Security

  • 1.  CPPM - Operator Profiles

    Posted 7 days ago

    Scenario: 

    Site A has Technician A - they should only be able to see and add devices at Site A

    Site B has Technician B - they should only be able to see and add devices at Site B

    Then a network admin needs to view/edit devices at sites A and B, but not C, and so on... 

    My initial thoughts below - does anyone else have any suggestions: 

    This would then be integrated with local AD or Entra SSO, and each user will get an operator profile specific to the site they work at upon access to the CPPM GUI. The operator profile will have specific roles which they can assign to devices when they register a MAC address in CPPM Guest. Each user at each site will need to view all of the devices registered with the site-specific role name associated with that site: not only the devices registered by that user, but all devices registered by other users capable of adding devices at that site which have been given a site-specific role, e.g. Site A - Printer. A network admin who then registers devices at site A and site B can then see all devices registered at both sites, based on the roles they can assign.

    Does this sound like the right approach? If not, what would be an alternative using operator profiles? 



  • 2.  RE: CPPM - Operator Profiles

    Posted 5 days ago
    Edited by Lord 5 days ago

    In the Operator Login Profiles, you can specify the user roles that are permitted. You can set an operator filter. Additionally, you can configure permissions for various menu items in ClearPass Guest.


    In the following example, the operator would see guest devices that were created by operators using their profile and that use one of the enabled values as their user role.

    When using Device Edit or Device Create, they can also only use roles that have been activated in their profile.

    This becomes a problem when a super administrator from headquarters creates a device for Site A. The sponsor profile is always stored in the guest device; in this case, the field would also show "Super Administrator." As a result, the device would be invisible to the administrator from Site A using their operator profile.
    This can be resolved by enabling the `sponsor_name` field in the `mac_create` form. When creating the device, the super administrator has to enter the operator profile name for Site A in this field to make the device visible to Site A admins.

    Similarly, the `mac_edit` form can be modified to enable the `sponsor_name` field there.

    All you need to do is make sure that the operators are assigned to the correct profiles during login, for example by checking their AD group membership.


    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
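The visibility rule described in the reply above (a device is shown to an operator only when its stored sponsor profile matches the operator's own profile and its role is enabled in that profile, with `sponsor_name` on `mac_create` overriding the stored sponsor) can be worked through in a small model. The following Python is an added illustration written for this page, not ClearPass code; the profile names, role names and MAC addresses are constructed sample data, and the "unknown profile" check in `create_device` is this model's own addition rather than something the reply describes.

```python
"""Model of how ClearPass Guest device visibility follows operator profiles.

Added illustration, not ClearPass code. It assumes the behaviour described in
the reply above: a guest device records the operator (sponsor) profile that
created it, an operator only sees devices whose stored sponsor matches their
own profile and whose role is enabled in that profile, and a sponsor_name
entered on the mac_create form replaces the stored sponsor.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class OperatorProfile:
    """An operator login profile and the user roles it is permitted to assign."""
    name: str
    enabled_roles: FrozenSet[str]


@dataclass(frozen=True)
class GuestDevice:
    """A MAC-registered device as stored in ClearPass Guest (simplified)."""
    mac: str
    role: str
    sponsor_profile: str  # filled from the creating operator's profile


def create_device(creator: OperatorProfile, mac: str, role: str,
                  sponsor_name: Optional[str] = None,
                  known_profiles: Optional[FrozenSet[str]] = None) -> GuestDevice:
    """Model of mac_create: the creator may only use roles enabled in their
    profile; sponsor_name, if given, replaces the default sponsor."""
    if role not in creator.enabled_roles:
        raise PermissionError(f"{creator.name!r} may not assign role {role!r}")
    sponsor = sponsor_name or creator.name
    # Check added in this model (not described on the page): a mistyped
    # sponsor_name would leave the device invisible to every site profile,
    # so reject names that match no known operator profile.
    if known_profiles is not None and sponsor not in known_profiles:
        raise ValueError(f"unknown operator profile {sponsor!r}")
    return GuestDevice(mac=mac, role=role, sponsor_profile=sponsor)


def visible_devices(viewer: OperatorProfile,
                    devices: List[GuestDevice]) -> List[GuestDevice]:
    """Model of the operator filter: same sponsor profile and an enabled role."""
    return [d for d in devices
            if d.sponsor_profile == viewer.name and d.role in viewer.enabled_roles]


# Constructed sample profiles (names and roles are made up for this example).
SITE_A = OperatorProfile("Site A", frozenset({"Site A - Printer", "Site A - IoT"}))
SITE_B = OperatorProfile("Site B", frozenset({"Site B - Printer"}))
SUPER_ADMIN = OperatorProfile(
    "Super Administrator",
    frozenset({"Site A - Printer", "Site A - IoT", "Site B - Printer"}))
PROFILES = frozenset(p.name for p in (SITE_A, SITE_B, SUPER_ADMIN))


def scenario() -> Dict[str, List[str]]:
    """Walk through the headquarters-creates-a-Site-A-device case and return
    which MACs each profile can see."""
    devices = [
        # Site A technician registers a printer: sponsor becomes "Site A".
        create_device(SITE_A, "00:11:22:aa:aa:01", "Site A - Printer",
                      known_profiles=PROFILES),
        # HQ creates a Site A device without sponsor_name: sponsor is
        # "Super Administrator", so Site A operators will not see it.
        create_device(SUPER_ADMIN, "00:11:22:aa:aa:02", "Site A - Printer",
                      known_profiles=PROFILES),
        # HQ creates another one with sponsor_name set to the Site A profile.
        create_device(SUPER_ADMIN, "00:11:22:aa:aa:03", "Site A - Printer",
                      sponsor_name="Site A", known_profiles=PROFILES),
        create_device(SITE_B, "00:11:22:bb:bb:01", "Site B - Printer",
                      known_profiles=PROFILES),
    ]
    return {p.name: [d.mac for d in visible_devices(p, devices)]
            for p in (SITE_A, SITE_B, SUPER_ADMIN)}


if __name__ == "__main__":
    for profile, macs in scenario().items():
        print(f"{profile}: {macs}")
```

Running `scenario()` shows the Site A profile seeing its technician's device and the HQ device that was re-sponsored to "Site A", but not the HQ device created with the default sponsor. Under this simple same-profile filter the super administrator in turn no longer sees the device it re-sponsored; the reply notes that the operator filter is configurable, so a real deployment would widen that filter for headquarters profiles rather than rely on the default.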