Policy & Authorization Views

Overview

Policy views expose ISE policy configuration including policy sets, authorization profiles, dACLs, and TrustSec security groups. Use for policy inventory, compliance verification, and troubleshooting.

POLICY_SETS

Policy set definitions - all configured policy sets.

Key Columns

Column Type Description

Column	Type	Description
`ID`	VARCHAR2	Policy set UUID
`NAME`	VARCHAR2	Policy set name
`DESCRIPTION`	VARCHAR2	Policy set description
`STATE`	VARCHAR2	Enabled/Disabled
`CONDITION`	VARCHAR2	Matching conditions
`ALLOWED_PROTOCOLS`	VARCHAR2	Allowed protocols service
`RANK`	NUMBER	Evaluation order
`IS_DEFAULT`	VARCHAR2	Is default policy set

ID

VARCHAR2

Policy set UUID

NAME

VARCHAR2

Policy set name

DESCRIPTION

VARCHAR2

Policy set description

STATE

VARCHAR2

Enabled/Disabled

CONDITION

VARCHAR2

Matching conditions

ALLOWED_PROTOCOLS

VARCHAR2

Allowed protocols service

RANK

NUMBER

Evaluation order

IS_DEFAULT

VARCHAR2

Is default policy set

Common Queries

List All Policy Sets

netapi ise dc query "
SELECT
    NAME,
    STATE,
    ALLOWED_PROTOCOLS,
    RANK,
    IS_DEFAULT
FROM POLICY_SETS
ORDER BY RANK
"

Enabled Policy Sets Only

netapi ise dc query "
SELECT
    NAME,
    CONDITION,
    ALLOWED_PROTOCOLS
FROM POLICY_SETS
WHERE STATE = 'enabled'
ORDER BY RANK
"

AUTHORIZATION_PROFILES

Authorization profiles - what gets assigned to endpoints.

Key Columns

Column Type Description

Column	Type	Description
`ID`	VARCHAR2	Profile UUID
`NAME`	VARCHAR2	Profile name
`DESCRIPTION`	VARCHAR2	Profile description
`ACCESS_TYPE`	VARCHAR2	Access type (ACCESS_ACCEPT, ACCESS_REJECT)
`VLAN_ID`	VARCHAR2	Assigned VLAN ID
`VLAN_NAME`	VARCHAR2	VLAN tag name
`ACL`	VARCHAR2	Downloadable ACL name
`DACL_NAME`	VARCHAR2	dACL name
`SECURITY_GROUP`	VARCHAR2	SGT name
`AIRESPACE_ACL`	VARCHAR2	WLC ACL name
`AUTO_SMART_PORT`	VARCHAR2	Auto smart port profile
`REAUTHENTICATION_CONNECTIVITY`	VARCHAR2	Reauth setting
`REAUTHENTICATION_TIMER`	NUMBER	Reauth timer in seconds
`VOICE_DOMAIN_PERMISSION`	VARCHAR2	Voice domain enabled
`WEB_REDIRECTION`	VARCHAR2	Web redirect settings

ID

VARCHAR2

Profile UUID

NAME

VARCHAR2

Profile name

DESCRIPTION

VARCHAR2

Profile description

ACCESS_TYPE

VARCHAR2

Access type (ACCESS_ACCEPT, ACCESS_REJECT)

VLAN_ID

VARCHAR2

Assigned VLAN ID

VLAN_NAME

VARCHAR2

VLAN tag name

ACL

VARCHAR2

Downloadable ACL name

DACL_NAME

VARCHAR2

dACL name

SECURITY_GROUP

VARCHAR2

SGT name

AIRESPACE_ACL

VARCHAR2

WLC ACL name

AUTO_SMART_PORT

VARCHAR2

Auto smart port profile

REAUTHENTICATION_CONNECTIVITY

VARCHAR2

Reauth setting

REAUTHENTICATION_TIMER

NUMBER

Reauth timer in seconds

VOICE_DOMAIN_PERMISSION

VARCHAR2

Voice domain enabled

WEB_REDIRECTION

VARCHAR2

Web redirect settings

Common Queries

All Authorization Profiles

netapi ise dc query "
SELECT
    NAME,
    ACCESS_TYPE,
    VLAN_ID,
    DACL_NAME,
    SECURITY_GROUP
FROM AUTHORIZATION_PROFILES
ORDER BY NAME
"

Profiles with VLANs

netapi ise dc query "
SELECT
    NAME,
    VLAN_ID,
    VLAN_NAME,
    DESCRIPTION
FROM AUTHORIZATION_PROFILES
WHERE VLAN_ID IS NOT NULL
ORDER BY VLAN_ID
"

