When using ClearPass with TACACS, there is an "aruba:common" dictionary attribute called "Aruba-Admin-Role".
Those roles are pre-configured on the Controllers [i.e. root, read-only, guest-provisioning, etc.].
The specific value that would likely fit your scenario would be: "network-operations".
You would need to configure that TACACS VSA as a part of your Enforcement Profile that is triggered for those helpdesk users.
------------------------------
Zak Chalupka
Principal Engineer - HPE Aruba
ACDX | ACMP | ACSP | ACCP
wifizak@hpe.com
------------------------------
Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
------------------------------
Original Message:
Sent: Feb 27, 2024 04:02 PM
From: cscottrun
Subject: Granular permissions to Mobility Conductor/Controllers
Hello,
With Mobility Conductor/Controllers running 8.10.0.9, and ClearPass 6.11.7 for TACACS, we are granting read-only permission for our PC technicians and helpdesk staff for troubleshooting WiFi connectivity on the controllers.
I would like to make it possible for those users to remove clients from the denylist/blacklist, without giving them full administrative rights. Is it possible to give granular access for specific commands?
If not - would there be a creative way to do this with an API on a standalone web page, or something along those lines?