Authorization Rule

Location in GUI: Work Centers » Network Access » Policy Sets » XXX » Authorization Policy

Diagram

Classes

policy_sets (ise.network_access)

Name	Type	Constraint	Mandatory	Default Value
authorization_rules	List	`[authorization_rules]`	No

authorization_rules (ise.network_access.policy_sets)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[\w\d_\-\. ]+$`	Yes
state	Choice	`enabled`, `disabled`	No	`enabled`
condition	Class	`[condition]`	No
profiles	List	String	No
security_group	String		No

condition (ise.network_access.policy_sets.authorization_rules)

Name	Type	Constraint	Mandatory	Default Value
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No	`false`
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`, `macContains`, `macEndsWith`, `macEquals`, `macIn`, `macNotContains`, `macNotEndsWith`, `macNotEquals`, `macNotIn`, `macNotStartsWith`, `macStartsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.network_access.policy_sets.authorization_rules.condition)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`, `macContains`, `macEndsWith`, `macEquals`, `macIn`, `macNotContains`, `macNotEndsWith`, `macNotEquals`, `macNotIn`, `macNotStartsWith`, `macStartsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.network_access.policy_sets.authorization_rules.condition.children)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`, `macContains`, `macEndsWith`, `macEquals`, `macIn`, `macNotContains`, `macNotEndsWith`, `macNotEquals`, `macNotIn`, `macNotStartsWith`, `macStartsWith`	No
attribute_value	String		No
name	String		No

Examples

Example1: Office_Clients authorization rule

This example demonstrates how to configure an authorization rule under the policy_set Global Policy. The authorization rule name is Office_Clients. It uses the AD Join Point AD_Join to query the endpoint, and if the endpoint is part of the AD group ciscolab.local/Users/DC1, then the authorization profile Office_Clients_Profile and the security group Office_Clients_SGT are applied.

ise:
  network_access:
    policy_sets:
      - name: Global Policy
        authorization_rules:
          - name: Office_Clients
            state: enabled
            condition:
              type: ConditionAttributes
              dictionary_name: AD_Join
              attribute_name: ExternalGroups
              operator: equals
              attribute_value: ciscolab.local/Users/DC1
            profiles:
              - Office_Clients_Profile
            security_group: Office_Clients_SGT