorry ;-(
    Regards
    Bernd

  • IronPort, user based filtering with MS terminal / Citrix?

    Hi there,
    Can someone tell me if the IronPort can handle user based filtering on an MS terminal server / Citrix (multi-user server) with AD integration?
    Thanks a lot.
    Greets,
    Norbert

    If you're using transparent redirection on the Citrix boxes you can use:
    - Cookie Surrogates
    - The "Virtual IP" feature in Citrix (which really means Citrix is dealing with the problem, not the WSA)
    The issue with cookie surrogates is that https traffic appears to be unauthenticated to the WSA and some applications can't deal with them. (Check the help file on the box under "Understanding How Authentication Affects HTTPS and FTP over HTTP Requests".)
    How are you doing the redirection? If you're using explicit redirection, you can turn off surrogates for an identity and it does authentication that is session based...
    The simplest would be Virtual IP on Citrix, since that looks the most like a regular workstation to a WSA...

  • Re: Permission-based authorization with JAAS

    Actually, I am struggling on this topic also. Probably someone else could help on this. If you only deal with WLS, one solution could be to write your own RoleMapper. When the RoleMapper is called, the subject/principal should be available; at that time you could do a DB search to find the roles the principal belongs to and return all the roles to the WLS security manager. WLS takes over from there to enforce the access control defined in ejb-jar.
    -John
    "Natasha" <[email protected]> wrote:
    That is very helpful, thank you very much, John!
    What about dynamic role definition? Any thoughts on how I should go about authorizing based on specific permissions a user has? What I need, essentially, is to have only the relevant parts of a given page visible to a user with certain permissions, so I want to use JAAS to have a system that would check if the current instance of Subject is authorized for a particular action.
    Natasha
    "John Zhu" <[email protected]> wrote:
    One thing you could do is to have all the clients log in through the JNDI lookup API. The client's principal will be passed to the bean. Inside the bean's method, call principal.getName() to retrieve the principal. After that you could search the DB to get the ACL related to the principal, then enforce the security.
    Principal principal = context.getCallerPrincipal();
    logger.info("The principal name: "+principal.getName());
    [email protected] (Natasha) wrote:
    I need to implement an authorization model in which a user can be authorized to view a certain page or a part of a page based on their permissions. The trick is that the role definition is dynamic, and I can not make a policy file ahead of time. Instead, I would like to simply retrieve the user's permissions and then allow access (or, say, use a JSP tag to check if a certain part of the page should be displayed) based on whether the user has the permission required, and have a configuration file that defines the access policy by mapping actions to permissions. I am trying to figure out whether I can use JAAS and the Subject class for this, because all of the examples I could find map actions to roles, rather than individual permissions. Also, I am confused as to whether or not I would have to implement my own LoginModule if I need to authenticate against a database, in my case probably via using Weblogic entity beans. The Sun tutorial states that developers do not need to implement a LoginModule, but I do not understand how I can do all that without it. I am using Weblogic 7.0 and Struts.
    Any help will be greatly appreciated.
    Natasha

    Did you think about implementing your own AuthorizationProvider and using it in your security realm? The AuthorizationProvider does the trick of verifying which resource is being accessed and who can access it.
    My only problem is that I am unable to find out how to make the Resource know what instance it is...
    "Natasha" <[email protected]> wrote:
    I guess I have to see if anyone suggests an alternative, and then decide whether it is worth adapting JAAS instead of a quick homegrown solution, as it seems like in our case the biggest reason to adopt JAAS is it being the standard.
    Thank you very much for your help, John!
    Natasha.

  • User Based whitelist with SpamAssassin

    Hello,
    I'm currently setting up an IMS 5.2 with SpamAssassin as a spam filter.
    The user should be able to switch the spam filter on and off. If the filter is on, a check is required whether the sender (From:) address is within the AddressBook of the receiver of the email. The on/off information and the AddressBook are stored within LDAP. My question is how to configure the rewrite rules and the channels within the IMTA in order to check on/off and whether the sender is in the address book of the receiver. Based on this check the mail should be processed by SpamAssassin or not.
    tschneider74

    I managed to have an LDAP lookup for the receiver of the email within the rewrite rule.
    The rewrite rule looks like this:
    testdomain.com $U%testdomain.com@test_ts-$]ldap://ldaphost:449/ou=people,o=organization?spamenabled?sub?(mail=$[email protected])[daemon
    Depending on the LDAP value found for this search, the test_ts-XXXdaemon channel is used.
    But is there a way to use the sender and the receiver of the email within the LDAP search in such a rewrite rule? In order to solve my task I need to take the receiver and search in the receiver's address book for the sender of the email.

  • Per-device/per-user AAA authorization with Freeradius

    Hi Folks
    I'm using FreeRADIUS with a local username database (no LDAP) for authentication (working well).
    I have various network devices in my network, and I would like to have custom authorization per user per device:
    I would like to have 2 types of network admins and 2 types of network devices, with the following rules:
    - "Core devices" must grant privilege level 15 to "Core admins"
    - "Access devices" must grant privilege level 15 to "Access admins" and "Core admins"
    - "Core devices" must grant privilege level 1 to "Access admins".
    - There is no way "Access admins" can access configuration mode on "Core devices" with the enable command.
    Any help and config example for the FreeRADIUS and Cisco side is very welcome
    thanks
    olivier

    Hello Olivier,
    I would like to suggest that you go to the link below. This document describes the procedure for per-device user authentication.
    http://wiki.freeradius.org/vendor/Cisco#Per-User-Privilege-Level
    Hope this may help you
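    As an added illustration (not from this thread or from the linked wiki page), here is a FreeRADIUS huntgroups/users fragment that encodes the four rules above. It assumes two devices with placeholder addresses 192.0.2.1 (core) and 192.0.2.10 (access), a Core admin "alice" and an Access admin "bob", and an IOS switch whose exec authorization is delegated to RADIUS; Huntgroup-Name as a check item and the Cisco-AVPair "shell:priv-lvl" attribute are standard FreeRADIUS/Cisco features.

```text
# /etc/raddb/huntgroups  (added example; device addresses are placeholders)
core-devices    NAS-IP-Address == 192.0.2.1
access-devices  NAS-IP-Address == 192.0.2.10

# /etc/raddb/users  (added example; passwords are placeholders)
# Core admin: privilege 15 on every device, so one entry with no device check.
alice   Cleartext-Password := "CHANGEME"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

# Access admin: privilege 15 on access devices, privilege 1 on core devices.
# The Huntgroup-Name check item selects the entry by the requesting device;
# the first entry whose check items all match wins (no Fall-Through), and a
# request from a device in neither huntgroup matches nothing and is rejected.
bob     Cleartext-Password := "CHANGEME", Huntgroup-Name == "access-devices"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

bob     Cleartext-Password := "CHANGEME", Huntgroup-Name == "core-devices"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=1"

# Cisco IOS side (minimal): priv-lvl only takes effect when the switch asks
# RADIUS for exec authorization. 192.0.2.100 is a placeholder server address.
# aaa new-model
# aaa authentication login default group radius local
# aaa authorization exec default group radius local
# radius-server host 192.0.2.100 key CHANGEME
```

    The priv-lvl=1 entry only sets bob's initial exec level on core devices; whether he can escalate with enable is decided by the switch's enable authentication (a local enable secret, or `aaa authentication enable default group radius`, which authenticates the reserved username $enab15$), so that path has to be restricted separately for the fourth rule to hold.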

  • Permission-based authorization with JAAS

    I need to implement an authorization model in which a user can be authorized to view a certain page or a part of a page based on their permissions. The trick is that the role definition is dynamic, and I can't make a policy file ahead of time. Instead, I would like to simply retrieve the user's permissions and then allow access (or, say, use a JSP tag to check if a certain part of the page should be displayed) based on whether the user has the permission required, and have a configuration file that defines the access policy by mapping actions to permissions. I am trying to figure out whether I can use JAAS (at the risk of being strangled by omni-present Michael Lee) and the Subject class for this, because all of the examples I could find map actions to roles, rather than individual permissions. Also, I am confused as to whether or not I would have to implement my own LoginModule if I need to authenticate against a database, in my case probably via using Weblogic entity beans. The Sun tutorial states that developers do not need to implement a LoginModule, but I do not understand how I can do all that without it. I am using Weblogic 7.0 and Struts.
    Any help will be greatly appreciated.
    Natasha

  • EAP Chaining user, machine, RSA with ISE

    Hi,
    Is there any way to configure the following using ISE and the AnyConnect/NAM module?
    eap-chaining:
    1. USER auth, Machine fail = Internet (works)
    2. User auth, Machine auth = limited corporate (works)
    3. User auth, Machine auth, RSA auth = Full (not sure about this one)
    Ideally we'd like the RSA prompts to appear on the successful completion of user/machine auth.
    Alternatively, can we prompt RSA, and if that fails still test User/Machine?
    Thanks,

    Please check the following document; it will be helpful in your scenarios:
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf

  • User based Authorization for Documents

    Hi All,
    Is it possible to have following scenario?
    1)
    There is a folder A. Inside this folder there are two files, abc.txt and xyz.txt.
    Now User 1 and User 2 both have access to folder A.
    User 1 can read / download the files abc.txt and xyz.txt.
    User 2 can see only the name of the file inside this folder, but he can't download this file. And he can read / download the xyz.txt file.
    And instead of per user, can it be given role based also???
    Like abc.txt can be downloaded only by the R&D role and not by any other users.
    The main purpose of this feature is to let the user know there is a document stored in a particular folder, but he can only see the name of this document.
    Regards,
    Purav

    Hi Jitendar,
    From permissions we can do only read, write, read & write, full control, that's it.
    See the scenario I have given.
    User2 can't even read the file, he can only see the name of that file.
    I have seen the KM Permission link http://help.sap.com/saphelp_nw04/helpdata/en/4c/9d953fc405330ee10000000a114084/frameset.htm
    but still couldn't find the solution to my scenario.
    Regards,
    Purav

  • Hierarchy authorization with variables of type exit

    Hi all,
    I am trying to implement hierarchy based authorizations with variables. After collecting information from the SAP documentation and this forum, I think I know more or less how to do it, but it's not working and it has me very confused.
    These are the steps I have followed:
    - From RSSM, I have created a hierarchy authorization object including my characteristic and 0TCTAUTHH
    - From RSSM again, I have created a hierarchy authorization pointing to the node $ZG_V_008
    - From the Query Designer, I have created a hierarchy node variable of processing type customer exit, ZG_V_008 (are any special settings needed here?)
    - From the Query Designer, I have created another hierarchy node variable of processing type authorization, and I have used this variable to restrict the hierarchy for my characteristic
    - I have edited EXIT_SAPLRRS0_001 to watch for I_STEP = 0 and give values to ZG_V_008 (we'll get to my code later, in case we solve this issue first)
    It is my understanding that with this setup the user exit will be called to process the value of ZG_V_008 in I_STEP = 0; however, when debugging, I don't see any calls to the function with I_STEP = 0.
    What have I done wrong?
    Thanks a lot in advance.
    Guillermo

    Thanks, Jimmy, but that does not help much: my problem is that my user exit is not evaluated with I_STEP=0, but there are no error messages or anything like that.
    I have created a test user without a developer role to see if that could have any impact, but it's still not working.
    Any ideas?

  • Limit the number of session per user in the Wired dot1x environment with ISE 1.2

    Hello,
    I need to check if there is any configuration/workaround to limit the number of sessions/accesses per user in a wired dot1x configuration.
    I need to check if this feature is available or not to solve the following scenario:
    I have 2 switch ports configured to use dot1x authentication with an ISE 1.2 server.
    If user A connects to the 1st port and is authenticated, he will be placed on a VLAN based on the authorization profile.
    The case is that I need to deny the same user connecting on a different machine with the same credentials.
    ISE itself does not have this feature currently; the only feature available is to limit the number of sessions for the guest user.
    Is there any workaround on the Cisco switches to solve this? Cisco WLC has this feature, and for VPN we can limit the number of sessions from the ASA itself.
    Thanks.

    Limiting the number of sessions per user with wired dot1x is not available in 1.3.

  • IBNS with ISE, authorization issue

    I'm running the 90-day ISE demo and trying to configure IBNS with it. I love the feel of the interface and almost instantly had a set of policies up and working fine. My issue is this:
    I have an authorization service for machines so before a user logs in, their machine will authenticate to a list of machines in AD. This will give them guest/limited access.
    I have a second authorization service for users. Once the user authenticates to AD, they should get access based on user group or other AD attributes. However once the user authenticates to AD, the previous authorization service that they had before is still enforced. The user is stuck with machine authorization. I figured that it was because the setting was "First Matched Rule Applies" so I switched to Multiple and now after the login, it still matches machine authorization but it now also matches on Default which will deny access...how can something match both authorized and default?
    Because of that I have to make the machine authorization setting open to everything. Can anyone provide any guidance on this issue, as config examples and such aren't out yet for ISE, and the admin guide wasn't very helpful with this particular issue?
    Thanks
    Xavier

    The problem is that when the user is authorised after the machine is authorised, he still gets Machine Access (number 6). The user is supposed to get Engineer Access based on the IBNS User Authorisation Rule in number 1.
    Comparing 5 and 6, the username for 5 is host/machineName/domain which should be granted Machine Access based on how AD is set up (with a list of hostnames of Domain Computers). In number 6 the username is domain/username which indicates it's a domain user and so he should get engineer access. For some reason, ISE doesn't want to match with the new authorisation rule and just keeps the one that I had before.

  • BI Bex Query prompt based on User's Authorization....

    Hi
    In BI, I created 1 BEx Query based on authorization. If a user runs the query, it prompts for 'Customer Name' to get the data of a particular customer. And the Customer values are populated in the prompt based on the user's authorization.
    For example:
    User1 is authorized to see data of Customer1 & Customer2. So, Query prompt will show 2 values: 'Customer1' & 'Customer2'.
    But User2 is authorized to see data of Customer1, so Query prompt will show 'Customer1' only.
    I created 2 variables on Customer field:
    1) Authorization Variable in Filter Section
    2) Manual, Single Entry, Mandatory on Default Value section.
    My Requirement:
    If the user is authorized to link with only 1 Customer, he should not get a prompt, and in the background the prompt value should be populated from his authorization value. But if the user is authorized to see multiple customers, then the prompt should appear.
    If possible, please provide some suggestions....
    Thanks...

    Yes, this can be done.
    But there is a little workaround, using guided navigation:
    1. Create a report with column fx as case when 1=0 then markets.region else user() end
    2. apply filter on this column is equal to User_1
    3. Create another report with column fx as case when 1=0 then markets.region else user() end
    4. apply filter on this column is equal to User_2
    5. Now add all your prompts to the dashboard, but each prompt should be in its own section object of the dashboard.
    6. For the first section click on section properties, go to Guided Navigation...
    7. Browse Source Request as the first report, and keep "If request returns rows" selected.
    8. Repeat the above step for the other section, but this time browse the 2nd report.
    9. Just save dashboard.
    Check now..
    Hope you understood..
    Regards
    Kishore Guggilla
    Edited by: Kishore Guggilla on Feb 18, 2009 12:57 PM

  • Broadcast based on user's authorization

    Hi
    I have to broadcast the reports based on the user authorization. What are the possible ways of achieving this?
    1. Is it possible to execute the report only once and send the reports to different users based on their authorization?
    2. For example, there are four sales organizations and I want to send reports to users with only the sales org data he/she is authorized to see. For this, do we have to create four user roles restricting them to the sales org? If there is any other way, please suggest.
    3. Is it possible to apply the user's authorization on the file created by broadcasting? Basically I want to execute the report only once through broadcasting, apply the user's authorization and then burst the report data to the different users based on their authorization.
    Thanks in advance.
    Regards
    Sadeesh

    Dear Sadeesh,
    We have a similar requirement in our project. We need to broadcast a BI report to multiple users based on their authorization, which has been maintained in BI. Do you have a solution for this? Do we need to make some necessary settings in the user profile?
    Thanks In Adv.
    Deepika
