Cisco Bug: CSCvv09981 - RBAC- Custom Read only Policies and RO groups when created provides write access to policy sets

Last Modified

Jul 24, 2020

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

2.6(0.156) 2.7(0.901)

Description (partial)

Symptom:
1. Created a custom read-only RBACTest group with an RBACTest user
2. Created a Data Access permission, RBACReadOnlyData,
under Administration > Admin Access > Permissions > Data Access
 -- Provided Read Only Access privileges to all the groups

3. Created a custom policy
 -- Mapped this RBACReadOnlyData custom group

4. Logged in to ISE with the RBACTest user and we observe:
 -- The Network Devices, Network Device Group, and Deployment tabs all have read-only access
 -- Policy sets (RADIUS or Device Admin policy sets) have write access (can be modified)

When we use the default Read Only group present under RBAC policies, it works as expected:
 -- Mapped the RBACTest user under the "Read Only Admin" group
 -- All the policy sets have read-only access (not modifiable)


Note: You cannot create a custom RBAC policy using the "Read Only Admin" group,
as per the document:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/Workflow/b_overview_2_4.html#Read_Only_Admin_Policy

Conditions:
Issue reproduced on ISE version 2.6.

Issue reported on latest ISE 2.7 as well.