Limiting privileges to Cisco ISE account

steven_luke
New Contributor

We're trying to restrict the privileges that a JSS account has that gives Cisco ISE access to seeing what a compliant computer looks like. To set this up, we're presented with this screen from the Cisco App.

When we grant it access to only Advanced Computer Searches, which is used to determine if a device is compliant or not, the Cisco app can't communicate with the JSS, giving us an error:

Connection Failed 403: Forbidden | The user account setup on the NotifyMDM server does not have the proper roles associated to it. Validate that the account being used by ISE is assigned the REST API MDM roles

Once we granted full read access it appears to be working, but we definitely want to limit what privileges this account has. Has anyone had experience with this and can recommend what privileges Cisco ISE requires from the JSS?

Thanks!


alexjdale
Valued Contributor III

All of our API accounts need access to read "Computers" as well as searches. The search is not useful if they can't access the data for the computers that the search returns.

This is not an ISE-specific response, but a general API answer.
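
An added example, not part of the thread and not Cisco or Jamf code: a least-privilege check that probes the JSS Classic API with the service account's credentials and reports which reads are denied and which are granted beyond the two objects named in the reply above. The endpoint-to-privilege mapping, the extra objects probed, HTTP Basic authentication, and the function names are assumptions to verify against your own JSS.

```python
import base64
import urllib.error
import urllib.request

# Classic API read endpoints per privilege object (assumed mapping; verify on your JSS).
ENDPOINTS = {
    "Advanced Computer Searches": "/JSSResource/advancedcomputersearches",
    "Computers": "/JSSResource/computers",
    "Mobile Devices": "/JSSResource/mobiledevices",
    "Policies": "/JSSResource/policies",
    "Users": "/JSSResource/users",
}
# Read access the reply above names as needed (a general API answer, not ISE-specific).
REQUIRED = {"Advanced Computer Searches", "Computers"}


def http_status(base_url, path, user, password):
    """GET one endpoint with HTTP Basic auth and return the status code."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": "Basic " + token, "Accept": "application/xml"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 are results here, not failures


def audit(probe):
    """probe(path) -> HTTP status. Returns (missing, excess, unknown) lists."""
    missing, excess, unknown = [], [], []
    for name, path in ENDPOINTS.items():
        status = probe(path)
        if status == 200:
            if name not in REQUIRED:
                excess.append(name)  # readable but not needed: over-privileged
        elif status in (401, 403):
            if name in REQUIRED:
                missing.append(name)  # needed but denied
        else:
            unknown.append(f"{name}: HTTP {status}")
    return missing, excess, unknown


def audit_live(base_url, user, password):
    """Run the audit against a real server, e.g. audit_live(url, "ise_api", pw)."""
    return audit(lambda path: http_status(base_url, path, user, password))
```

An empty `missing` and an empty `excess` list together mean the account can read exactly the two required objects among those probed.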