Skip to content
Network as Code

Policy Set

Location in GUI: Work Centers » Device Administration » Device Admin Policy Sets

Diagram

Section titled “Diagram”
Diagram

Classes

Section titled “Classes”

policy_sets (ise.device_administration)

Section titled “policy_sets (ise.device_administration)”
NameTypeConstraintMandatoryDefault Value
nameStringRegex: ^[\w\d_\-\. ]+$No
descriptionStringNo
stateChoiceenabled, disabled, monitorNoenabled
conditionClass[condition]No
is_proxyBooleantrue, falseNofalse
service_nameStringYes

condition (ise.device_administration.policy_sets)

Section titled “condition (ise.device_administration.policy_sets)”
NameTypeConstraintMandatoryDefault Value
typeChoiceConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlockYes
is_negateBooleantrue, falseNofalse
dictionary_nameStringNo
attribute_nameStringNo
operatorChoicecontains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWithNo
attribute_valueStringNo
nameStringNo
childrenList[children]No

children (ise.device_administration.policy_sets.condition)

Section titled “children (ise.device_administration.policy_sets.condition)”
NameTypeConstraintMandatoryDefault Value
typeChoiceConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlockYes
is_negateBooleantrue, falseNo
dictionary_nameStringNo
attribute_nameStringNo
operatorChoicecontains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWithNo
attribute_valueStringNo
nameStringNo
childrenList[children]No

children (ise.device_administration.policy_sets.condition.children)

Section titled “children (ise.device_administration.policy_sets.condition.children)”
NameTypeConstraintMandatoryDefault Value
typeChoiceConditionReference, ConditionAttributesYes
is_negateBooleantrue, falseNo
dictionary_nameStringNo
attribute_nameStringNo
operatorChoicecontains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWithNo
attribute_valueStringNo
nameStringNo

Examples

Section titled “Examples”

Example-1 Adding a new Policy Set

This example defines a global device administration policy set within Cisco ISE. It creates a policy named “Global Policy” that is enabled. The policy applies to all devices where the “Location” attribute in the “DEVICE” dictionary equals “All Locations,” effectively targeting all device locations. The policy uses the “Device Profile 1” profile to govern device administration access and authorization for matching devices.

ise:
  device_administration:
    policy_sets:
      - name: Global Policy
        description: Global policy
        state: enabled
        is_proxy: false
        condition:
          type: ConditionAttributes
          is_negate: false
          dictionary_name: DEVICE
          attribute_name: Location
          operator: equals
          attribute_value: All Locations
        service_name: Device Profile 1

Example-2 Adding Multiple Policy Sets

This example demonstrates how to configure multiple device administration policy sets within a single configuration. Each policy set has distinct criteria and applies different device administration services. The first policy set, “Global Policy,” targets all device locations and applies “Device Profile 1.” The second policy set, “User 1 Policy,” specifically controls access for a user named “User 1” based on the “UserName” attribute in the Network Access dictionary, applying “Device Profile 2.” This approach allows granular control over device administration policies by defining multiple sets with different conditions and services.

ise:
  device_administration:
    policy_sets:
      - name: Global Policy
        description: Global policy
        state: enabled
        is_proxy: false
        condition:
          type: ConditionAttributes
          is_negate: false
          dictionary_name: DEVICE
          attribute_name: Location
          operator: equals
          attribute_value: All Locations
        service_name: Device Profile 1
      - name: User 1 Policy
        description: Policy Set to control User 1 access
        state: enabled
        is_proxy: false
        condition:
          type: ConditionAttributes
          is_negate: false
          dictionary_name: Network Access
          attribute_name: UserName
          operator: equals
          attribute_value: User 1
        service_name: Device Profile 2

Location in GUI: Work Centers » Device Administration » Device Admin Policy Sets

Diagram

Section titled “Diagram”
Diagram

Classes

Section titled “Classes”

policy_sets (ise.device_administration)

Section titled “policy_sets (ise.device_administration)”
NameTypeConstraintMandatoryDefault Value
nameStringRegex: ^[\w\d_\-\. ]+$No
descriptionStringNo
stateChoiceenabled, disabled, monitorNoenabled
conditionClass[condition]No
is_proxyBooleantrue, falseNofalse
service_nameStringYes

condition (ise.device_administration.policy_sets)

Section titled “condition (ise.device_administration.policy_sets)”
NameTypeConstraintMandatoryDefault Value
typeChoiceConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlockYes
is_negateBooleantrue, falseNofalse
dictionary_nameStringNo
attribute_nameStringNo
operatorChoicecontains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWithNo
attribute_valueStringNo
nameStringNo
childrenList[children]No

children (ise.device_administration.policy_sets.condition)

Section titled “children (ise.device_administration.policy_sets.condition)”
NameTypeConstraintMandatoryDefault Value
typeChoiceConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlockYes
is_negateBooleantrue, falseNo
dictionary_nameStringNo
attribute_nameStringNo
operatorChoicecontains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWithNo
attribute_valueStringNo
nameStringNo
childrenList[children]No

children (ise.device_administration.policy_sets.condition.children)

