Customization Admin
|
Manage sponsor, guest, and personal devices portals
|
- Configure guest and sponsor access.
- Manage guest access settings.
- Customize end-user web portals.
|
|
Helpdesk Admin
|
Query monitoring and troubleshooting operations
|
|
Cannot create, update, or delete reports, troubleshooting flows, live authentications, or alarms
|
Identity Admin
|
|
- Add, edit, and delete user accounts and endpoints
- Add, edit, and delete identity sources
- Add, edit, and delete identity source sequences
- Configure general settings for user accounts (attributes and password policy)
- View the Cisco ISE dashboard, livelogs, alarms, and reports.
- Run all troubleshooting flows.
|
Cannot perform any policy management or system-level configuration tasks in Cisco ISE
|
MnT Admin
|
Perform all monitoring and troubleshooting operations.
|
- Manage all reports (run, create, and delete)
- Run all troubleshooting flows
- View the Cisco ISE dashboard and livelogs
- Manage alarms (create, update, view, and delete)
|
Cannot perform any policy management or identity management or system-level configuration tasks in Cisco ISE
|
Network Device Admin
|
Manage Cisco ISE network devices and network device repository.
|
- Read and write permissions on network devices
- Read and write permissions on NDGs and all network resources object types
- View the Cisco ISE dashboard, livelogs, alarms, and reports
- Run all troubleshooting flows
|
Cannot perform any policy management or identity management or system-level configuration tasks in Cisco ISE
|
Policy Admin
|
Create and manage policies for all Cisco ISE services across the network that are related to authentication, authorization, posture, profiler, and client provisioning.
|
- Read and write permissions on all the elements used in policies, such as authorization profiles, NDGs, and conditions
- Read and write permissions on identities, endpoints, and identity groups (user identity groups and endpoint identity groups)
- Read and write permissions on services policies and settings
- View the Cisco ISE dashboard, livelogs, alarms, and reports
- Run all troubleshooting flows
|
Cannot perform any identity management or system-level configuration tasks in Cisco ISE
|
RBAC Admin
|
All tasks under the Operations menu except for the Endpoint Protection Services Adaptive Network Control, and partial access to some menu items under Administration
|
- View the authentication details
- Enable or disable Endpoint Protection Services Adaptive Network Control
- Create, edit, and delete alarms; generate and view reports; and use Cisco ISE to troubleshoot problems in your network
- Read permissions on administrator account settings and admin group settings
- View permissions on admin access and data access permissions along with the RBAC policy page.
- View the Cisco ISE dashboard, livelogs, alarms, and reports
- Run all troubleshooting flows
|
Cannot perform any identity management or system-level configuration tasks in Cisco ISE
|
Super Admin
|
All Cisco ISE administrative functions. The default administrator account belongs to this group.
|
Create, read, update, delete, and eXecute (CRUDX) permissions on all Cisco ISE resources.
Note: The super admin user cannot modify the default system-generated RBAC policies and permissions. To do this, you must create new RBAC policies with the necessary permissions based on your needs, and map these policies to any admin group.
|
|
System Admin
|
All Cisco ISE configuration and maintenance tasks.
|
Full access (read and write permissions) to perform all activities under the Operations tab and partial access to some menu items under the Administration tab.
- Read permissions on administrator account settings and administrator group settings
- Read permissions on admin access and data access permissions along with the RBAC policy page
- Read and write permissions for all options under the Administration > System menu
- View the authentication details
- Enable or disable Endpoint Protection Services Adaptive Network Control
- Create, edit, and delete alarms; generate and view reports; and use Cisco ISE to troubleshoot problems in your network
|
Cannot perform any policy management or system-level configuration tasks in Cisco ISE
|
External RESTful Services (ERS) Admin
|
Full access to all ERS API requests such as GET, POST, DELETE, PUT
|
|
The role is meant only for ERS authorization supporting Internal Users, Identity Groups, Endpoints, Endpoint Groups, and SGT
|
External RESTful Services (ERS) Operator
|
Read-only access to ERS API, only GET
|
|
The role is meant only for ERS authorization supporting Internal Users, Identity Groups, Endpoints, Endpoint Groups, and SGT
|