Cisco ISE comes with a set of predefined data access permissions. These permissions let several administrators share data access to the same user population. You can enable or restrict the use of data access permissions for one or more admin groups. This gives administrators of one admin group autonomous, delegated control: they can reuse the data access permissions of the chosen admin groups through selective association. Data access permissions range from full access to no access for viewing selected admin groups, identity groups, or network device groups.

RBAC policies are defined in terms of the administrator (RBAC) group, menu access permissions, and data access permissions. First create the menu access and data access permissions, then create an RBAC policy that associates an admin group with the corresponding menu access and data access permissions. An RBAC policy takes the form: If admin_group=Super Admin then assign SuperAdmin Menu Access permission + SuperAdmin Data Access permission. Apart from the predefined data access permissions, Cisco ISE also allows you to create custom data access permissions that you can associate with an RBAC policy.
There are three data access levels, namely Full Access, No Access, and Read Only, that can be granted to admin groups.
Read Only access can be granted on the following data types, reached from these menu paths:
Administration > Admin Access > Administrators > Admin Groups
Administration > Groups > User Identity Group
Administration > Groups > Endpoint Identity Groups
Network Visibility > Endpoints
Administration > Network Resources > Network Device Groups
Administration > Network Resources > Network Devices
Administration > Identity Management > Identities
Administration > Identity Management > Groups > User Identity Groups
Administration > Identity Management > Groups > Endpoint Identity Groups
If you have read-only permission for a data type (for example, Endpoint Identity Groups), you can view objects of that type but cannot create, update, or delete them. If you have read-only permission for a single object (for example, GuestEndpoints), you cannot edit or delete that object.
The following image shows how data access privileges are applied at a second-level or third-level menu that contains additional submenus or options, for different RBAC groups.
Figure 1. Data Access Privileges

| Label | Description |
|---|---|
| 1 | Denotes full access for the User Identity Groups data type. |
| 2 | Denotes that Endpoint Identity Groups derives the maximum permission (full access) that is granted to its child (Asia, in the example shown in the figure). |
| 3 | Denotes that there is no access for the object (blocked list). |
| 4 | Denotes that the parent (Continents) derives the maximum access permission granted to its child (Asia). |
| 5 | Denotes read-only access for the object (Australia). |
| 6 | Denotes that when full access is granted to the parent (Network Device Groups), the children automatically inherit that permission. |
| 7 | Denotes that when full access is granted to the parent (Asia), the objects under it inherit the Full Access permission, unless permissions are explicitly granted to the objects. |
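The following Python model is an added example, not code from the Cisco documentation and not part of ISE itself. It puts the two ideas on this page into executable form: the RBAC policy shape (if admin_group = X then assign menu access + data access) and the inheritance rules called out in Figure 1 (an object with no explicit grant inherits from its nearest granted ancestor, rule 7; a parent derives the maximum permission held by any of its children, rules 2 and 4; an explicit No Access on an object such as Blocked List blocks it, rule 3). The group tree, the "APAC Data Access" permission, the "APAC Network Admin" group, and all function names are hypothetical and constructed for illustration. The upward "derives the maximum" rule is implemented literally as the figure describes it; confirm how your ISE release enforces operations on such a parent node before relying on the model for an access review.

```python
"""Toy model of Cisco ISE data access resolution (added example, not ISE code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordered levels so that "maximum permission" (Figure 1, labels 2 and 4) is well defined.
NO_ACCESS, READ_ONLY, FULL_ACCESS = 0, 1, 2
LEVEL_NAME = {NO_ACCESS: "No Access", READ_ONLY: "Read Only", FULL_ACCESS: "Full Access"}

# Constructed hierarchy (hypothetical, loosely mirrors Figure 1). Paths are
# "/"-separated and every prefix of a path is one of its ancestors.
TREE: List[str] = [
    "Network Device Groups",
    "Network Device Groups/All Locations",
    "Network Device Groups/All Locations/Asia",
    "Network Device Groups/All Locations/Asia/India",
    "Network Device Groups/All Locations/Australia",
    "Endpoint Identity Groups",
    "Endpoint Identity Groups/Blocked List",
    "Endpoint Identity Groups/GuestEndpoints",
]

# A data access permission is a named set of explicit grants on tree nodes.
DataAccess = Dict[str, int]
DATA_ACCESS_PERMISSIONS: Dict[str, DataAccess] = {
    "SuperAdmin Data Access": {
        "Network Device Groups": FULL_ACCESS,
        "Endpoint Identity Groups": FULL_ACCESS,
    },
    # Hypothetical custom permission for a regional operator.
    "APAC Data Access": {
        "Network Device Groups": READ_ONLY,
        "Network Device Groups/All Locations/Asia": FULL_ACCESS,      # label 7: India inherits this
        "Network Device Groups/All Locations/Australia": READ_ONLY,   # label 5
        "Endpoint Identity Groups": FULL_ACCESS,
        "Endpoint Identity Groups/Blocked List": NO_ACCESS,           # label 3
    },
}


@dataclass(frozen=True)
class RbacPolicy:
    """If admin_group = <admin_group> then assign <menu_access> + <data_access>."""
    admin_group: str
    menu_access: str
    data_access: str


RBAC_POLICIES: List[RbacPolicy] = [
    RbacPolicy("Super Admin", "SuperAdmin Menu Access", "SuperAdmin Data Access"),
    RbacPolicy("APAC Network Admin", "Network Admin Menu Access", "APAC Data Access"),
]


def _parent(path: str) -> Optional[str]:
    return path.rsplit("/", 1)[0] if "/" in path else None


def _children(path: str) -> List[str]:
    return [node for node in TREE if _parent(node) == path]


def inherited_permission(path: str, grants: DataAccess) -> int:
    """Explicit grant on the node, else the nearest granted ancestor's level, else No Access."""
    node: Optional[str] = path
    while node is not None:
        if node in grants:
            return grants[node]
        node = _parent(node)
    return NO_ACCESS


def effective_permission(path: str, grants: DataAccess) -> int:
    """A parent derives the maximum level held by any child (Figure 1, labels 2 and 4)."""
    own = inherited_permission(path, grants)
    child_max = max((effective_permission(c, grants) for c in _children(path)), default=NO_ACCESS)
    return max(own, child_max)


# Read needs at least Read Only; create, update and delete need Full Access,
# matching the page's statement that read-only blocks edit and delete.
REQUIRED_LEVEL = {"read": READ_ONLY, "create": FULL_ACCESS, "update": FULL_ACCESS, "delete": FULL_ACCESS}


def data_access_for(admin_group: str) -> DataAccess:
    """Resolve the RBAC policy for an admin group; no matching policy means no data access at all."""
    for policy in RBAC_POLICIES:
        if policy.admin_group == admin_group:
            return DATA_ACCESS_PERMISSIONS[policy.data_access]
    return {}


def is_allowed(admin_group: str, operation: str, path: str) -> bool:
    if path not in TREE:
        raise ValueError(f"unknown object: {path}")
    level = effective_permission(path, data_access_for(admin_group))
    return level >= REQUIRED_LEVEL[operation]


def permission_report(admin_group: str) -> Dict[str, str]:
    """Effective level of every node for one admin group, as shown in the ISE tree view."""
    grants = data_access_for(admin_group)
    return {node: LEVEL_NAME[effective_permission(node, grants)] for node in TREE}


if __name__ == "__main__":
    for node, level in permission_report("APAC Network Admin").items():
        print(f"{level:12} {node}")
```

Running the block prints the effective level for each node as the APAC operator would see it: India is Full Access although it has no grant of its own, Australia stays Read Only, Blocked List is No Access even though its parent is Full Access, and All Locations is derived as Full Access because Asia under it is Full Access. A group with no RBAC policy at all resolves to No Access everywhere, which is the safe default the model preserves.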
The following table shows the default data access permissions for different admin groups.
√: Denotes that a user has full access
x: Denotes that a user has no access
!: Denotes that a user has read-only access
Table 3. Data Access Permissions (each column is the data access of that admin group)

| Menus and Submenus | Super Admin | Policy Admin | Identity Admin | Network Admin | System Admin | RBAC Admin | Customization Admin | TACACS+ Admin | Read Only Admin |
|---|---|---|---|---|---|---|---|---|---|
| Admin Groups | √ | x | x | x | √ | √ | x | x | ! |
| Admin Groups > Super Admin | √ | x | x | x | √ | √ | x | x | ! |
| Admin Groups > Policy Admin | √ | x | x | x | √ | √ | x | x | ! |
| Admin Groups > Helpdesk Admin | √ | x | x | x | √ | √ | x | x | ! |
| Admin Groups > Identity Admin | √ | x | x | x | √ | √ | x | x | ! |
| Admin Groups > Network Device Admin | √ | x | x | x | √ | √ | x | x | ! |
| Admin Groups > System Admin | √ | x | x | x | √ | √ | x | x | ! |
| Admin Groups > RBAC Admin | √ | x | x | x | √ | √ | x | x | ! |
| Admin Groups > MnT Admin | √ | x | x | x | √ | √ | x | x | ! |
| Admin Groups > ERS Admin | √ | x | x | x | √ | √ | x | x | ! |
| Admin Groups > ERS Operator | √ | x | x | x | √ | √ | x | x | ! |
| Admin Groups > Customization Admin | √ | x | x | x | √ | √ | x | x | ! |
| Admin Groups > TACACS+ Admin | √ | x | x | x | √ | √ | x | x | ! |
| Admin Groups > Read Only Admin | √ | x | x | x | √ | √ | x | x | ! |
| Admin Groups > Elevated System Admin | √ | x | x | x | √ | √ | x | x | ! |
| Admin Groups > SPOG Admin | √ | x | x | x | √ | √ | x | x | ! |
| Admin Groups > ERS Trustsec | √ | x | x | x | √ | √ | x | x | ! |
| User Identity Groups | √ | √ | √ | x | x | x | √ | √ | ! |
| User Identity Groups > GuestType_Weekly (default) | √ | √ | √ | x | x | x | √ | √ | ! |
| User Identity Groups > OWN_ACCOUNTS (default) | √ | √ | √ | x | x | x | √ | √ | ! |
| User Identity Groups > GROUP_ACCOUNTS (default) | √ | √ | √ | x | x | x | √ | √ | ! |
| User Identity Groups > GuestType_SocialLogin (default) | √ | √ | √ | x | x | x | √ | √ | ! |
| User Identity Groups > Employee | √ | √ | √ | x | x | x | √ | √ | ! |
| User Identity Groups > GuestType_Daily (default) | √ | √ | √ | x | x | x | √ | √ | ! |
| User Identity Groups > GuestType_Contractor (default) | √ | √ | √ | x | x | x | √ | √ | ! |
| User Identity Groups > ALL_ACCOUNTS (default) | √ | √ | √ | x | x | x | √ | √ | ! |
| Endpoint Identity Groups | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Blocked List | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > GuestEndpoints | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > RegisteredDevices | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Unknown | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Profiled | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Profiled > Sony-Device | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Profiled > Cisco-Meraki-Device | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Profiled > Windows11-Workstation | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Profiled > Apple-iDevice | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Profiled > BlackBerry | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Profiled > Android | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Profiled > Axis-Device | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Profiled > Juniper-Device | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Profiled > Epson-Device | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Profiled > Synology-Device | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Profiled > Vizio-Device | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Profiled > Trendnet-Device | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Profiled > Cisco-IP-Phone | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Profiled > OS_X_BigSur-Workstation | √ | √ | √ | x | x | x | √ | x | ! |
| Endpoint Identity Groups > Profiled > Workstation | √ | √ | √ | x | x | x | √ | x | ! |
| Network Device Groups | √ | x | x | √ | x | x | x | √ | ! |
| Network Device Groups > All Locations | √ | x | x | √ | x | x | x | √ | ! |
| Network Device Groups > All Locations > Asia | √ | x | x | √ | x | x | x | √ | ! |
| Network Device Groups > All Locations > Asia > India | √ | x | x | √ | x | x | x | √ | ! |
| Network Device Groups > Is IPSEC Device | √ | x | x | √ | x | x | x | √ | ! |
| Network Device Groups > Is IPSEC Device > Yes | √ | x | x | √ | x | x | x | √ | ! |
| Network Device Groups > Is IPSEC Device > No | √ | x | x | √ | x | x | x | √ | ! |
| Network Device Groups > All Device Types | √ | x | x | √ | x | x | x | √ | ! |
| Customization | NA | NA | NA | NA | NA | NA | √ | NA | NA |