Section titled “children (ise.device_administration.policy_sets.condition.children)”
NameTypeConstraintMandatoryDefault Value
typeChoiceConditionReference, ConditionAttributesYes
is_negateBooleantrue, falseNo
dictionary_nameStringNo
attribute_nameStringNo
operatorChoicecontains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWithNo
attribute_valueStringNo
nameStringNo

Examples

Section titled “Examples”
ise:
  device_administration:
    policy_sets:
      - name: Global Policy
        default: false
        description: Global policy
        state: enabled
        condition:
          type: ConditionAttributes
          is_negate: false
          dictionary_name: DEVICE
          attribute_name: Location
          operator: equals
          dictionary_value: null
          attribute_value: All Locations
        service_name: Default Device Admin

Location in GUI: Work Centers » Device Administration » Device Admin Policy Sets

Diagram

Section titled “Diagram”
Diagram

Classes

Section titled “Classes”

policy_sets (ise.device_administration)

Section titled “policy_sets (ise.device_administration)”
NameTypeConstraintMandatoryDefault Value
nameStringRegex: ^[\w\d_\-\. ]+$No
descriptionStringNo
stateChoiceenabled, disabled, monitorNoenabled
conditionClass[condition]No
is_proxyBooleantrue, falseNofalse
service_nameStringYes

condition (ise.device_administration.policy_sets)

Section titled “condition (ise.device_administration.policy_sets)”
NameTypeConstraintMandatoryDefault Value
typeChoiceConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlockYes
is_negateBooleantrue, falseNofalse
dictionary_nameStringNo
attribute_nameStringNo
operatorChoicecontains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWithNo
attribute_valueStringNo
nameStringNo
childrenList[children]No

children (ise.device_administration.policy_sets.condition)

Section titled “children (ise.device_administration.policy_sets.condition)”
NameTypeConstraintMandatoryDefault Value
typeChoiceConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlockYes
is_negateBooleantrue, falseNo
dictionary_nameStringNo
attribute_nameStringNo
operatorChoicecontains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWithNo
attribute_valueStringNo
nameStringNo
childrenList[children]No

children (ise.device_administration.policy_sets.condition.children)

Section titled “children (ise.device_administration.policy_sets.condition.children)”
NameTypeConstraintMandatoryDefault Value
typeChoiceConditionReference, ConditionAttributesYes
is_negateBooleantrue, falseNo
dictionary_nameStringNo
attribute_nameStringNo
operatorChoicecontains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWithNo
attribute_valueStringNo
nameStringNo

Examples

Section titled “Examples”
ise:
  device_administration:
    policy_sets:
      - name: Global Policy
        default: false
        description: Global policy
        state: enabled
        condition:
          type: ConditionAttributes
          is_negate: false
          dictionary_name: DEVICE
          attribute_name: Location
          operator: equals
          dictionary_value: null
          attribute_value: All Locations
        service_name: Default Device Admin

Location in GUI: Work Centers » Device Administration » Device Admin Policy Sets

Diagram

Section titled “Diagram”
Diagram

Classes

Section titled “Classes”

policy_sets (ise.device_administration)

Section titled “policy_sets (ise.device_administration)”
NameTypeConstraintMandatoryDefault Value
nameStringRegex: ^[\w\d_\-\. ]+$No
descriptionStringNo
stateChoiceenabled, disabled, monitorNoenabled
conditionClass[condition]No
is_proxyBooleantrue, falseNofalse
service_nameStringYes

condition (ise.device_administration.policy_sets)

Section titled “condition (ise.device_administration.policy_sets)”
NameTypeConstraintMandatoryDefault Value
typeChoiceConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlockYes
is_negateBooleantrue, falseNofalse
dictionary_nameStringNo
attribute_nameStringNo
operatorChoicecontains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWithNo
attribute_valueStringNo
nameStringNo
childrenList[children]No

children (ise.device_administration.policy_sets.condition)

Section titled “children (ise.device_administration.policy_sets.condition)”
NameTypeConstraintMandatoryDefault Value
typeChoiceConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlockYes
is_negateBooleantrue, falseNo
dictionary_nameStringNo
attribute_nameStringNo
operatorChoicecontains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWithNo
attribute_valueStringNo
nameStringNo
childrenList[children]No

children (ise.device_administration.policy_sets.condition.children)

Section titled “children (ise.device_administration.policy_sets.condition.children)”
NameTypeConstraintMandatoryDefault Value
typeChoiceConditionReference, ConditionAttributesYes
is_negateBooleantrue, falseNo
dictionary_nameStringNo
attribute_nameStringNo
operatorChoicecontains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWithNo
attribute_valueStringNo
nameStringNo

Examples

Section titled “Examples”
ise:
  device_administration:
    policy_sets:
      - name: Global Policy
        default: false
        description: Global policy
        state: enabled
        condition:
          type: ConditionAttributes
          is_negate: false
          dictionary_name: DEVICE
          attribute_name: Location
          operator: equals
          dictionary_value: null
          attribute_value: All Locations
        service_name: Default Device Admin