Location in GUI: Work Centers » Network Access » Policy Sets » XXX » Authorization Policy

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| authorization_rules | List | [authorization_rules] | No | |


| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: `^[\w\d_\-\. ]+$` | Yes | |
| state | Choice | enabled, disabled | No | enabled |
| condition | Class | [condition] | No | |
| profiles | List | String | No | |
| security_group | String | | No | |


| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | false |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
| children | List | [children] | No | |


| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
| children | List | [children] | No | |


| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes | Yes | |
| is_negate | Boolean | true, false | No | |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |

Example 1: Office_Clients authorization rule
This example demonstrates how to configure an authorization rule under the policy_set Global Policy. The authorization rule name is Office_Clients. It uses the AD Join Point AD_Join to query the endpoint, and if the endpoint is part of the AD group ciscolab.local/Users/DC1, then the authorization profile Office_Clients_Profile and the security group Office_Clients_SGT are applied.
type: ConditionAttributes
attribute_name: ExternalGroups
attribute_value: ciscolab.local/Users/DC1
security_group: Office_Clients_SGT
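
A pre-deployment check for the constraints in the tables above, as an added Python example (not part of the original page or the project's own tooling). The function and constant names are hypothetical, and the `dictionary_name: AD_Join` and `operator: equals` values in the sample rule are assumptions based on the Example 1 description, which does not show them.

```python
import re

# Constraints copied from the data-model tables on this page.
NAME_RE = re.compile(r"^[\w\d_\-\. ]+$")
STATES = {"enabled", "disabled"}
LEAF_TYPES = {"ConditionReference", "ConditionAttributes"}
BLOCK_TYPES = {"ConditionAndBlock", "ConditionOrBlock"}
OPERATORS = set("""contains endsWith equals greaterOrEquals greaterThan in ipEquals
ipGreaterThan ipLessThan ipNotEquals lessOrEquals lessThan matches notContains
notEndsWith notEquals notIn notStartsWith startsWith macContains macEndsWith
macEquals macIn macNotContains macNotEndsWith macNotEquals macNotIn
macNotStartsWith macStartsWith""".split())
MAX_DEPTH = 2  # condition -> children -> children; the last level is leaf-only

def check_condition(cond, path="condition", depth=0):
    errors = []
    allowed = LEAF_TYPES if depth == MAX_DEPTH else LEAF_TYPES | BLOCK_TYPES
    if cond.get("type") not in allowed:
        errors.append(f"{path}.type: {cond.get('type')!r} not allowed at this level")
    if "operator" in cond and cond["operator"] not in OPERATORS:
        errors.append(f"{path}.operator: {cond['operator']!r} is not a listed operator")
    if not isinstance(cond.get("is_negate", False), bool):
        errors.append(f"{path}.is_negate: must be true or false")
    children = cond.get("children", [])
    if children and depth == MAX_DEPTH:
        return errors + [f"{path}.children: no deeper nesting is defined"]
    for i, child in enumerate(children):
        errors += check_condition(child, f"{path}.children[{i}]", depth + 1)
    return errors

def validate_rule(rule):
    # Check one authorization_rules entry; an empty list means it conforms.
    name = rule.get("name")
    errors = check_condition(rule["condition"]) if "condition" in rule else []
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        errors.append(f"name: {name!r} is missing or fails {NAME_RE.pattern}")
    if rule.get("state", "enabled") not in STATES:
        errors.append(f"state: {rule['state']!r} must be enabled or disabled")
    return errors

# Example 1 from this page; dictionary_name and operator values are assumptions.
OFFICE_CLIENTS = {
    "name": "Office_Clients",
    "condition": {"type": "ConditionAttributes", "dictionary_name": "AD_Join",
                  "attribute_name": "ExternalGroups", "operator": "equals",
                  "attribute_value": "ciscolab.local/Users/DC1"},
    "profiles": ["Office_Clients_Profile"], "security_group": "Office_Clients_SGT",
}
```

Running `validate_rule` over every rule before a push catches a misspelled operator or an over-nested condition block before it reaches the authorization policy.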