Profiles with dACLs

netapi ise dc query "
SELECT
    NAME,
    DACL_NAME,
    ACCESS_TYPE,
    DESCRIPTION
FROM AUTHORIZATION_PROFILES
WHERE DACL_NAME IS NOT NULL
ORDER BY DACL_NAME, NAME
"

Profiles with SGT (TrustSec)

netapi ise dc query "
SELECT
    NAME,
    SECURITY_GROUP,
    VLAN_ID,
    DACL_NAME
FROM AUTHORIZATION_PROFILES
WHERE SECURITY_GROUP IS NOT NULL
ORDER BY SECURITY_GROUP, NAME
"

Profiles Summary by Type

netapi ise dc query "
SELECT
    ACCESS_TYPE,
    COUNT(*) AS profile_count,
    SUM(CASE WHEN VLAN_ID IS NOT NULL THEN 1 ELSE 0 END) AS with_vlan,
    SUM(CASE WHEN DACL_NAME IS NOT NULL THEN 1 ELSE 0 END) AS with_dacl,
    SUM(CASE WHEN SECURITY_GROUP IS NOT NULL THEN 1 ELSE 0 END) AS with_sgt
FROM AUTHORIZATION_PROFILES
GROUP BY ACCESS_TYPE
"

SECURITY_GROUPS

TrustSec Security Groups (SGTs) - security group tag definitions.

Key Columns

Column Type Description

Column	Type	Description
`ID`	VARCHAR2	Security group UUID
`NAME`	VARCHAR2	Security group name
`DESCRIPTION`	VARCHAR2	Description
`SGT_VALUE`	NUMBER	SGT tag value (0-65535)
`GENERATION_ID`	VARCHAR2	Generation identifier
`IS_READ_ONLY`	VARCHAR2	System-defined SGT

ID

VARCHAR2

Security group UUID

NAME

VARCHAR2

Security group name

DESCRIPTION

VARCHAR2

Description

SGT_VALUE

NUMBER

SGT tag value (0-65535)

GENERATION_ID

VARCHAR2

Generation identifier

IS_READ_ONLY

VARCHAR2

System-defined SGT

Common Queries

All Security Groups

netapi ise dc query "
SELECT
    NAME,
    SGT_VALUE,
    DESCRIPTION,
    IS_READ_ONLY
FROM SECURITY_GROUPS
ORDER BY SGT_VALUE
"

Custom SGTs (Not System-Defined)

netapi ise dc query "
SELECT
    NAME,
    SGT_VALUE,
    DESCRIPTION
FROM SECURITY_GROUPS
WHERE IS_READ_ONLY = 'false'
ORDER BY SGT_VALUE
"

SGT Value Ranges

netapi ise dc query "
SELECT
    CASE
        WHEN SGT_VALUE < 10 THEN 'System (0-9)'
        WHEN SGT_VALUE < 100 THEN 'Infrastructure (10-99)'
        WHEN SGT_VALUE < 1000 THEN 'Endpoints (100-999)'
        ELSE 'Extended (1000+)'
    END AS sgt_range,
    COUNT(*) AS count,
    MIN(SGT_VALUE) AS min_val,
    MAX(SGT_VALUE) AS max_val
FROM SECURITY_GROUPS
GROUP BY
    CASE
        WHEN SGT_VALUE < 10 THEN 'System (0-9)'
        WHEN SGT_VALUE < 100 THEN 'Infrastructure (10-99)'
        WHEN SGT_VALUE < 1000 THEN 'Endpoints (100-999)'
        ELSE 'Extended (1000+)'
    END
ORDER BY min_val
"

SECURITY_GROUP_ACLS

TrustSec SGACLs - security group ACL definitions (what traffic is allowed between SGTs).

Key Columns

Column Type Description

Column	Type	Description
`ID`	VARCHAR2	SGACL UUID
`NAME`	VARCHAR2	SGACL name
`DESCRIPTION`	VARCHAR2	Description
`IP_VERSION`	VARCHAR2	IPv4 or IPv6
`ACL_CONTENT`	CLOB	ACL rules content
`GENERATION_ID`	VARCHAR2	Generation identifier

ID

VARCHAR2

SGACL UUID

NAME

VARCHAR2

SGACL name

DESCRIPTION

VARCHAR2

Description

IP_VERSION

VARCHAR2

IPv4 or IPv6

ACL_CONTENT

CLOB

ACL rules content

GENERATION_ID

VARCHAR2

Generation identifier

Common Queries

All SGACLs

netapi ise dc query "
SELECT
    NAME,
    IP_VERSION,
    DESCRIPTION
FROM SECURITY_GROUP_ACLS
ORDER BY NAME
"

UPSPOLICYSET / UPSPOLICYSET_POLICIES

User and Device Policy - policy set associations.

netapi ise dc query "
SELECT * FROM UPSPOLICYSET FETCH FIRST 10 ROWS ONLY
"

netapi ise dc query "
SELECT * FROM UPSPOLICYSET_POLICIES FETCH FIRST 10 ROWS ONLY
"

