12-15
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 12 Administering External User Databases
Database Group Mappings
Group Mapping Order
Cisco Secure ACS always maps users to a single Cisco Secure ACS group, yet a
user can belong to more than one group set mapping. For example, a user, John,
could be a member of the group combination Engineering and California, and at
the same time be a member of the group combination Engineering and Managers.
If there are Cisco Secure ACS group set mappings for both these combinations,
Cisco Secure ACS has to determine to which group John should be assigned.
Cisco Secure ACS prevents conflicting group set mappings by assigning a
mapping order to the group set mappings. When a user authenticated by an
external user database is to be assigned to a Cisco Secure ACS group,
Cisco Secure ACS starts at the top of the list of group mappings for that database.
Cisco Secure ACS checks the user group memberships in the external user
database against each group mapping in the list sequentially. Upon finding the
first group set mapping that matches the external user database group
memberships of the user, Cisco Secure ACS assigns the user to the
Cisco Secure ACS group of that group mapping and terminates the mapping
process.
Clearly, the order of group mappings is important because it affects the network
access and services allowed to users. When defining mappings for users who
belong to multiple groups, make sure they are in the correct order so that users are
granted the correct group settings.
For example, a user, Mary, is assigned to the three-group combination of
Engineering, Marketing, and Managers. Mary should be granted the privileges of
a manager rather than an engineer. Mapping A assigns users who belong to all
three groups Mary is in to Cisco Secure ACS Group 2. Mapping B assigns users
who belong to the Engineering and Marketing groups to Cisco Secure ACS
Group 1. If Mapping B is listed first, Cisco Secure ACS matches Mary against
Mapping B first and assigns her to Group 1, rather than to Group 2 as a manager
should be.
No Access Group for Group Set Mappings
To prevent remote access for users assigned a group by a particular group set
mapping, assign the group to the Cisco Secure ACS No Access group. For
example, you could assign all members of an external user database group
“Contractors” to the No Access group so they could not dial in to the network
remotely.
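As an added illustration, not taken from the Cisco guide, the following Python models the first-match walk through an ordered mapping list described above, replays the Mary scenario with the two mappings in both orders, and includes a "Contractors" mapping to the No Access group. The class and function names (GroupSetMapping, resolve_acs_group, shadowed_mappings) are my own, the user group memberships are constructed sample data, and the behaviour when no mapping matches is not described on this page, so the model simply returns None in that case.

```python
from typing import Iterable, List, Optional, Sequence, Tuple

# The Cisco Secure ACS group that denies remote access.
NO_ACCESS = "No Access"


class GroupSetMapping:
    """One group set mapping: the external groups a user must belong to
    (all of them) and the Cisco Secure ACS group assigned on a match."""

    def __init__(self, name: str, external_groups: Iterable[str], acs_group: str):
        self.name = name
        self.external_groups = frozenset(external_groups)
        self.acs_group = acs_group

    def matches(self, user_groups: Iterable[str]) -> bool:
        # A mapping matches when the user is a member of every group in its set;
        # extra memberships the user has do not prevent the match.
        return self.external_groups <= frozenset(user_groups)


def resolve_acs_group(
    user_groups: Iterable[str], mappings: Sequence[GroupSetMapping]
) -> Optional[Tuple[str, str]]:
    """Walk the mapping list from the top; the first match wins and the
    search stops. Returns (mapping name, ACS group) or None if nothing matches
    (the no-match case is not covered by the page; None is an assumption)."""
    for mapping in mappings:
        if mapping.matches(user_groups):
            return mapping.name, mapping.acs_group
    return None


def shadowed_mappings(mappings: Sequence[GroupSetMapping]) -> List[Tuple[str, str]]:
    """Configuration check: report (shadowed, shadowing) pairs where an earlier
    mapping's group set is a subset of a later mapping's set. Every user who
    matches the later mapping also matches the earlier one, so the later,
    more specific mapping can never be selected. This is the general form of
    the Mary problem: a broad mapping listed above a narrower one."""
    found = []
    for later_index, later in enumerate(mappings):
        for earlier in mappings[:later_index]:
            if earlier.external_groups <= later.external_groups:
                found.append((later.name, earlier.name))
                break  # one shadowing mapping is enough to report
    return found


# Constructed sample configuration mirroring the text.
MAPPING_A = GroupSetMapping("A", {"Engineering", "Marketing", "Managers"}, "Group 2")
MAPPING_B = GroupSetMapping("B", {"Engineering", "Marketing"}, "Group 1")
CONTRACTORS = GroupSetMapping("Contractors", {"Contractors"}, NO_ACCESS)

ORDER_A_FIRST = [MAPPING_A, MAPPING_B, CONTRACTORS]
ORDER_B_FIRST = [MAPPING_B, MAPPING_A, CONTRACTORS]

# Constructed user memberships.
MARY = {"Engineering", "Marketing", "Managers"}
CONTRACT_ENGINEER = {"Contractors", "Engineering"}


if __name__ == "__main__":
    print("Mary, A first:", resolve_acs_group(MARY, ORDER_A_FIRST))
    print("Mary, B first:", resolve_acs_group(MARY, ORDER_B_FIRST))
    print("Shadowed in B-first order:", shadowed_mappings(ORDER_B_FIRST))
    print("Contract engineer:", resolve_acs_group(CONTRACT_ENGINEER, ORDER_A_FIRST))
```

Running the shadowing check before saving a mapping list catches the mis-ordering the text warns about without needing a test user for every combination. The same first-match rule also applies to a No Access mapping: a contractor who is also in Engineering and Marketing would hit Mapping B before the Contractors mapping in either order above, so a deny mapping only takes effect for users that no earlier mapping matches.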