Cisco Bug: CSCvv09981 - RBAC- Custom Read only Policies and RO groups when created provides write access to policy sets
Jul 24, 2020
- Cisco Identity Services Engine
Known Affected Releases
Symptom:
1. Created a custom Read only RBACTest group with an RBACTest user
2. Created Data Access Permission - RBACReadOnlyData under Administration > Admin Access > Permissions > Data Access
   -- Provided Read Only Access privileges to all the groups
3. Created a custom Policy
   -- Mapped this RBACReadOnlyData custom group
4. Logging into ISE with the RBACTest user, we observe:
   -- The Network devices, Network device group, and Deployment tabs all have Read only access
   -- Policy sets: RADIUS or Device admin policy sets have write access (can be modified)

When we use the default Read only group present under RBAC policies, it works as expected:
   -- Mapped the RBACTest user under the "Read Only Admin" group
   -- All the policy sets have read only access (not modifiable)

Note: You cannot create a custom RBAC policy using the "Read Only Admin" group, as per the document: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/Workflow/b_overview_2_4.html#Read_Only_Admin_Policy

Conditions: Issue reproduced on ISE version 2.6. Issue reported on latest ISE 2.7 as well.