Policy Correlation Queries

Auth Results by Policy Set

netapi ise dc query "
SELECT
    p.NAME AS policy_set,
    COUNT(*) AS auth_count,
    SUM(CASE WHEN r.PASSED = 'Pass' THEN 1 ELSE 0 END) AS passed,
    SUM(CASE WHEN r.PASSED = 'Fail' THEN 1 ELSE 0 END) AS failed,
    ROUND(SUM(CASE WHEN r.PASSED = 'Pass' THEN 1 ELSE 0 END) * 100.0 / COUNT(*), 1) AS success_pct
FROM RADIUS_AUTHENTICATIONS r
JOIN POLICY_SETS p ON r.POLICY_SET_NAME = p.NAME
WHERE r.TIMESTAMP_TIMEZONE > SYSDATE - 1
GROUP BY p.NAME
ORDER BY auth_count DESC
"

Auth Profile Usage

netapi ise dc query "
SELECT
    AUTHORIZATION_PROFILES AS profile,
    COUNT(*) AS usage_count,
    COUNT(DISTINCT CALLING_STATION_ID) AS unique_endpoints
FROM RADIUS_AUTHENTICATIONS
WHERE PASSED = 'Pass'
    AND TIMESTAMP_TIMEZONE > SYSDATE - 7
    AND AUTHORIZATION_PROFILES IS NOT NULL
GROUP BY AUTHORIZATION_PROFILES
ORDER BY usage_count DESC
FETCH FIRST 20 ROWS ONLY
"

SGT Distribution (from Auth Results)

netapi ise dc query "
SELECT
    p.SECURITY_GROUP AS sgt,
    COUNT(DISTINCT r.CALLING_STATION_ID) AS unique_endpoints,
    COUNT(*) AS auth_count
FROM RADIUS_AUTHENTICATIONS r
JOIN AUTHORIZATION_PROFILES p ON r.AUTHORIZATION_PROFILES = p.NAME
WHERE r.PASSED = 'Pass'
    AND r.TIMESTAMP_TIMEZONE > SYSDATE - 7
    AND p.SECURITY_GROUP IS NOT NULL
GROUP BY p.SECURITY_GROUP
ORDER BY unique_endpoints DESC
"

VLAN Assignment Distribution

netapi ise dc query "
SELECT
    p.VLAN_ID,
    p.VLAN_NAME,
    COUNT(DISTINCT r.CALLING_STATION_ID) AS unique_endpoints,
    COUNT(*) AS auth_count
FROM RADIUS_AUTHENTICATIONS r
JOIN AUTHORIZATION_PROFILES p ON r.AUTHORIZATION_PROFILES = p.NAME
WHERE r.PASSED = 'Pass'
    AND r.TIMESTAMP_TIMEZONE > SYSDATE - 7
    AND p.VLAN_ID IS NOT NULL
GROUP BY p.VLAN_ID, p.VLAN_NAME
ORDER BY unique_endpoints DESC
"

Policy Inventory

Complete Policy Overview

netapi ise dc query "
SELECT
    'Policy Sets' AS category,
    COUNT(*) AS count,
    SUM(CASE WHEN STATE = 'enabled' THEN 1 ELSE 0 END) AS active
FROM POLICY_SETS
UNION ALL
SELECT
    'Auth Profiles' AS category,
    COUNT(*) AS count,
    COUNT(*) AS active
FROM AUTHORIZATION_PROFILES
UNION ALL
SELECT
    'Security Groups' AS category,
    COUNT(*) AS count,
    SUM(CASE WHEN IS_READ_ONLY = 'false' THEN 1 ELSE 0 END) AS active
FROM SECURITY_GROUPS
UNION ALL
SELECT
    'SGACLs' AS category,
    COUNT(*) AS count,
    COUNT(*) AS active
FROM SECURITY_GROUP_ACLS
"

Policy & Authorization Views

Overview

POLICY_SETS

Key Columns

Common Queries

List All Policy Sets

Enabled Policy Sets Only

AUTHORIZATION_PROFILES

Key Columns

Common Queries

All Authorization Profiles

Profiles with VLANs

Profiles with dACLs

Profiles with SGT (TrustSec)

Profiles Summary by Type

SECURITY_GROUPS

Key Columns

Common Queries

All Security Groups

Custom SGTs (Not System-Defined)

SGT Value Ranges

SECURITY_GROUP_ACLS

Key Columns

Common Queries

All SGACLs

UPSPOLICYSET / UPSPOLICYSET_POLICIES

Policy Correlation Queries

Auth Results by Policy Set

Auth Profile Usage

SGT Distribution (from Auth Results)

VLAN Assignment Distribution

Policy Inventory

Complete Policy Overview

See Also