Security

Hi

Would it be possible to create a ClearPass administrator with only read access to access tracker and read/write/delete permissions on the Endpoint Repository?

First part with Access tracker is easy, but is it possible to create granular access under the Configuration section and only allow access to the Endpoint Repository and not anything else?

Regards

Jonas Erlund Hammarbäck

Go to Administration> Users and Privileges> Admin privileges and import the attached file.

Create an admin user and Apply the imported privileges to the user.

EDIT:  Somehow I cannot attach an XML file.  Let me try to get that fixed.  Okay, change the attached filename extention from .txt to .xml before importing.

Attachment(s)

AdminPrivilegesendpointdb.txt   639 B 1 version

Thank you!

Works greate.

Regards

Jonas

Hi,

thats cool. Do you have an overview about the

 <AdminTask taskid="[VAR]">

commands?

I just want to allow the service desk to create local users. Would it be like that?

      <AdminTask taskid="con.id.lu">
        <AdminTaskAction type="RWD"/>
      </AdminTask>

for CONfigure -> IDentity -> Local Users?

Thx in advance.

Regards,

Dennis

Hi dbo

The information you need is now available in ClearPass Policy Manager 6.1 User Guide under section Administration\Custom Admin Privileges beginning on page 236.

Regards

Jonas

Hi Jonas,

Thx for your fast reply and help.

I just searched the user guide version 6.0...

Regards,

Dennis

Hi,

I know this is an old topic but does anyone know why I get the error message in the attached screenshot when logging in using these custom admin privleges? Normal admin account is fine.

ClearPass 6.3.1

Cheers

Chris

Did you create the XML file from scratch or export one of the pre-built roles and then change attributes?

@cjoseph

Thanks for this post, it was a quick and easy way how to create a profile for just EndpointsDB access. This was tied into AD USers / Group, for ease of providing access without giving admin rights. This was used specifically for provisioning phones / RAP's that use MAC Auth. 

Ok, I know this is a very old thread, but it seemed to be the right place to ask the question. We want to create a custom profile for the helpdesk to see the live monitor for radius, but NOT for TACACS. I know that we can restrict the "Accounting" tab from them, but the TACACS requests still show up in the live view. Is there a way to restrict this?

Thanks!

cjoseph, we are having the issue where we have created a custom admin account, but the custom admin account (who we need to create non admin accounts) is able to create "super admin" accounts. We only want the custom admin account to be able to create one account type.  Tried adjusting the view and privs but can't seem to figure it out.  Any thoughts?

I want to restric a specific user to be the admin for a specific service only. Is this doable ?

I read this thread and I am looking to do this as well but looking for admin priviledges for only read/write of onboarded devices.  I want the role to be able to removed onboarded devices and users from ClearPass Onboard.

Do you think you could help me out with this as well?

Thank you in advance.

David

In the operator profile, give the following privs:
- Delete Certificate: Full
- Manage Devices: Full
- Revoke Certificate: Full
- View Certificate: Read-Only

Be sure there is no filter enabled.

Thanks Tim will try this out>>

David