
Authorization Rule

Location in GUI: Work Centers » Device Administration » Device Admin Policy Sets » XXX » Authorization Policy

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| authorization_rules | List[authorization_rules] | | No | |

authorization_rules (ise.device_administration.policy_sets)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: `^[\w\d\_\-\. \(\)]+$` | Yes | |
| state | Choice | enabled, disabled, monitor | No | enabled |
| condition | Class[condition] | | No | |
| profile | String | | No | |
| command_sets | List[String] | | No | |

condition (ise.device_administration.policy_sets.authorization_rules)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | false |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
| children | List[children] | | No | |

children (ise.device_administration.policy_sets.authorization_rules.condition)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
| children | List[children] | | No | |

children (ise.device_administration.policy_sets.authorization_rules.condition.children)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes | Yes | |
| is_negate | Boolean | true, false | No | |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |

Example-1 Authorization Rule Allowing User1 with Show Command Access

This example defines an authorization rule in the “Global Policy” policy set of device administration for the user “User1”. The rule is enabled and matches when the TACACS dictionary attribute User equals “User1”. On a match, the session is assigned the “Default Shell Profile” and the command set “AllowShowCommands”, which (as its name indicates) permits only show commands. This is the usual pattern for giving a specific user read-only access to network devices: the shell profile governs the shell session itself (for example its privilege level), while the command set governs per-command authorization.

```yaml
ise:
  device_administration:
    policy_sets:
      - name: Global Policy
        authorization_rules:
          - name: AllowingUser1
            state: enabled
            condition:
              type: ConditionAttributes
              is_negate: false
              dictionary_name: TACACS
              attribute_name: User
              operator: equals
              attribute_value: User1
            profile: Default Shell Profile
            command_sets:
              - AllowShowCommands
```
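As an added example that is not part of the nac-ise project, the following Python script checks a policy set's authorization rules against the constraints stated in the tables above: the name regex, the allowed states, the condition types permitted at each nesting level (blocks only in the first two levels, leaf conditions only in the third), the operator list, and the attributes a ConditionAttributes node needs. It is the kind of pre-commit lint a repository holding this YAML would run before the data is pushed to ISE. To avoid depending on a YAML library it works on plain dicts that mirror the YAML; the sample data is Example-1 transcribed to a dict plus a deliberately broken rule constructed for the example, and the "catch-all" warning for an enabled rule without a condition is this lint's own policy.

```python
import re

# Constraints transcribed from the schema tables on this page. This is example
# code, not part of the nac-ise project; rules are plain dicts mirroring the YAML.
NAME_RE = re.compile(r"^[\w\d\_\-\. \(\)]+$")
STATES = {"enabled", "disabled", "monitor"}
BLOCK_TYPES = {"ConditionAndBlock", "ConditionOrBlock"}
LEAF_TYPES = {"ConditionReference", "ConditionAttributes"}
OPERATORS = {
    "contains", "endsWith", "equals", "greaterOrEquals", "greaterThan", "in",
    "ipEquals", "ipGreaterThan", "ipLessThan", "ipNotEquals", "lessOrEquals",
    "lessThan", "matches", "notContains", "notEndsWith", "notEquals", "notIn",
    "notStartsWith", "startsWith", "macContains", "macEndsWith", "macEquals",
    "macIn", "macNotContains", "macNotEndsWith", "macNotEquals", "macNotIn",
    "macNotStartsWith", "macStartsWith",
}
# condition -> children -> children is the deepest level the schema defines, and
# at that last level only ConditionReference / ConditionAttributes are allowed.
MAX_DEPTH = 3


def lint_condition(cond, path, depth=1):
    """Return the problems found in one condition node and everything below it."""
    problems = []
    ctype = cond.get("type")
    allowed = (BLOCK_TYPES | LEAF_TYPES) if depth < MAX_DEPTH else LEAF_TYPES
    if ctype not in allowed:
        problems.append(f"{path}: type {ctype!r} is not allowed at depth {depth}")
        return problems
    if ctype == "ConditionAttributes":
        for key in ("dictionary_name", "attribute_name", "operator", "attribute_value"):
            if not cond.get(key):
                problems.append(f"{path}: ConditionAttributes is missing {key}")
        if cond.get("operator") and cond["operator"] not in OPERATORS:
            problems.append(f"{path}: unknown operator {cond['operator']!r}")
    elif ctype == "ConditionReference":
        if not cond.get("name"):
            problems.append(f"{path}: ConditionReference needs the name of a library condition")
    else:
        children = cond.get("children") or []
        if not children:
            # An empty And block matches everything, an empty Or block nothing:
            # either way the author almost certainly forgot something.
            problems.append(f"{path}: {ctype} has no children")
        for i, child in enumerate(children):
            problems += lint_condition(child, f"{path}.children[{i}]", depth + 1)
    return problems


def lint_policy_set(policy_set):
    """Lint every authorization rule of one device administration policy set."""
    problems = []
    for i, rule in enumerate(policy_set.get("authorization_rules", [])):
        path = f"{policy_set.get('name')}.authorization_rules[{i}]"
        name = rule.get("name") or ""
        if not NAME_RE.match(name):
            problems.append(f"{path}: name {name!r} violates the name regex")
        state = rule.get("state", "enabled")
        if state not in STATES:
            problems.append(f"{path}: state {state!r} is not enabled/disabled/monitor")
        if "condition" in rule:
            problems += lint_condition(rule["condition"], f"{path}.condition")
        elif state == "enabled":
            # Nothing restricts whom an unconditioned rule applies to.
            problems.append(f"{path}: enabled rule without a condition matches every request")
    return problems


# Constructed input: Example-1 from this page, transcribed to a dict.
GOOD_POLICY_SET = {"name": "Global Policy", "authorization_rules": [{
    "name": "AllowingUser1", "state": "enabled",
    "condition": {"type": "ConditionAttributes", "is_negate": False,
                  "dictionary_name": "TACACS", "attribute_name": "User",
                  "operator": "equals", "attribute_value": "User1"},
    "profile": "Default Shell Profile", "command_sets": ["AllowShowCommands"],
}]}

# Constructed input with three defects: a slash in the rule name, a block at the
# third level (where only leaf conditions are allowed) and an unknown operator.
BAD_POLICY_SET = {"name": "Global Policy", "authorization_rules": [{
    "name": "ops/admins",
    "condition": {"type": "ConditionAndBlock", "children": [
        {"type": "ConditionOrBlock", "children": [
            {"type": "ConditionAndBlock", "children": []},
            {"type": "ConditionAttributes", "dictionary_name": "TACACS", "attribute_name": "User",
             "operator": "like", "attribute_value": "admin"}]}]},
    "profile": "Default Shell Profile", "command_sets": ["PermitAllCommands"],
}]}

if __name__ == "__main__":
    for label, policy_set in (("good", GOOD_POLICY_SET), ("bad", BAD_POLICY_SET)):
        print(label, lint_policy_set(policy_set) or "OK")
```

Run it as a script and the good policy set reports OK while the bad one lists the three defects with their YAML paths. The nesting check is the one that matters most in practice: the ISE API silently accepts only the shapes the tables allow, so catching a block three levels deep before deployment saves a failed push.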

Example-2 Device Administration Authorization Rule with OR Condition for Identity Groups

This example shows an authorization rule whose condition is a ConditionOrBlock with two ConditionAttributes children, each testing IdentityGroup:Name with the equals operator. The rule matches when the user belongs to either the “Employee” or the “RegisteredDevices” identity group; a ConditionAndBlock in the same place would instead require both. On a match the user receives the “Default Shell Profile” and the “AllowShowCommands” command set. Each child can carry its own is_negate, and blocks can nest one level further, with the restriction from the tables above that children of children may only be ConditionReference or ConditionAttributes.

```yaml
ise:
  device_administration:
    policy_sets:
      - name: Global Policy
        authorization_rules:
          - name: AuthorizationGroup
            state: enabled
            condition:
              type: ConditionOrBlock
              children:
                - type: ConditionAttributes
                  is_negate: false
                  dictionary_name: IdentityGroup
                  attribute_name: Name
                  operator: equals
                  attribute_value: Employee
                - type: ConditionAttributes
                  is_negate: false
                  dictionary_name: IdentityGroup
                  attribute_name: Name
                  operator: equals
                  attribute_value: RegisteredDevices
            profile: Default Shell Profile
            command_sets:
              - AllowShowCommands
```
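To show how the condition tree is evaluated and why rule order matters, here is an added Python example (not ISE or nac-ise code) that evaluates ConditionAttributes, ConditionAndBlock and ConditionOrBlock nodes, including is_negate, against the attributes of one TACACS+ request and then applies ISE's first-match, top-down rule selection. The request attributes, the second rule DenyUser1, the handling of multi-valued attributes and the subset of operators implemented are all constructed for the example; ConditionReference is not resolved because library conditions are defined outside this page.

```python
import re

# Added example, not ISE or nac-ise code: evaluate the rules' condition trees
# against one TACACS+ request and pick the rule ISE would apply (first match,
# top-down). Only the string operators listed here are implemented.
POSITIVE_OPS = {
    "equals": lambda have, want: have == want,
    "contains": lambda have, want: want in have,
    "startsWith": lambda have, want: have.startswith(want),
    "endsWith": lambda have, want: have.endswith(want),
    "matches": lambda have, want: re.fullmatch(want, have) is not None,
}
# Assumption of this example: a negative operator holds when no value of the
# attribute satisfies the positive form (this matters for multi-valued
# attributes such as identity group membership).
NEGATED_OPS = {"notEquals": "equals", "notContains": "contains",
               "notStartsWith": "startsWith", "notEndsWith": "endsWith"}


def leaf_matches(cond, attrs):
    """ConditionAttributes: true if any value of (dictionary, attribute) satisfies the operator."""
    values = attrs.get((cond["dictionary_name"], cond["attribute_name"]), [])
    if isinstance(values, str):
        values = [values]
    op, want = cond["operator"], cond["attribute_value"]
    if op in NEGATED_OPS:
        return not any(POSITIVE_OPS[NEGATED_OPS[op]](v, want) for v in values)
    return any(POSITIVE_OPS[op](v, want) for v in values)


def evaluate(cond, attrs):
    """Recursively evaluate a condition node; is_negate inverts that node's own result."""
    ctype = cond["type"]
    if ctype == "ConditionAttributes":
        result = leaf_matches(cond, attrs)
    elif ctype == "ConditionAndBlock":
        result = all(evaluate(c, attrs) for c in cond.get("children", []))  # all([]) is True
    elif ctype == "ConditionOrBlock":
        result = any(evaluate(c, attrs) for c in cond.get("children", []))  # any([]) is False
    else:  # ConditionReference: library conditions live elsewhere and are not resolved here
        raise ValueError(f"cannot evaluate {ctype} {cond.get('name')!r}")
    return (not result) if cond.get("is_negate") else result


def first_match(rules, attrs):
    """Return (rule name, shell profile, command sets) of the first enabled rule whose
    condition holds, or None, in which case ISE falls through to the policy set's
    default rule. Disabled rules are skipped; monitor rules are logged but not
    applied by ISE, so they are skipped here as well."""
    for rule in rules:
        if rule.get("state", "enabled") != "enabled":
            continue
        cond = rule.get("condition")
        if cond is None or evaluate(cond, attrs):
            return rule["name"], rule.get("profile"), list(rule.get("command_sets", []))
    return None


# Rule 1 is Example-2 from this page; rule 2 (DenyUser1) is constructed for the example.
RULES = [
    {"name": "AuthorizationGroup", "state": "enabled",
     "condition": {"type": "ConditionOrBlock", "children": [
         {"type": "ConditionAttributes", "is_negate": False, "dictionary_name": "IdentityGroup",
          "attribute_name": "Name", "operator": "equals", "attribute_value": "Employee"},
         {"type": "ConditionAttributes", "is_negate": False, "dictionary_name": "IdentityGroup",
          "attribute_name": "Name", "operator": "equals", "attribute_value": "RegisteredDevices"}]},
     "profile": "Default Shell Profile", "command_sets": ["AllowShowCommands"]},
    {"name": "DenyUser1", "state": "enabled",
     "condition": {"type": "ConditionAttributes", "dictionary_name": "TACACS",
                   "attribute_name": "User", "operator": "equals", "attribute_value": "User1"},
     "profile": "Default Shell Profile", "command_sets": ["DenyAllCommands"]},
]

# Constructed TACACS+ requests, keyed by (dictionary, attribute) as written in the YAML.
USER1_REGISTERED = {("TACACS", "User"): "User1",
                    ("IdentityGroup", "Name"): ["RegisteredDevices", "Contractors"]}
USER3_GUEST = {("TACACS", "User"): "User3", ("IdentityGroup", "Name"): ["Guest"]}

if __name__ == "__main__":
    print(first_match(RULES, USER1_REGISTERED))                   # AuthorizationGroup wins
    print(first_match(list(reversed(RULES)), USER1_REGISTERED))   # swap the order: DenyUser1 wins
    print(first_match(RULES, USER3_GUEST))                        # None: default rule applies
```

The second call is the point to take away: User1 is in RegisteredDevices, so with the rules in the order shown the OR rule matches first and User1 gets show commands, and the DenyAllCommands rule below it is dead. Reversing the list makes the deny rule win. When a restrictive rule is meant to override a broader group-based rule, it has to be placed above it in the list.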

Example-3 Authorization Rule Denying All Commands for User1

This example is the counterpart of Example-1: the same condition, TACACS attribute User equals “User1”, but the rule attaches the “DenyAllCommands” command set. User1 is still assigned the “Default Shell Profile”, so a shell session can be established, while every command submitted in it is rejected by command authorization. Because ISE applies the first enabled rule whose condition matches, a rule like this only takes effect if it is placed above any more permissive rule that the same user would also match.

```yaml
ise:
  device_administration:
    policy_sets:
      - name: Global Policy
        authorization_rules:
          - name: User1
            default: false
            state: enabled
            condition:
              type: ConditionAttributes
              is_negate: false
              dictionary_name: TACACS
              attribute_name: User
              operator: equals
              attribute_value: User1
            profile: Default Shell Profile
            command_sets:
              - DenyAllCommands
```
