Authorization Exception Rule

Location in GUI: Work Centers » Device Administration » Device Admin Policy Sets » XXX » Authorization Policy - Local Exceptions

Diagram

Classes

policy_sets (ise.device_administration)

Name	Type	Constraint	Mandatory	Default Value
authorization_exception_rules	List	`[authorization_exception_rules]`	No

authorization_exception_rules (ise.device_administration.policy_sets)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[\w\d\_\-\. ]+$`	Yes
state	Choice	`enabled`, `disabled`, `monitor`	No	`enabled`
condition	Class	`[condition]`	No
profile	String		No
command_sets	List	String	No

condition (ise.device_administration.policy_sets.authorization_exception_rules)

Name	Type	Constraint	Mandatory	Default Value
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No	`false`
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`, `macContains`, `macEndsWith`, `macEquals`, `macIn`, `macNotContains`, `macNotEndsWith`, `macNotEquals`, `macNotIn`, `macNotStartsWith`, `macStartsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.device_administration.policy_sets.authorization_exception_rules.condition)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`, `macContains`, `macEndsWith`, `macEquals`, `macIn`, `macNotContains`, `macNotEndsWith`, `macNotEquals`, `macNotIn`, `macNotStartsWith`, `macStartsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.device_administration.policy_sets.authorization_exception_rules.condition.children)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`, `macContains`, `macEndsWith`, `macEquals`, `macIn`, `macNotContains`, `macNotEndsWith`, `macNotEquals`, `macNotIn`, `macNotStartsWith`, `macStartsWith`	No
attribute_value	String		No
name	String		No

Examples

Example-1 Authorization Exception Rule for DNAC Devices

This example defines an enabled authorization exception rule named “DNACException” within the “Global Policy” device administration policy set. The rule applies to devices identified by the attribute “DNAC” equal to “DNAC Devices” and assigns the “Default Shell Profile” as the authorization profile.

ise:
  device_administration:
    policy_sets:
      - name: Global Policy
        description: Global policy
        state: enabled
        service_name: Default Network Access
        authorization_exception_rules:
          - name: DNACException
            state: enabled
            condition:
              type: ConditionAttributes
              dictionary_name: DEVICE
              attribute_name: DNAC
              operator: equals
              attribute_value: DNAC Devices
            profile: Default Shell Profile

Example-2 Authorization Exception Rule for User3 with DenyAllCommands

This example defines an enabled authorization exception rule named “User3” within the “Global Policy” device administration policy set. The rule applies to TACACS users where the User attribute equals “User3.” It assigns the “Default Shell Profile” and restricts commands using the “DenyAllCommands” command set. The policy set is active with the service name “Default Network Access.”

ise:
  device_administration:
    policy_sets:
      - name: Global Policy
        description: Global policy
        state: enabled
        service_name: Default Network Access
        authorization_exception_rules:
          - name: User3
            state: enabled
            condition:
              type: ConditionAttributes
              is_negate: false
              dictionary_name: TACACS
              attribute_name: User
              operator: equals
              attribute_value: User3
            profile: Default Shell Profile
            command_sets:
              - DenyAllCommands

Location in GUI: Work Centers » Device Administration » Device Admin Policy Sets » XXX » Authorization Policy - Local Exceptions

Diagram

Classes

policy_sets (ise.device_administration)

Name	Type	Constraint	Mandatory	Default Value
authorization_exception_rules	List	`[authorization_exception_rules]`	No

authorization_exception_rules (ise.device_administration.policy_sets)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[\w\d_\-\. ]+$`	Yes
state	Choice	`enabled`, `disabled`, `monitor`	No	`enabled`
condition	Class	`[condition]`	No
profile	String		No
command_sets	List	String	No

condition (ise.device_administration.policy_sets.authorization_exception_rules)

Name	Type	Constraint	Mandatory	Default Value
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No	`false`
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.device_administration.policy_sets.authorization_exception_rules.condition)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.device_administration.policy_sets.authorization_exception_rules.condition.children)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No

Examples

ise:
  device_administration:
    policy_sets:
      - name: Global Policy
        authorization_exception_rules:
          - name: User3
            default: false
            state: enabled
            condition:
              type: ConditionAttributes
              is_negate: false
              dictionary_name: TACACS
              attribute_name: User
              operator: equals
              attribute_value: User3
            profile: Default Shell Profile
            command_sets:
              - DenyAllCommands

Location in GUI: Work Centers » Device Administration » Device Admin Policy Sets » XXX » Authorization Policy - Local Exceptions

Diagram

Classes

policy_sets (ise.device_administration)

Name	Type	Constraint	Mandatory	Default Value
authorization_exception_rules	List	`[authorization_exception_rules]`	No

authorization_exception_rules (ise.device_administration.policy_sets)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[\w\d_\-\. ]+$`	Yes
state	Choice	`enabled`, `disabled`, `monitor`	No	`enabled`
condition	Class	`[condition]`	No
profile	String		No
command_sets	List	String	No

condition (ise.device_administration.policy_sets.authorization_exception_rules)

Name	Type	Constraint	Mandatory	Default Value
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No	`false`
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.device_administration.policy_sets.authorization_exception_rules.condition)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.device_administration.policy_sets.authorization_exception_rules.condition.children)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No

Examples

ise:
  device_administration:
    policy_sets:
      - name: Global Policy
        authorization_exception_rules:
          - name: User3
            default: false
            state: enabled
            condition:
              type: ConditionAttributes
              is_negate: false
              dictionary_name: TACACS
              attribute_name: User
              operator: equals
              attribute_value: User3
            profile: Default Shell Profile
            command_sets:
              - DenyAllCommands

Location in GUI: Work Centers » Device Administration » Device Admin Policy Sets » XXX » Authorization Policy - Local Exceptions

Diagram

Classes

policy_sets (ise.device_administration)

Name	Type	Constraint	Mandatory	Default Value
authorization_exception_rules	List	`[authorization_exception_rules]`	No

authorization_exception_rules (ise.device_administration.policy_sets)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[\w\d_\-\. ]+$`	Yes
state	Choice	`enabled`, `disabled`, `monitor`	No	`enabled`
condition	Class	`[condition]`	No
profile	String		No
command_sets	List	String	No

condition (ise.device_administration.policy_sets.authorization_exception_rules)

Name	Type	Constraint	Mandatory	Default Value
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No	`false`
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.device_administration.policy_sets.authorization_exception_rules.condition)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.device_administration.policy_sets.authorization_exception_rules.condition.children)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No

Examples

ise:
  device_administration:
    policy_sets:
      - name: Global Policy
        authorization_exception_rules:
          - name: User3
            default: false
            state: enabled
            condition:
              type: ConditionAttributes
              is_negate: false
              dictionary_name: TACACS
              attribute_name: User
              operator: equals
              attribute_value: User3
            profile: Default Shell Profile
            command_sets:
              - DenyAllCommands

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[\w\d\_\-\. \(\)]+$`	Yes
state	Choice	`enabled`, `disabled`, `monitor`	No	`enabled`
condition	Class	`[condition]`	No
profile	String		No
command_sets	List	String	No