This chapter describes how Cisco Identity Services Engine (ISE) manages its network identities and access to its resources using role-based access control policies, permissions, and settings. Cisco ISE allows you to limit access to a set of network resources or allows a certain type of system operation to be performed based on the identity of individual users, a user group or members, or an endpoint based on its corresponding role. Each role in Cisco ISE defines a set of access policies, permissions, or settings.

A user, user group or member, or an endpoint is recognized by the Cisco ISE network according to its network identity. Once identified, the network grants the access and privileges that are defined and associated with the identity. The following topics provide information and details necessary for understanding the concepts that affect how you manage identities and network access in Cisco ISE:


This section is the starting point for configuring access for Cisco ISE network access and sponsor users, endpoints, administrators, user groups, permissions, accounts, and endpoint groups as described in the following topics:

Once identified and authenticated, each Cisco ISE user, group, or endpoint can access system resources or services and perform network management tasks for which they are authorized. Identification and authentication requires the use of credentials (such as usernames, passwords, certificates, or one-time passwords) that verify each administrator, network access user, user or admin group member, and endpoint as being legitimate and authorized to perform the tasks or activities associated with its identity.

Identity roles limit each network access user, administrator, or endpoint to a specific set of privileges and access, which is based on identity, type of administrative group in which they belong, or type of endpoint. Each member of an administrative group shares a common set of group-based privileges that are granted to that group. Cisco ISE supports a number of administrative groups, each with a unique set of privileges.

Groups are a collection of individual users or endpoints that share a common set of privileges that allow them to access a specific set of Cisco ISE services and functionality. For example, if you belong to the Change User Password admin group, you can change administrative passwords for other users.

Cisco ISE contains a variety of administrative groups, each with its own set of privileges. Whenever a user is assigned to an administrative group, that user is automatically promoted to an Admin user for that group, and shares the same privileges as every other member of that group.

The Cisco ISE security model limits administrators to creating administrative groups that contain the same set of privileges that the administrator has, which is based on the administrative role of the user as defined in the Cisco ISE database. In this way, administrative groups form the basis for defining privileges for accessing the Cisco ISE systems.

Admin access is the mechanism by which the network resources, services, or functions are defined by your role, and this mechanism affects access for every user, group, or endpoint. Role-based access determines what each entity can access, which is controlled with an access control policy. Role-based access also determines the administrative role that is in use, the admin group to which the entity belongs, and the corresponding permissions and settings based upon the role of the entity.

There are three functional groupings for identity management and admin access in Cisco ISE, with each group containing one or more components:

– This component is where you can configure a network access user identity for accessing resources and services in a Cisco ISE network.

– This component is where you can configure a network-capable device identity that can connect to and access resources and services in a Cisco ISE network.

– This component is where you can configure a user group by the group or role name that can access resources and services in a Cisco ISE network.

– This component is where you can configure an endpoint group by the group or device name that can access resources and services in a Cisco ISE network.

– This component is where you can configure RBAC policies that allow admin groups to access resources and services in a Cisco ISE network.

– This component is where you can create and manage administrators who can access resources and services in a Cisco ISE network.

– This component is where you can create and manage administrator groups who can access resources and services in a Cisco ISE network.

– This component is where you can create and manage menu and data access permissions for admin groups to access resources and services in a Cisco ISE network.

– This component is where you can create and manage IP address-based access, password policy, and session timeout settings for users and groups to access resources and services in a Cisco ISE network.


The following topics provide information about identity management and admin access terminology and the related user interface that is used in the Cisco ISE network:


Table 4-1 defines and describes basic identity management terminology that applies to the users, groups, group members, and endpoints in ISE.

Table 4-1 ISE Identity Management Terminology 

User

User identity is like a container that holds information elements about each user, which form network access credentials for this user. Each user's identity is defined by data that can include username, email address, password, account description, associated administrative group, user group, and role.

A user role is a set of permissions that determine what tasks a user can perform or what services can be accessed on the ISE network.

User

(for example, a network access user)

Group

Group identity is composed of information elements that identify and describe a specific group of users that belong to the same administrative group. A group name is also a description of the functional role that the members of this group have. A group is a listing of the users that belong to this group.

A group role is the set of permissions that determine the tasks each member of this group can perform or the services that can be accessed on the Cisco ISE network. Because common privileges are assigned to a group, any member of that group has that defined set of permissions.

Group

(for example, the System Admin group)

Group Member

Group members are individual users that belong to a specific administrative group, and are listed in the Member User table for the group. The Member User table includes information about each member, including the user status (Enabled or Disabled), email address, user name, and user information (using the format: First Name, Last Name).

Groups allow you to map individual users to a group, and in this way, confer a role-based identity and privileges associated with the group on each member. By using the Member User table, Cisco ISE allows you to filter entries in a group and add or remove entries in the table.

Because group identity and privileges are shared by all members of the group, being a member of a group can also be used as a condition in authorization policies.

A group member role is a set of permissions that determine the tasks a user (by virtue of being a member of a group) can perform or the services that can be accessed on the Cisco ISE network.

Group member

(for example, a member of the Network Device Admin group)

Endpoints

From the Cisco ISE network perspective, concurrent endpoints can be users, personal computers, laptops, IP phones, smart phones, gaming consoles, printers, fax machines, or any other devices supported by the Cisco ISE network.

However, from the perspective of the identity role of a specific network device, an endpoint identity defines these items:

An endpoint role is a set of permissions that determine the tasks that the device can perform or services that can be accessed on the Cisco ISE network.

Endpoint device

(for example, an iPhone device)


Managing User Identity and Group Identity Types Using the User Interface

Use the Cisco ISE dashboard as your starting point for displaying and performing the operations that allow you to manage network access users, endpoints, user identity, and endpoint identity groups. You perform management operations by using the controls, tabs, and navigation pane options for the following tasks:

The following identifies the Cisco ISE user interface tab or menu option choices needed to perform tasks associated with users and endpoints:

The following identifies the ISE user interface tab or menu option choices needed to perform tasks that are associated with User Identity Groups and Endpoint Identity Groups:

Table 4-2 lists the configurable user and group identity values you can set using the controls and options available in the Identities tab.

Table 4-2 Cisco ISE User and Group Identity Values 

Your starting point for managing network access user values

Network Access User

Password

User Information

Account Options

User Group

Status

Your starting point for managing endpoint values

Endpoints

Your starting point for managing user identity group and member values

Identity Group

Member Users

Your starting point for managing endpoint identity group values

Endpoint Group List

Endpoints

When you create an identity, you can configure or assign account options using the Account Options panel. To configure or assign account options, check the Password Change check box, which prompts each user to change their password at the next login.

To complete the configuration using your choices for user or endpoint identity types, click Submit to create these identities in the ISE database.

Network Access Users

A network user is a Cisco ISE user that is authorized to access the ISE network resources based on identity. The network access user identity contains information about the user and forms the network access credentials for the user (and can consist of username, email address, password, account description, associated administrative group, user group, and role). To support Cisco ISE Sponsor groups, you need to explicitly create a sponsor user to be associated with a predefined sponsor group. A sponsor user can be considered another type of network access user and is created using the same process described in the following procedure.

Configuring Network Access and Sponsor Users

The Network Access Users window lets you display, create, modify, delete, change the status, import or export users, duplicate, or search for attributes of Cisco ISE network access users. The following topics are covered in this section:

Displaying Existing Network Access Users

Use this procedure to display all existing locally configured network access users.

To display existing network access users, complete the following steps:

The Network Access Users window appears listing all existing locally defined network access users.

Creating a New Network Access or Sponsor User

Use this procedure to create and configure new locally configured network access users or the required sponsor user necessary for Cisco ISE Sponsor groups.

To create a new network access user or sponsor user, complete the following steps:

The Network Access Users window appears listing all locally configured network access users.

The Network Access User page appears.

Modifying an Existing Network Access User

Use this procedure to modify the configuration values for an existing locally configured network access user.

To modify an existing network access user, complete the following steps:

The corresponding Network Access User page appears.

Deleting an Existing Network Access User

Use this procedure to delete an existing locally configured network access user.

To delete an existing network access user, complete the following steps:

The Network Access User page appears with the modified status.

Changing the Status of an Existing Network Access User

Use this procedure to change the status of an existing locally configured network access user.

To change the status of an existing network access user, complete the following steps:

Importing or Exporting Existing Network Access Users

Use the following procedures to import or export locally configured network access users.

To import existing network access users, complete the following steps:

The Import Users from File page appears.

Use this procedure to import locally configured network access users.

To export existing network access users, complete the following steps:

The Export Network Access User window is displayed, where you are required to enter a key for encrypting the password in the Key field.

The Opening users.csv dialog box appears with two options to choose.

Click Other... to display additional choices.

Duplicating an Existing Network Access User

Use this procedure to duplicate an existing network access user.

To duplicate an existing network access user, complete the following steps:

The Network Access Users window appears with the duplicated status.

Searching for Specific Attributes in an Existing Network Access User

Use this procedure to search for an existing network access user based on specific attributes.

To search for an existing network access user using specific attributes, complete the following steps:

Network access user entries that match the specified attribute(s) are displayed in the Network Access Users page.

An endpoint is typically a network-capable device that connects to your network and uses the resources on your network through wired and wireless NADs and VPNs. Endpoints can be personal computers, laptops, IP phones, smart phones, gaming consoles, printers, and fax machines.

The MAC address of an endpoint, expressed in hexadecimal form, is always used to represent the endpoint on your network. An endpoint can be profiled statically when you create the endpoint by using its MAC address, and associating a profile to it along with an endpoint identity group in Cisco ISE.

When endpoints are discovered on your network, they can be profiled dynamically based on the configured endpoint profiling policies, and assigned to the matching endpoint identity groups depending on their profiles.

Policy Assignment

If you do not have a matching profiling policy, you can assign an unknown profiling policy. The endpoint is therefore profiled as Unknown. The endpoint that does not match any profile is grouped within the Unknown identity group. The endpoint profiled to the Unknown profile requires that you create a profile with an attribute or a set of attributes collected for that endpoint.

Identity Group Assignment

You can assign an endpoint to an identity group when you create an endpoint statically, or when you do not want to use the Create matching identity group option during evaluation of the endpoint profiling policy for an endpoint. If you do not choose the Static Group Assignment option, then the endpoint is automatically assigned to the matching identity group the next time the endpoint profiling policy is evaluated.

Static Assignment

You can change the assignment of an endpoint from static to dynamic or from dynamic to static on the Endpoints page. The Endpoints page displays the static assignment status of endpoints as true when an endpoint is created statically, or false when the Static Assignment check box is unchecked while editing an endpoint on the Endpoints page.

Static Group Assignment

You can assign an endpoint to an identity group statically. In such cases, the Profiler service does not change the identity group during the next policy evaluation for these endpoints, which were previously assigned dynamically to endpoint identity groups in Cisco ISE.

The following section describes the procedure on how to manage endpoints in Cisco ISE:

Configuring Endpoints

Related Topics:

Endpoint Identity Groups

The Endpoints page allows you to display, configure, and manage endpoints on your network, which provides an option to filter endpoints. You can create an endpoint statically on the Endpoints page. The Endpoints page displays the list of all the endpoints and their associated profiles, MAC addresses, and the status of static assignment as true or false.

This section describes the basic operations that allow you to manage an endpoint, an identity that accesses your network. The following topics are covered in this section:

Filtering Endpoints

A quick filter is a simple and quick filter that can be used to filter endpoints on the Endpoints page. It filters endpoints based on the field descriptions such as the endpoint profile, MAC address, and the static status that is assigned to endpoints when they are created on the Endpoints page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Endpoints page. It filters endpoints based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all of the preset filters. You can choose a preset filter and view the results on the Endpoints page.

To filter endpoints on the Endpoints page, complete the following steps:

The Endpoints page appears, which lists all the endpoints that are discovered on your network.

The Quick Filter and Advanced Filter options appear. See Table 4-3.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

The preset filter displays the filtered results on the Endpoints page. To return to the endpoints list, choose All from the Show drop-down to display all the endpoints without filtering.

To filter using the Quick Filter option, complete the following steps:

A quick filter filters endpoints based on each field description on the Endpoints page. When you click inside any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Endpoints page. If you clear the field, it displays the list of all the endpoints on the Endpoints page.

Endpoint entries that match the specified attribute(s) are displayed on the Endpoints page.

To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter endpoints by using variables that are more complex. It contains one or more filters that filter endpoints based on the values that match the field descriptions. A filter on a single row filters endpoints based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter endpoints by using any one or all of the filters within a single advanced filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save. Do not include spaces when creating the name for a preset filter. Click Cancel to clear the filter without saving the current filter.

Table 4-3 describes the fields that allow you to filter endpoints on the Endpoints page.

Table 4-3 Filtering Endpoints 

Quick Filter

Endpoint Profile

This field enables you to filter endpoints by the name of the endpoint profile.

MAC Address

This field enables you to filter endpoints by the MAC address of the endpoint.

Static Assignment

This field enables you to filter endpoints by the endpoint static assignment status.

Advanced Filter

Choose the field description from the following:

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter endpoints.

Value

From the Value field, choose the value for the field description that you selected against which the endpoints are filtered.

Creating an Endpoint

You can create a new endpoint statically by using the MAC address of an endpoint on the Endpoints page. You have an option to choose an endpoint profiling policy, and an identity group on the Endpoints page for static assignment. Cisco ISE does not reassign the profiling policy and the identity group for statically assigned endpoints.

To create an endpoint on the Endpoints page, complete the following steps:

The Endpoints page appears.

The New Endpoint page appears.

The endpoint that you create appears on the Endpoints page.

Alternatively, you can click the Endpoint List link from the New Endpoint page to return to the Endpoints page.

Table 4-4 describes the fields that allow you to create an endpoint on the Endpoints page.

Table 4-4 Creating Endpoints 

MAC Address

Enter the MAC address in hexadecimal form (for example, nn:nn:nn:nn:nn:nn).

If you do not enter the MAC address in hexadecimal form, this field prompts you with the following message:

Invalid MAC address. Please enter MAC address as nn:nn:nn:nn:nn:nn

Policy Assignment

From the Policy Assignment field, click the drop-down arrow to view the predefined endpoint profiling policies that can be assigned.

Choose an endpoint profiling policy.

Identity Group Assignment

From the Identity Group Assignment field, click the drop-down arrow to view existing identity groups in the system.

Choose an identity group.

Editing an Endpoint

You can only edit the policy that is assigned to endpoints and the identity group while editing endpoints.

To edit an endpoint on the Endpoints page, complete the following steps:

Here, you can edit the endpoint profiling policy and the identity group for the selected endpoint. The Attribute List displays the attributes captured for that selected endpoint when created.

The endpoint that you edit appears on the Endpoints page.

Alternatively, you can click the Endpoint List link to return to the Endpoints page.

Table 4-5 describes the fields that allow you to edit an endpoint on the Endpoints page.

Table 4-5 Editing Endpoints 

MAC address

The MAC address of the selected endpoint is displayed in hexadecimal form.

Policy Assignment

From the Policy Assignment field, click the drop-down arrow to view the predefined endpoint profiling policies that can be assigned.

Choose an endpoint profiling policy.

Static Assignment

To change the dynamic status that is assigned to the endpoint, check the Static Assignment check box.

Identity Group Assignment

From the Identity Group Assignment field, click the drop-down arrow to view existing identity groups in the system.

Choose an identity group.

Static Group Assignment

To change a dynamic assignment of an endpoint identity group to static, check the Static Group Assignment check box. If the check box is not checked, then the endpoint identity group is dynamic as assigned by the profiler based on policy configuration.

Deleting an Endpoint

You can delete all the endpoints or only the endpoints that you choose from the list on the Endpoints page. The Delete menu has two options: Delete All, which allows you to delete all the endpoints from the list on the Endpoints page, or Delete Selected, which allows you to delete endpoints that you choose from the list on the Endpoints page.

To delete an endpoint from the Endpoints page, complete the following steps:

The Delete Selected and Delete All options appear.

A confirmation dialog appears.

Importing Endpoints

You can import endpoints from a comma-separated values (CSV) file in which the list of endpoints appears with the MAC address and the endpoint profiling policy details separated by a comma. The CSV file contains a header row that has two columns that list the MAC address of endpoints in one column, and endpoint profiling policies assigned to those endpoints in the next column.

If the CSV file contains endpoints that have their MAC addresses, and their assigned endpoint profiling policy is the Unknown profile, then those endpoints are immediately reprofiled in Cisco ISE to the matching endpoint profiling policies. However, they are not statically assigned to the Unknown profile. If endpoints do not have profiles assigned to them in the CSV file, then they are assigned to the Unknown profile and reprofiled to the matching endpoint profiling policies.

For example, Table 4-6 shows how Cisco ISE reprofiles Unknown profiles that match the Xerox-Device profile during import. It also shows how Cisco ISE reprofiles an endpoint that is unassigned.

Table 4-6 Unknown Profiles: Import From a File

00:00:00:00:01:02 | Unknown | Xerox-Device

00:00:00:00:01:03 | Unknown | Xerox-Device

00:00:00:00:01:04 | Unknown | Xerox-Device

00:00:00:00:01:05 | If there is no profile assigned to an endpoint, then it is assigned to the Unknown profile, and also reprofiled to the matching profile. | Xerox-Device

If the CSV file contains endpoints that have their MAC addresses, and their assigned endpoint profiling policy is the static assignment, then they are not reprofiled during import. If endpoints are assigned to invalid profiles in the CSV file, then they are not imported because there are no matching profiles in Cisco ISE.

For example, Table 4-7 shows how Cisco ISE retains the Cisco-Device profile, the static assignment of an endpoint during import. It also shows that endpoints are not imported when they are assigned to invalid profiles in the CSV file.

Table 4-7 Static Assignment: Import From a File 

00:00:00:00:01:02 | Cisco-Device | Cisco-Device

00:00:00:00:01:03 | Unknown | Xerox-Device

00:00:00:00:01:04 | Unknown | Xerox-Device

00:00:00:00:01:05 | If an endpoint such as 00:00:00:00:01:05 is assigned to an invalid profile other than the profiles in Cisco ISE, then Cisco ISE displays a warning message that the policy name is invalid and the endpoint will not be imported. | The endpoint is not imported because there is no matching profile in Cisco ISE.

Generating a Template

By default, you can use the Generate a Template link to create a CSV file in the Microsoft Office Excel application and save the file locally on your system. When you click the Generate a Template link, the Cisco ISE server displays the Opening template.csv dialog.

This dialog allows you to open the template.csv file, or save the template.csv file locally on your system. If you choose to open the template.csv file from the dialog, the file opens in the Microsoft Office Excel application. The file contains a header row that displays the MAC and Endpoint Policy columns.

Table 4-8 displays the header row in the template.csv file that is created by using the Generate a Template link:

Table 4-8 CSV Template File

MAC | Endpoint Policy

00:1f:f3:4e:c1:8e | Cisco-Device

To import endpoints from a CSV file on the Endpoints page, complete the following steps:

The file format has to be in the format as specified so that the list of endpoints appears as follows: MAC, Endpoint Policy.

You can also use the Generate a Template link to create a template and save the file. When you use this link, a default template .csv file is created with the following values: 00:22:5e:4d:fe:01, Unknown. You must update the MAC address of endpoints and their profiles and save the file with a different file name. You can use this saved file for importing endpoints. The Microsoft Office Excel application is the default application to open the .csv files.
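The import rules above can be checked against a file before it is uploaded. The following is an added example, not Cisco code: a pre-import check that predicts, per row, whether an endpoint would be reprofiled, kept as a static assignment, or rejected. The policy list and sample rows are constructed, and applying the New Endpoint form's MAC format check to CSV rows is an assumption.

```python
import csv
import io
import re

# Six colon-separated hex octets, the nn:nn:nn:nn:nn:nn form the Endpoints page requires.
# Assumption: the CSV import applies the same format check as the New Endpoint form.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

# Assumption: profiling policies that exist on the target deployment (constructed list).
KNOWN_POLICIES = {"Unknown", "Cisco-Device", "Xerox-Device"}

# Constructed sample file, modelled on the rows in Tables 4-6 and 4-7.
SAMPLE_CSV = """MAC,Endpoint Policy
00:00:00:00:01:02,Cisco-Device
00:00:00:00:01:03,Unknown
00:00:00:00:01:04,
00:00:00:00:01:05,Not-A-Profile
0000.0000.0106,Cisco-Device
"""


def classify_row(mac, policy, known_policies=KNOWN_POLICIES):
    """Return (outcome, reason) for one row, following the import rules described above."""
    mac, policy = mac.strip(), policy.strip()
    if not MAC_RE.match(mac):
        return "rejected", "MAC address is not in nn:nn:nn:nn:nn:nn form"
    if policy in ("", "Unknown"):
        # No profile, or the Unknown profile: reprofiled to the matching policy.
        return "reprofiled", "no profile or Unknown: reprofiled to the matching policy"
    if policy not in known_policies:
        # Invalid policy name: the endpoint is not imported.
        return "rejected", "policy name is invalid: no matching profile"
    # A valid, named profile is retained and the endpoint is not reprofiled.
    return "static", "valid profile: kept as a static assignment, not reprofiled"


def precheck(csv_text, known_policies=KNOWN_POLICIES):
    """Parse a 'MAC, Endpoint Policy' file and classify every data row."""
    reader = csv.reader(io.StringIO(csv_text))
    header = [cell.strip() for cell in next(reader, [])]
    if header[:2] != ["MAC", "Endpoint Policy"]:
        raise ValueError("expected header row: MAC, Endpoint Policy")
    results = []
    for row in reader:
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        mac = row[0]
        policy = row[1] if len(row) > 1 else ""
        outcome, reason = classify_row(mac, policy, known_policies)
        results.append({
            "line": reader.line_num,
            "mac": mac.strip(),
            "policy": policy.strip(),
            "outcome": outcome,
            "reason": reason,
        })
    return results


def static_assignments(results):
    """MAC addresses that would bypass profiling; review these before importing."""
    return [r["mac"] for r in results if r["outcome"] == "static"]


if __name__ == "__main__":
    for r in precheck(SAMPLE_CSV):
        print(f"line {r['line']}: {r['mac'] or '(empty)'} -> {r['outcome']} ({r['reason']})")
```

Rows reported as static deserve a second look, because Cisco ISE retains those assignments and does not reprofile the endpoints.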

Importing Endpoints from an LDAP Server

Prerequisite:

Before you import from an LDAP server, ensure that you have installed the LDAP server.

To import endpoints from an LDAP server, complete the following tasks:

The Lightweight Directory Access Protocol (LDAP) is an application protocol used to query and import data from an LDAP directory. LDAP is an external identity store in Cisco ISE. A directory is a set of objects with attributes that are organized in a logical and hierarchical manner. It is a tree of directory entries, each of which contains a set of attributes. An attribute has a name, and one or more values that are defined in the schema and stored in an LDAP Data Interchange Format (LDIF) file that you use to import the attribute.

Cisco ISE allows you to import MAC addresses and the associated profiles of endpoints securely from an LDAP server. You can use an LDAP server to import endpoints and the associated profiles by using either port 389, or securely over SSL by using port 636.

You have to configure the connection settings and query settings to import from an LDAP server. If the connection settings or query settings are configured incorrectly in Cisco ISE, then the "LDAP import failed:" error message appears.

Root CA Certificate Name

The root certificate authority (CA) certificate name refers to the trusted CA certificate that is required to connect to an LDAP server. You can add (import), edit, delete, and export trusted CA certificates.

Configuring Importing of Endpoints from an LDAP server over SSL

You can import MAC addresses and the associated profiles of endpoints securely from an LDAP server.

To import endpoints from an LDAP server over SSL, complete the following steps:

Table 4-9 describes the fields that allow you to import endpoints from an LDAP server on the Endpoints page.

Table 4-9 Importing from LDAP 

Host

Enter the hostname or the IP address of an LDAP server.

Port

Enter the configured port of an LDAP server.

Enable Secure Connection

To import from an LDAP server over SSL, check the Enable Secure Connection check box.

Root CA Certificate Name

Click the drop-down arrow to view the trusted CA certificates.

Anonymous Bind

To enable the anonymous bind, check the Anonymous Bind check box.

Admin DN

Enter the distinguished name (DN) configured for the LDAP administrator in the slapd.conf configuration file.

Password

Enter the password configured for the LDAP administrator in the slapd.conf configuration file.

Base DN

Enter the distinguished name of the parent entry.

MAC Address objectClass

Enter the query filter from the LDIF file, which is used for importing the MAC address, for example, ieee802Device.

MAC Address Attribute Name

Enter the returned attribute name from the LDIF file, which you use for import. For example, macAddress.

Profile Attribute Name

Enter the surname of the parent entry.

Time Out [seconds]

Enter the timeout in seconds, between 1 and 60.
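To show how the fields in Table 4-9 relate to directory data, the following added example (not Cisco code) checks a set of import settings and applies the query settings to LDIF entries. The settings, host names, LDIF entries, and the use of description as the profile attribute are constructed assumptions, as is requiring MAC values in nn:nn:nn:nn:nn:nn form.

```python
import re

# Assumption: MAC values must use the nn:nn:nn:nn:nn:nn form the Endpoints page requires.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

# Constructed settings, keyed after the fields in Table 4-9.
SETTINGS = {
    "host": "ldap.example.test", "port": 389, "secure": False, "root_ca": "",
    "anonymous_bind": False, "admin_dn": "cn=admin,dc=example,dc=test",
    "base_dn": "dc=example,dc=test",
    "mac_object_class": "ieee802Device", "mac_attribute": "macAddress",
    "profile_attribute": "description",  # assumption: attribute holding the profile name
    "timeout": 90,
}

# Constructed LDIF entries.
SAMPLE_LDIF = """dn: cn=printer-01,ou=devices,dc=example,dc=test
objectClass: device
objectClass: ieee802Device
macAddress: 00:00:00:00:01:02
description: Xerox-Device

dn: cn=phone-07,ou=devices,dc=example,dc=test
objectClass: device
objectClass: ieee802Device
macAddress: 0000.0000.0103
description: Cisco-Device

dn: uid=jdoe,ou=people,dc=example,dc=test
objectClass: inetOrgPerson
sn: Doe

dn: cn=cam-02,ou=devices,dc=other,dc=test
objectClass: ieee802Device
macAddress: 00:00:00:00:01:04
"""


def lint_settings(s):
    """Checks added here; they are not messages produced by Cisco ISE."""
    findings = []
    if not 1 <= s["timeout"] <= 60:
        findings.append("Time Out must be between 1 and 60 seconds")
    if not s["anonymous_bind"] and not s["admin_dn"]:
        findings.append("Admin DN is empty and Anonymous Bind is not checked")
    if s["secure"] and not s["root_ca"]:
        findings.append("Enable Secure Connection is checked but no Root CA Certificate Name is selected")
    if not s["secure"] and not s["anonymous_bind"]:
        findings.append("Admin DN password would cross the network without SSL")
    return findings


def parse_ldif(text):
    """Parse plain 'attr: value' LDIF records (folded lines supported, base64 values not)."""
    entries, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last:
            current[last][-1] += line[1:]  # folded continuation line
        else:
            attr, _, value = line.partition(":")
            last = attr.strip().lower()  # attribute names are case-insensitive
            current.setdefault(last, []).append(value.strip())
    return entries


def select_endpoints(entries, s):
    """Apply Base DN, objectClass and attribute names; return (imported, skipped)."""
    imported, skipped = [], []
    for e in entries:
        dn = e.get("dn", [""])[0]
        classes = [v.lower() for v in e.get("objectclass", [])]
        # Simplified subtree test: the entry DN must end with the Base DN.
        if not dn.lower().endswith(s["base_dn"].lower()):
            continue
        if s["mac_object_class"].lower() not in classes:
            continue
        profile = (e.get(s["profile_attribute"].lower()) or [None])[0]
        for mac in e.get(s["mac_attribute"].lower(), []):
            if MAC_RE.match(mac):
                imported.append((mac, profile))
            else:
                skipped.append((dn, mac))
    return imported, skipped


if __name__ == "__main__":
    print(lint_settings(SETTINGS))
    print(select_endpoints(parse_ldif(SAMPLE_LDIF), SETTINGS))
```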

Exporting Endpoints

You can export selected or all the endpoints from the Cisco ISE server to different Cisco ISE servers.

To export endpoints on the Endpoints page to a CSV file, do the following:

The Export Selected and Export All options appear.

By default, the profiler_endpoints.csv is a Microsoft Office Excel CSV file. For example, the Opening profiler_endpoints.csv dialog box appears, which allows you to open or save the profiler_endpoints.csv file. The Microsoft Office Excel application is the default application to open the .csv files.

The exported list of endpoints appears in the profiler_endpoints.csv file, which opens in the Microsoft Office Excel application. The CSV file displays the header information in two separate columns such as the MAC address and Endpoint Policy. You can save this CSV file locally on your system, as well as use it for importing endpoints.

Understanding Admin Access Terminology

Table 4-10 defines and describes some basic admin access terminology that applies to role-based access policies, administrators, admin groups, permissions, and settings in Cisco ISE.

Table 4-10 Cisco ISE Admin Access Terminology 

Policies

Role-based access policies (known as Admin access) are access control policies that you define that allow you to restrict the network access privileges for any user or group. Role-based access policies are defined when you configure specific access control policies and permissions. These admin access policies allow you to customize the amount and type of access on a per-user or per-group basis using specified role-based access permission settings that apply to a group or an individual user.

Administrators

An individual who manages or performs a specific type of administrative task using the Cisco ISE user interface is considered an admin (or administrator). Administrators are dependent upon the admin role assigned to them, which limits the network access or tasks they can perform (a role-based access approach). Using the Cisco ISE user interface, administrator roles can perform the following tasks:

Admin Groups

These are groups that contain a number of users that all belong to the same administrative group. Each user that belongs to an administrative group is listed in the Member User table for that group, which includes information about each member, such as user status (Enabled or Disabled), email address, user name, First Name, and Last Name.

Cisco ISE allows you to filter entries in a group, and add or remove entries from the Member User table. Applying role-based access information to groups directly maps these limits to any individual user who belongs to that group, because all group members share a common identity and the privileges assigned to that role (for example, users with the Network Device Admin role).

A user's identity as a member of a specific administrative group can also be used as a condition in authorization policies. The supported Cisco ISE admin group roles and the tasks each role type can manage are listed and described in .

Permissions

Cisco ISE uses this process to control permissions or access rights to specific users or groups of users. Permissions allow you to control the ability of an individual user or group to access or manage any network service or resource. The Cisco ISE user interface provides two options: menu access and data access. Cisco ISE allows you to create, modify, duplicate, or delete permission privilege settings that limit access to Cisco ISE menus and Cisco ISE data.

Settings

Cisco ISE uses this process to configure three key settings that affect admin access:

The Access settings allow you to configure access connection restrictions with two options (allow all IP addresses or allow only listed IP addresses). This option allows you to configure a list of IP addresses with a subnet mask that you configure for access. You can also edit or delete any IP addresses with a subnet mask in the configured list.

The Password Policy settings consist of two tabs (Password Policy and Advanced) that you can use to create an admin access password policy. Under the Password Policy tab, you can choose from eight check boxes and two text fields to configure a password policy. Under the Advanced tab, you can define a password history setting in a text field or use two check boxes and text fields to define the lifetime of an admin access password.

The Session Timeout setting allows you to define a session idle timeout period in minutes. After this period elapses, the session times out and access is no longer possible during this session.

Administrative users are users of Cisco ISE that can be assigned to one or more admin-level groups. You can create an administrative user when you first configure Cisco ISE users or you can promote an existing user to this role. Administrative users can also be demoted to simple network user status by disabling the corresponding administrative privileges.

Table 4-11 Cisco ISE Admin Group Roles and Responsibilities 

Helpdesk Admin

This role provides access for querying all monitoring and troubleshooting operations within the Cisco ISE administrative console, and can perform the following tasks:

This role cannot create, update, or delete reports, troubleshooting flows, live authentications, or alarms.

Identity Admin

This role provides access for managing all of the internal user identities that use the Cisco ISE administrative console across the Cisco ISE network.

Monitoring Admin

This role provides access to all monitoring and troubleshooting operations within the Cisco ISE administrative console, and can perform the following tasks:

Network Device Admin

This role provides access for Cisco ISE administrators that manage only the Cisco ISE network device repository and perform tasks such as adding, updating, or deleting devices. This role has the following permissions:

Policy Admin

This role provides access for Cisco ISE policy administrators who are responsible for creating and managing the policies for all Cisco ISE services across the network that are related to authentication, authorization, posture, profiler, and client provisioning. This role has the following permissions:

RBAC Admin

This role provides access for creating, updating, or deleting Cisco ISE administrator accounts, admin access policies, and assigning administrative roles. This role has the following permissions:

Super Admin

This role provides access to every Cisco ISE administrative function. This role is assigned to the default administrator account, and has create, read, update, delete, and eXecute (CRUDX) permissions on all Cisco ISE resources.

System Admin

This role provides access for Cisco ISE administrators who are responsible for Cisco ISE configuration and operations. This role has read and write permissions on all system administration activities, except for account definition.

Managing Admin Access Types Using the User Interface

Use the Cisco ISE dashboard as your starting point for displaying and performing admin access management operations that allow you to manage policies, administrators, admin groups, permissions, and settings. You perform management operations by using the controls, tabs, and navigation pane options to perform the following tasks:

Table 4-12 lists the admin access types and configurable values you can set using the Admin Access tab.

Table 4-12 Cisco ISE Admin Access Types and Values 

Your starting point for managing RBAC policies and values

Create role-based admin access policies

RBAC

Administrators

Your starting point for managing Administrators

New Administrator

(or Edit)

Admin User

Password

User Information

Account Options

Admin Groups

Admin Groups

Your starting point for managing Admin Groups

Admin Groups

Admin Group

Member User

Permissions

Your starting point for managing Permissions

Menu Access

Data Access

Menu Access

Create Menu Access Permission

Menu Access Privileges

Data Access

Create Data Access Permission

Data Access Privileges

Settings

Your starting point for managing Settings

Access

Configure Access Restriction

Configure IP List for Access Restriction

Password Policy

Password Policy tab

Password check boxes and text fields requirements:

Advanced tab

Session Timeout

Session Timeout tab

Configuring Cisco ISE Administrators

Use the Admin Users window to display, create, modify, delete, change the status, duplicate, or search for attributes of Cisco ISE administrators. The following topics are covered in this section:

Displaying Existing Cisco ISE Administrators

Use this procedure to display the list of currently configured Cisco ISE administrators.

To display existing Cisco ISE administrators, complete the following steps:

The Administrators window appears listing all existing locally defined administrators.

Creating a New Cisco ISE Administrator

Use this procedure to create a new Cisco ISE administrator.

To create a new Cisco ISE administrator, complete the following steps:

If you choose Create New User, a blank Admin User page appears that you must configure.

If you choose Select from Network Access Users, a list of current users appears from which you can click to choose a user, and the corresponding Admin User page appears.

Modifying an Existing Cisco ISE Administrator

Use this procedure to modify an existing Cisco ISE administrator configuration.

To modify an existing Cisco ISE administrator, complete the following steps:

The Administrators window appears.

The corresponding Admin User page appears.

Deleting an Existing Cisco ISE Administrator

Use this procedure to delete an existing Cisco ISE administrator.

To delete an existing Cisco ISE administrator, complete the following steps:

Changing the Status of an Existing Cisco ISE Administrator

Use this procedure to change the status of an existing Cisco ISE administrator.

To change the status of an existing Cisco ISE administrator, complete the following steps:

The Administrators window appears with this modified status.

Duplicating an Existing Cisco ISE Administrator

Use this procedure to duplicate an existing Cisco ISE administrator.

To duplicate an existing Cisco ISE administrator, complete the following steps:

The Administrators window appears with the duplicated status.

Searching for Specific Attributes in an Existing Cisco ISE Administrator

Use this procedure to search for an existing Cisco ISE administrator based on specific attributes.

To search for an existing Cisco ISE administrator using specific attributes, complete the following steps:

Cisco ISE administrator entries that match the specified attribute(s) are displayed in the Cisco ISE Administrators page.

Configuring Admin Groups

The Admin Groups window lets you display, create, modify, delete, duplicate, or filter Cisco ISE network admin groups. The following topics are covered in this section:

Displaying Existing Admin Groups

Use this procedure to display existing admin groups.

To display existing admin groups, complete the following steps:

The Admin Groups window appears.

Creating an Admin Group

Use this procedure to create an admin group (and create or delete users within that admin group).

To create an admin group, complete the following steps:

Modifying an Existing Admin Group

Use this procedure to modify the configuration values for an existing locally configured admin group.

To modify an existing admin group, complete the following steps:

The corresponding Admin Group page appears.

Deleting an Existing Admin Group

Use this procedure to delete an existing admin group (and by doing so, delete the users within that admin group).

To delete an existing admin group, complete the following steps:

A Delete Confirmation dialog box appears.

Duplicating an Existing Admin Group

Use this procedure to duplicate an existing admin group.

To duplicate an existing admin group, complete the following steps:

The Admin Group window appears with the duplicated status.

Searching for Specific Attributes in an Existing Admin Group

Use this procedure to search for an existing admin group based on specific attributes.

To search for an existing admin group using specific attributes, complete the following steps:

To perform a Quick Filter, enter search criteria in one or more of the following attribute fields:

Configuring User Identity Groups

The Identity Groups window lets you display, create, modify, delete, duplicate, or filter Cisco ISE user identity groups. The following topics are covered in this section:

Displaying a User Identity Group

Use this procedure to display a Cisco ISE user identity group.

To display existing user identity groups, complete the following steps:

The User Identity Groups window appears.

Creating a User Identity Group

Use this procedure to create a user identity group (and create or delete users within this local user identity group).

To create a user identity group, complete the following steps:

The User Identity Groups page appears with two panels: Identity Group and Member Users.

A Users dialog box appears.

A Delete confirmation dialog box appears. Click OK to confirm your user deletion choice.

Modifying an Existing User Identity Group

Use this procedure to modify an existing user identity group (and by doing so, modify the users within this local user identity group).

To modify an existing user identity group, complete the following steps:

The User Identity Groups page appears.

Deleting an Existing User Identity Group

Use this procedure to delete an existing user identity group (and by doing so, delete the users within this local user identity group).

To delete an existing user identity group, complete the following steps:

A Delete Confirmation dialog box appears. Click OK to confirm your user identity group deletion choice.

Importing or Exporting an Existing User Identity Group

Use this procedure to import or export locally configured user identity groups.

To import or export existing user identity groups, complete the following steps:

The Import User Identity Groups from File page appears.

The "Opening users.csv" window is displayed, where you can click Save File and then click OK to create a users.csv file with the network access users that you selected to export.

Searching for Specific Attributes in an Existing User Identity Group

Use this procedure to search for an existing user identity group based on specific attributes.

To search for an existing user identity group using specific attributes, complete the following steps:

Managing Admin Access (RBAC) Policies

In Cisco ISE, RBAC policies are simple access control policies that use RBAC concepts to manage admin access. These RBAC policies are formulated to grant permissions to a set of administrators that belong to one or more admin group(s) that restrict or enable access to perform various administrative functions using the user interface menus and admin group data elements.

RBAC policies determine if an admin user can be granted a specific type of access to a menu item or other identity group data elements. You can grant or deny access to a menu item or identity group data element to an admin user based on the admin group by using effective RBAC policies. When admin users log into the Cisco ISE user interface, they can access menus and data that are based on the policies and permissions defined for the admin groups with which they are associated.

For example, you can prevent a network administrator from viewing the Admin Access operations menu and the policy data elements. This can be achieved by creating a custom RBAC policy for the admin group with which the network administrator is associated.

Configuring RBAC Permissions

Cisco ISE provides an out-of-the-box set of permissions that are associated with a set of predefined admin groups. Predefined admin group permissions allow you to set permissions so that a member of any admin group can have full or limited access to the menu items within the administrative interface (known as menu access), and to delegate an admin group to use the data access elements of other admin groups (known as data access). These permissions are reusable entities that can be further used to formulate RBAC policies for various admin groups.

The following permissions are available in Cisco ISE:

Configuring Menu Access Permissions

In Cisco ISE, the menu access permissions allow you to show or hide the menu items of the Cisco ISE administrative interface to an admin group. This feature lets you create permissions for the admin group so that you can restrict or enable access to an administrator belonging to that group at the menu level. The following topics are covered in this section:

Viewing Predefined Menu Access Permission

Cisco ISE provides a set of system defined menu access permissions that are already used in the default RBAC policies.

To view the default menu access for an admin group, complete the following steps:

The Menu Access page appears listing all existing menu access permissions, both default and user-defined.

Table 4-13 lists the default menu access permissions.

Table 4-13 Default Menu Access Permissions

Super Admin Menu Access

Super Admin

Policy Admin Menu Access

Policy Admin

Helpdesk Admin Menu Access

Helpdesk Admin

Identity Admin Menu Access

Identity Admin

Network Admin Menu Access

Network Device Admin

System Admin Menu Access

System Admin

RBAC Admin Menu Access

RBAC Admin

MnT Admin Menu Access

MnT Admin

Creating Custom Menu Access Permission

This section describes how to create custom menu access permissions.

To add a menu access permission for an admin group, complete the following steps:

By default, all menu items are shown with Hide status.

Updating Menu Access Permission

You can edit only the custom menu access permissions and not the predefined menu access permissions.

To edit a menu access permission for an admin group, complete the following steps:

The Edit Menu Access Permission page appears.

Duplicating Menu Access Permission

Duplicating menu access permissions is a process that reuses the same set of menu items used by the original menu access.

To add a duplicate menu access permission for an admin group, complete the following steps:

A new menu access permission is added to the list with the word "_copy" affixed to the name of the selected permission. For example, if you want to create a duplicate of MnT Admin Menu Access, the duplicate will be created in the name of MnT Admin Menu Access_copy.

Deleting Menu Access Permission

You can delete only the custom menu access permissions and not the predefined menu access permissions.

To delete a menu access permission for an admin group, complete the following steps:

Configuring Data Access Permission

In Cisco ISE, the data access permissions enable multiple administrators to have the data access permissions within the same user population. You can enable or restrict the use of data access permissions to one or more admin groups. This process allows autonomous delegated control to administrators of one admin group to reuse data access permissions of the chosen admin groups through selective association. Data access permissions range from full access to no access for viewing selected admin groups or the network device groups. The following topics are covered in this section:

Viewing Predefined Data Access Permission

To create a data access permission, complete the following steps:

The Data Access page appears listing all existing data access permissions, both default and user-defined.

Table 4-14 lists the default data access permissions.

Table 4-14 Default Data Access Permissions 

Super Admin Data Access

Super Admin

Policy Admin Data Access

Policy Admin

None

Identity Admin Data Access

Identity Admin

None

Network Admin Data Access

Network Device Admin

None

System Admin Data Access

System Admin

None

RBAC Admin Data Access

RBAC Admin

None

Creating Custom Data Access Permission

This section describes how you create custom data access permissions.

The Create Data Access Permission page appears.

This creates the required data access permission.

Updating Data Access Permission

You can edit only the custom data access permissions and not the predefined data access permissions.

To update a data access permission, complete the following steps:

Duplicating Data Access Permission

Duplicating data access permissions is a process that reuses the same set of admin groups as the original data access permission.

To add a duplicate data access permission for an admin group, complete the following steps:

A new data access permission is added to the list with the word "_copy" affixed to the name of the selected permission. For example, if you want to create a duplicate of Policy Admin Data Access, the duplicate will be created in the name of Policy Admin Data Access_copy.

Deleting Data Access Permission

You can delete only the custom data access permissions and not the predefined data access permissions.

To delete a data access permission for an admin group, complete the following steps:

Configuring RBAC Policies

In Cisco ISE, an RBAC policy is represented in an if-then format, where if is the RBAC Admin Group value and then is the RBAC Permission value.

From the Cisco ISE Administration dashboard, choose Administration > System > Admin Access > Policy, which displays all default RBAC policies. These default policies cannot be modified or deleted. This page also provides the interfaces to create custom RBAC policies for an admin group.

The following topics provide procedures for performing these tasks:

Using Predefined RBAC Policies

Cisco ISE provides a set of system-defined RBAC policies to perform various Cisco ISE administrative functions. You can use these policies as is unless you plan for more granular access policies.

To create a custom RBAC policy, complete the following steps:

The RBAC Policies page appears. This page contains a set of ready-to-use predefined policies for default admin groups.

Table 4-15 lists the predefined policies, the associated admin groups, and the permissions.

Table 4-15 Predefined RBAC Policies 

Helpdesk Admin Policy

Helpdesk Admin

Identity Admin Policy

Identity Admin

MnT Admin Policy

MnT Admin

Network Device Policy

Network Device Admin

Policy Admin Policy

Policy Admin

RBAC Admin Policy

RBAC Admin

Super Admin Policy

Super Admin

System Admin Policy

System Admin

See , for more information on the default admin groups.

See for the list of predefined menu access permissions and for the list of predefined data access permissions.

Creating Custom RBAC Policy

Besides the default policies, you can create as many custom RBAC policies as you need and then apply them to personalized admin groups designed specifically for your workplace.

Prerequisites:

A drop-down list is displayed with the policy-based choices.

Table 4-16 lists the RBAC policy object selector options.

Table 4-16 RBAC Policy Object Selector Options

Insert New Policy Above: Adds a new policy row above the selected policy.

Insert New Policy Below: Adds a new policy row below the selected policy.

Duplicate Above: Adds a new policy above the selected policy with the word _copy affixed to the selected policy name. For example, if you want to add a duplicate policy above MnT Admin Policy, a new policy called MnT Admin Policy_copy is created.

Duplicate Below: Adds a new policy below the selected policy with the word _copy affixed to the selected policy name.

Delete: Deletes the selected policy. This option is disabled for default policies.

A new policy entry appears in the position that you designated in the standard panel of the RBAC Policy window.

To add permissions:

RBAC policy creation is now complete.
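To check what a set of RBAC policies grants once a custom policy is in place, the if-then form (admin group, then permissions) can be modelled directly. The following Python model is an added example, not Cisco ISE code: the menu item names other than Admin Access, the Branch Network Admins group, and the admin names are constructed, and combining the permissions of every admin group a user belongs to is an assumption about how multiple memberships add up.

```python
from dataclasses import dataclass

ADMIN_ACCESS_MENU = "Administration > System > Admin Access"


@dataclass(frozen=True)
class Permission:
    """A reusable menu access or data access permission."""
    name: str
    kind: str            # "menu" or "data"
    granted: frozenset   # menu items set to Show, or groups with data access


@dataclass(frozen=True)
class RbacPolicy:
    name: str
    admin_group: str     # the "if" part of the policy
    permissions: tuple   # the "then" part of the policy
    predefined: bool = False


def effective_access(admin_groups, policies):
    """Union of everything granted by policies matching the admin's groups.

    Menu items start as Hide, so anything not granted stays inaccessible.
    """
    access = {"menu": set(), "data": set()}
    for policy in policies:
        if policy.admin_group in admin_groups:
            for perm in policy.permissions:
                access[perm.kind] |= perm.granted
    return access


def admins_who_can_see(menu_item, admins, policies):
    """Names of admins whose combined group memberships show a menu item."""
    return sorted(
        name for name, groups in admins.items()
        if menu_item in effective_access(groups, policies)["menu"]
    )


def delete_policy(policies, name):
    """Return the policy list without `name`; predefined policies stay."""
    for policy in policies:
        if policy.name == name:
            if policy.predefined:
                raise PermissionError(f"{name} is a predefined policy")
            return [p for p in policies if p.name != name]
    raise KeyError(name)


# Constructed sample data (menu contents are illustrative, not ISE defaults).
SAMPLE_POLICIES = [
    RbacPolicy(
        "RBAC Admin Policy", "RBAC Admin",
        (Permission("RBAC Admin Menu Access", "menu",
                    frozenset({ADMIN_ACCESS_MENU})),
         Permission("RBAC Admin Data Access", "data", frozenset())),
        predefined=True,
    ),
    RbacPolicy(
        "Branch Network Policy", "Branch Network Admins",
        (Permission("Branch Network Menu Access", "menu",
                    frozenset({"Administration > Network Resources"})),
         Permission("Branch Network Data Access", "data",
                    frozenset({"Branch Devices"}))),
    ),
]

SAMPLE_ADMINS = {
    "alice": {"Branch Network Admins"},
    "bob": {"Branch Network Admins", "RBAC Admin"},  # second group widens access
    "carol": {"RBAC Admin"},
}

if __name__ == "__main__":
    # alice is kept out of Admin Access by the custom policy; bob is not,
    # because his RBAC Admin membership grants it through another policy.
    print(admins_who_can_see(ADMIN_ACCESS_MENU, SAMPLE_ADMINS, SAMPLE_POLICIES))
```

A custom policy that hides a menu only has the intended effect for administrators who are not also members of a group whose policy shows it, so review group membership together with the policy list.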

Updating RBAC Policy

In the Cisco ISE Administration dashboard, there is no specific button or control available to edit a policy. You can update only the custom RBAC policies and not the default RBAC policies. You can update all or any RBAC Policy fields by modifying the field values that you want to change.

To edit a custom RBAC policy, complete the following steps:

The RBAC Policies page appears.

Duplicating RBAC Policy

Use this procedure to add a duplicate RBAC policy.

To duplicate a policy, complete the following steps:

A duplicate policy row is added in the desired location with the word "_copy" affixed to the selected policy name.

Deleting RBAC Policy

You can delete only the custom RBAC policies and not the default RBAC policies.

To delete a policy, complete the following steps:

Configuring Settings for Accounts

This section describes how to configure general settings for different Cisco ISE accounts and covers the following topics:

Administrator Access Settings

Cisco ISE allows you to define some rules for administrator accounts to enhance security. You can restrict access to the management interfaces, force administrators to use strong passwords, regularly change their passwords, and so on. The password policy that you define under the Administrator Account Settings in Cisco ISE applies to all administrator accounts. This section describes how to define these rules for administrator accounts:

Refer to the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0 for a list of ports that must be open for specific services.

The username and password that you configure using Setup is intended only for administrative access to the Cisco ISE command-line interface (CLI), and this role is considered to be the CLI-admin user. By default, the username for the CLI-admin user is "admin" and the password is user-defined during Setup (there is no default password).

As the CLI-admin user, you can start and stop the Cisco ISE application, apply software patches and upgrades, reload or shut down the Cisco ISE appliance, and view all system and application logs. Because of the special privileges of the CLI-admin user, we recommend that you protect the CLI-admin user credentials and create web-based admin users for configuring and managing your Cisco ISE deployment.

Restricting Administrative Access to the Management Interfaces

Cisco ISE allows you to restrict administrative access to the management interfaces based on the IP address of the remote client. You can choose to do one of the following:

If you choose the Allow only listed IP addresses to connect option, you must add a list of IP addresses.

Every Cisco ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have any one of the following roles assigned: Super Admin or System Admin. See Table 4-11 for more information on the various administrative roles and the privileges associated with each of them.

To add a range of IP addresses to the IP List area, complete the following steps:

The Configure Access Restriction page appears.

The Add IP CIDR page appears.

Enter the subnet mask in the Netmask in CIDR format field.

Administrative access to Cisco ISE will now be restricted to the IP address ranges that are specified in this list after you click the Submit button.
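Before submitting an "Allow only listed IP addresses to connect" list, it is worth confirming that the workstations administrators actually use fall inside it. The following Python check is an added example, not part of Cisco ISE: the sample addresses are constructed, and rejecting an entry whose IP address has host bits set beyond its CIDR netmask is this script's own choice, since the page does not say how Cisco ISE treats such an entry.

```python
import ipaddress

ALLOW_ALL = "allow all IP addresses"
ALLOW_LISTED = "allow only listed IP addresses"


def parse_ip_list(entries):
    """Convert (ip, netmask_in_cidr) rows into networks.

    Returns (networks, errors). Rows that are not a clean network address,
    such as 10.20.31.7 with a /24 netmask, are reported for review instead
    of being silently widened to the enclosing network.
    """
    networks, errors = [], []
    for ip, prefix in entries:
        try:
            networks.append(ipaddress.ip_network(f"{ip}/{prefix}", strict=True))
        except ValueError as exc:
            errors.append(f"{ip}/{prefix}: {exc}")
    return networks, errors


def is_allowed(client_ip, mode, networks):
    """True if a remote client address may reach the management interface."""
    if mode == ALLOW_ALL:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def lockout_report(mode, entries, admin_sources):
    """Summarise which admin source addresses keep access under a draft list."""
    networks, errors = parse_ip_list(entries)
    report = {
        "errors": errors,
        # A /0 entry makes "allow only listed" behave like "allow all".
        "matches_everything": [str(n) for n in networks if n.prefixlen == 0],
        "allowed": [],
        "locked_out": [],
    }
    for source in admin_sources:
        key = "allowed" if is_allowed(source, mode, networks) else "locked_out"
        report[key].append(source)
    return report


# Constructed sample data: a draft IP list and known admin workstations.
SAMPLE_IP_LIST = [
    ("10.20.30.0", 24),   # management subnet
    ("192.0.2.10", 32),   # single jump host
    ("10.20.31.7", 24),   # host address entered with a subnet netmask
]
SAMPLE_ADMIN_SOURCES = ["10.20.30.15", "192.0.2.10", "192.0.2.11", "10.20.31.7"]

if __name__ == "__main__":
    for key, value in lockout_report(
        ALLOW_LISTED, SAMPLE_IP_LIST, SAMPLE_ADMIN_SOURCES
    ).items():
        print(f"{key}: {value}")
```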

Related Topics

Configuring a Password Policy for Administrator Accounts

You can create a password policy for administrator accounts to enhance security. The policy that you define here is applied to all administrator accounts in Cisco ISE.

To create the password policy for administrators, complete the following steps:

Configuring Session Timeout for Administrators

Cisco ISE allows you to determine the length of time an administration GUI session can be inactive and still remain connected. You can specify a time in minutes after which Cisco ISE logs out the administrator. After a session timeout, the administrator must log in again to access the Cisco ISE administrative user interface.

To configure session timeout, complete the following steps:

The Session Timeout page appears.

Configuring Network Access for User Accounts

Cisco ISE allows you to restrict network access for user accounts that are based on authentication settings that you configure for attributes and passwords associated with the user accounts. When defining user accounts, you can manage network access in the following ways:

There are two options for configuring network access for user accounts:

For information about configuring network access user accounts, see Configuring Network Access User Accounts.

User Custom Attributes Policy

When you choose User Custom Attributes Policy, the page displays two panes with the following options that you can use to define user account attributes:

Cisco ISE provides the following predefined and nonconfigurable attributes that help define a user account:

Cisco ISE also allows you to define custom attributes to help further define a user account by configuring the following:

User Password Policy

If you choose User Password Policy, the page displays the following two tabs where you can set options:

When you select the Password Policy tab, Cisco ISE provides the following configurable options that you set by entering values in text boxes or selecting check boxes. Your choice of values creates a password policy for managing network access per user account:

When you select the Advanced tab, Cisco ISE provides the following configurable options that you set by entering values in text boxes or selecting check boxes. Your choice of values creates an "advanced" password policy setting for managing network access per user account.

Configuring Network Access User Accounts

The following topics describe how to configure or manage a network access user account:

Configuring a User Password Policy for the Network Access User Account

Use this procedure to configure a password policy for any network access user account.

To configure a user password policy for a network access user account, complete the following steps:

The Password Policy page appears.

For example, to create a password policy that requires a strong password, enter the following values or check the following check boxes:

For example, to define unique passwords, enter the following values or check the following check boxes:

Filtering the Predefined Attributes

Predefined attributes are system-configured and cannot be modified. However, you can filter the list of predefined attributes and search for specific attributes. Use this procedure to filter and search for specific attributes of interest.

To search for specific predefined attributes, complete the following steps:

The Pre-defined Attributes page appears with a list of all predefined attributes.

Configuring Custom Attributes for the Network Access User Account

The Pre-defined Attributes page allows you to configure custom attributes as part of the authentication settings for the network access user account. The network access user account already contains a set of predefined attributes. You can configure custom attributes using the following process.

To configure custom attributes for a network access user account, complete the following steps:

The Pre-defined Attributes page appears.

An endpoint identity group is used to group all the identified endpoints on your network according to their profiles. Cisco ISE creates the following three identity groups in the system: Blacklist, Profiled, and Unknown. In addition, it creates two more identity groups, such as Cisco-IP-Phone and Workstation, which are associated to the Profiled (parent) identity group.

You can create an endpoint identity group and associate the group to one of the system-created identity groups. You can also assign an endpoint that you create directly (statically) to any one of the identity groups that exist in the system, and the Profiler service cannot reassign the identity group.

In addition, you can map an endpoint profile where you match the endpoint profile with an existing profile and group it to a matching identity group. If you have an endpoint profile that matches an existing profile, then the Profiler service can create a matching identity group.

This identity group becomes the child of the Profiled identity group. When you create an endpoint profiling policy, you can check the Create matching identity group check box in the Endpoint Policies page to create a matching identity group. You cannot delete the matching identity group unless the mapping of the profile is removed.

When an endpoint is mapped to an existing profile, the profiler service searches the hierarchy of profiles for the closest parent profile that has a matching group of profiles and assigns the endpoint to the appropriate profile.

Parent Group

By default, a Cisco ISE deployment creates the following three endpoint identity groups: Blacklist, Profiled, and Unknown. A parent group is the default identity group that exists in the system. The Profiler service includes the following endpoint identity groups:

In addition, the Profiler service includes the following endpoint identity groups, which are associated to the Profiled identity group:

Using Endpoint Identity Groups in Authorization Policies

The profiler service discovers endpoints and classifies them into their corresponding endpoint profiling policies based on the attributes that are collected and the existing endpoint profiling policies in Cisco ISE. The Cisco ISE application moves these discovered endpoints to the corresponding endpoint identity groups based on the endpoint profiling policies.

The endpoint identity groups can be effectively used in the authorization policies to provide appropriate network access privileges to the discovered endpoints. To use the endpoint identity groups more effectively in the authorization policies, you need to ensure that the endpoint profiling policies are either standalone policies (no parent to the policies), or that their parent policies are disabled.

This section includes the following topics that describe the procedures for managing endpoint identity groups:

Filtering, Creating, Editing, and Deleting Endpoint Identity Groups

The Endpoint Identity Groups page allows you to manage endpoint identity groups, and provides an option to filter the groups by their group names and description. This section describes the basic operations that allow you to group all the identified endpoints on your network and manage the identity groups.

The procedures for managing endpoint identity groups include the following tasks:

Filtering Endpoint Identity Groups

A quick filter is a simple and quick filter that can be used to filter identity groups on the Endpoint Identity Groups page. It filters identity groups based on the field descriptions, such as the name of the identity group and the description on the Endpoint Identity Groups page.

An advanced filter is a complex filter that can also be preset for use and retrieved later, along with the filtering results, on the Endpoint Identity Groups page. It filters based on a specific value that is associated with the field description. You can add or remove filters, as well as combine a set of filters into a single filter within the advanced filter. Once created and saved, the Show drop-down list includes all of the preset filters. You can choose a preset filter and view the results on the Endpoint Identity Groups page.

To filter identity groups on the Endpoint Identity Groups page, complete the following steps:

The Groups menu window appears.

The Endpoint Identity Groups page appears, which lists all the identity groups.

The Quick Filter and Advanced Filter options appear. See Table 4-17.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

The preset filter displays the filtered results on the Endpoint Identity Groups page. To return to the endpoint identity groups list, choose All from the Show drop-down to display all the endpoint identity groups without filtering.

A quick filter filters identity groups based on each field description on the Endpoint Identity Groups page. When you click inside any field, and as you enter the search criteria in the field, it refreshes the page with the result on the Endpoint Identity Groups page. If you clear the field, it displays the list of all the endpoint identity groups on the Endpoint Identity Groups page.

An advanced filter enables you to filter identity groups by using variables that are more complex. It contains one or more filters that filter identity groups based on the values that match the field descriptions. A filter on a single row filters identity groups based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter identity groups by using any one or all of the filters within a single advanced filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save. Do not include spaces when creating the name for a preset filter. Click Cancel to clear the filter without saving the current filter.

Table 4-17 describes the fields on the Endpoint Identity Groups page that allow you to filter the endpoint identity groups.

Table 4-17 Filtering Endpoint Identity Groups

Quick Filter

  • Name: This field enables you to filter identity groups by the name of the endpoint identity group.
  • Description: This field enables you to filter identity groups by the description of the endpoint identity group.

Advanced Filter

  • Choose the field description from the following: Click the drop-down arrow to choose the field description.
  • Operator: From the Operator field, click the drop-down arrow to choose an operator that can be used to filter identity groups.
  • Value: From the Value field, choose the value for the field description that you selected against which the endpoint identity groups are filtered.

Creating, Editing, and Deleting an Endpoint Identity Group

You can create, edit, or delete an endpoint identity group on the Endpoint Identity Groups page.

To create an endpoint identity group on the Endpoint Identity Groups page, complete the following steps:

Table 4-18 describes the fields on the Endpoint Identity Groups page that allow you to create an endpoint identity group:

Table 4-18 Creating Endpoint Identity Groups

  • Name: In the Name field, enter the name of the endpoint identity group that you want to create.
  • Description: In the Description field, enter the description of the endpoint identity group that you want to create.
  • Parent Group: Cisco ISE creates the following three endpoint identity groups on your deployment: Blacklist, Profiled, and Unknown. From the Parent Group field, choose an endpoint identity group. Click the drop-down arrow to view the endpoint identity groups, which are created on your Cisco ISE deployment.

To edit an endpoint identity group on the Endpoint Identity Groups page, complete the following steps:

To delete an endpoint identity group on the Endpoint Identity Groups page, complete the following steps:

Click Cancel to return to the Endpoint Identity Groups page without deleting the endpoint identity group.

Filtering Endpoints in an Endpoint Identity Group


This section describes the basic operations that allow you to manage endpoints in an endpoint identity group. The MAC address is used in all the basic operations.

You can add or remove statically added endpoints in any endpoint identity group. If an endpoint identity group assignment is not static, endpoints are reprofiled after they are added to, or removed from, an endpoint identity group. Endpoints that the profiler identifies dynamically appear in the appropriate endpoint identity groups. If you remove dynamically added endpoints from an endpoint identity group, Cisco ISE displays a message that you have successfully removed the endpoints from the identity group, but it reprofiles them back into that endpoint identity group. You can add endpoints to a specific identity group only from the Endpoints widget. If you add an endpoint to a specific endpoint identity group, the endpoint is moved from the endpoint identity group in which it was dynamically grouped earlier. When you remove an endpoint from the endpoint identity group to which you recently added it, the endpoint is reprofiled back to the appropriate identity group.

The Endpoint Identity Group page displays the name and description of all the endpoint identity groups. You can use the Edit menu on the Endpoint Identity Groups page to filter, add, or remove endpoints in the identity group.

The procedures for managing endpoints in the endpoint identity groups include the following tasks:

A quick filter is a simple and quick way to filter endpoints in any endpoint identity group on the Identity Group Endpoints page. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Identity Group Endpoints page. You can add or remove filters, as well as combine a set of filters into a single, advanced filter. Once created and saved, the Show drop-down lists all of the preset filters. You can choose a preset filter and view the results on the Identity Group Endpoints page. Both the filters use only the MAC address for filtering endpoints in any endpoint identity group.

To filter endpoints in an identity group on the Identity Group Endpoints page, complete the following steps:

The Endpoint Identity Groups page appears.

Click the arrow in front of Endpoints to display or hide the Identity Group Endpoints page.

The Quick Filter and Advanced Filter options appear. See Table 4-19.

The preset filter displays the filtered results on the Identity Group Endpoints page.

A quick filter filters endpoints based on the MAC address in an endpoint identity group.

When you enter search criteria, it refreshes the page with the results on the Identity Group Endpoints page.

If you choose to clear the field by using the Clear button, this displays the list of all the endpoints on the Identity Group Endpoints page.

An advanced filter allows you to filter endpoints based on the MAC address. A filter on a single row filters endpoints based on the MAC address that you define. Multiple filters can be used to match the MAC addresses and filter endpoints by using any one or all of the filters within a single advanced filter.

The Save Preset Filter dialog appears.

Table 4-19 describes the fields on the Endpoints Identity Groups page that allow you to filter endpoints in an endpoint identity group:

Table 4-19 Filtering Endpoints in an Endpoint Identity Group

Quick Filter

  • MAC address: This field enables you to filter endpoints based only on the MAC address of an endpoint. Enter the MAC address.

Advanced Filter

  • MAC address: Click the drop-down arrow to choose the MAC address.
  • Operator: From the Operator field, click the drop-down arrow to choose an operator that can be used to filter endpoints.
  • Value: From the Value field, enter the MAC address against which you want to filter endpoints.

You can add endpoints to an identity group from the Endpoints widget, or remove endpoints from the identity group. You cannot remove an endpoint from an identity group when the endpoint's profile matches an existing profile.

To add endpoints to an endpoint identity group, complete the following steps:

The Endpoints widget appears.

The endpoint appears in the endpoint identity group.

To remove endpoints from the endpoint identity group, complete the following steps:


Welcome to the CrowdStrike subreddit. CrowdStrike Falcon offers cloud-delivered solutions across endpoints, cloud workloads, identity and data; providing responders remote visibility across the enterprise and enabling instant access to the "who, what, when, where, and how" of a cyber attack.

Dynamic and Static Group Assignments

Hey guys. I was wondering what happens when a host is already in a static group, but would technically hit on some of the criteria for a newly created dynamic group. Does the static assignment win out? Or does it hop between both? What would take precedence?


Change static groups to dynamic membership groups in Microsoft Entra ID

You can change a group's membership from static to dynamic (or vice versa) in Microsoft Entra ID, part of Microsoft Entra. Microsoft Entra ID keeps the same group name and ID in the system, so all existing references to the group are still valid. If you create a new group instead, you would need to update those references. Creating dynamic membership groups eliminates the management overhead of adding and removing users. This article tells you how to convert existing groups from static to dynamic membership groups using either the portal or PowerShell cmdlets. In Microsoft Entra, a single tenant can have a maximum of 15,000 dynamic membership groups.

When changing an existing static group to a dynamic group, all existing members are removed from the group, and then the membership rule is processed to add new members. If the group is used to control access to apps or resources, be aware that the original members might lose access until the membership rule is fully processed.

We recommend that you test the new membership rule beforehand to make sure that the new membership in the group is as expected. If you encounter errors during your test, see Resolve group license problems.

Change the membership type for a group

The following steps can be performed using an account that has at least the Groups Administrator role assigned.

  • Sign in to the Microsoft Entra admin center as at least a Groups Administrator.
  • Select Microsoft Entra ID.
  • From the All groups list, open the group that you want to change.
  • Select Properties.
  • On the Properties page for the group, select a Membership type of either Assigned (static), Dynamic User, or Dynamic Device, depending on your desired membership type. For dynamic membership groups, you can use the rule builder to select options for a simple rule or write a membership rule yourself.

The following steps are an example of changing a group from static to dynamic membership groups for a group of users.

On the Properties page for your selected group, select a Membership type of Dynamic User, then select Yes on the dialog explaining the changes to the dynamic membership groups to continue.

Select Add dynamic query, and then provide the rule.

After creating the rule, select Add query at the bottom of the page.

Select Save on the Properties page for the group to save your changes. The Membership type of the group is immediately updated in the group list.

Group conversion might fail if the membership rule you entered was incorrect. A notification is displayed in the upper-right corner of the portal that contains an explanation of why the rule can't be accepted by the system. Read it carefully to understand how you can adjust the rule to make it valid. For examples of rule syntax and a complete list of the supported properties, operators, and values for a membership rule, see Manage rules for dynamic membership groups in Microsoft Entra ID.

Change membership type for a group (PowerShell)

To change dynamic group properties, you need to use cmdlets from the Microsoft Graph PowerShell module. For more information, see Install the Microsoft Graph PowerShell SDK.

Here is an example of functions that switch membership management on an existing group. In this example, care is taken to correctly manipulate the GroupTypes property and preserve any values that are unrelated to dynamic membership groups.

To make a group static:

To make a group dynamic:
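The following is an added example, not Microsoft's PowerShell functions: it builds the property changes for a Microsoft Graph group update in Python, preserving unrelated groupTypes values, and lists the members who would lose access because conversion removes all existing members before the rule is processed. The function names, the sample group and the sample rule are assumptions made for illustration.

```python
DYNAMIC = "DynamicMembership"   # groupTypes value that marks rule-driven membership


def dynamic_patch(group, membership_rule):
    """Property changes that turn a static group into a dynamic one."""
    types = list(group.get("groupTypes", []))
    if DYNAMIC in types:
        raise ValueError("group is already dynamic")
    if not membership_rule or not membership_rule.strip():
        raise ValueError("a dynamic group needs a membership rule")
    return {
        # Append instead of overwriting, so values such as "Unified" survive.
        "groupTypes": types + [DYNAMIC],
        "membershipRule": membership_rule,
        "membershipRuleProcessingState": "On",
    }


def static_patch(group):
    """Property changes that turn a dynamic group back into a static one."""
    types = list(group.get("groupTypes", []))
    if DYNAMIC not in types:
        raise ValueError("group is already static")
    return {
        # Remove only the dynamic marker; every other value is kept.
        "groupTypes": [t for t in types if t != DYNAMIC],
        "membershipRuleProcessingState": "Paused",
    }


def members_losing_access(current_members, expected_rule_matches):
    """Current static members that the tested rule is not expected to re-add.

    Conversion removes every existing member first, so anyone in this list
    loses whatever access the group grants once the rule has been processed.
    """
    return sorted(set(current_members) - set(expected_rule_matches))


# Constructed sample data (not from the article).
SAMPLE_GROUP = {"displayName": "Example-Sales", "groupTypes": ["Unified"]}
SAMPLE_RULE = 'user.department -eq "Sales"'

if __name__ == "__main__":
    print(dynamic_patch(SAMPLE_GROUP, SAMPLE_RULE))
    print(members_losing_access(["ana", "ben", "cy"], ["ana", "cy", "dee"]))
```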

These articles provide additional information on groups in Microsoft Entra ID.

  • See existing groups
  • Create a new group and adding members
  • Manage settings of a group
  • Manage memberships of a group
  • Manage rules for dynamic membership groups


CISCO ISE Identity Management Group assignment

The scenario in brief.

Three types of devices can exist on our wireless networks:

  • AD joined, corporate owned (Windows PC/Laptop/Surface)
  • Non-AD Joined, corporate owned (iPad/Chromebook and their flavors)
  • Non-Corporate Owned, non-AD Joined (BYOD)

The third device (BYOD) will always exist only on a Guest network managed by PRIME and never talk with ISE other than to be denied.

The first device (Windows AD) will be domain joined and have Group Policy applying wi-fi configurations based on Device and user.

The second device is easy enough to manage with MDM solutions and Google's own For Work admin center.

My Question

We are deploying over 2000 units of the second type (iPad and Chromebook) and have a hiccup in our deployment routine to date. We have been running an MDM export of the MAC and import into ISE, but this feels clunky and very manual. Our current setup has an Identity Endpoint group Static assignment for these devices. The process is attaching the device to a less-secure, internet only Access Point then waiting for the network support to export/import MACs slows the process down - especially when the export misses a few units (because why not in the networking world, right?).

I'm getting mixed information from some documentation and user experiences around Onboarding, BYOD, Identity Group assignments and policies, etc. I'm fine with "it can't be done, move along" and we are looking at Certificates but the VAR who set ISE up was never scoped for Certificate. We have the staff in house to set it up, just not the time. Is there anything we can do temporarily (to get through this summer) to expedite getting these devices authorized in ISE via a Static Group Assignment automatically (or automagically)?

Some of the ideas I was curious about is whether we can enable a policy that says devices connecting to SSID "xyz" with AD User "adm" get group assignment "devType2".

Any thoughts you may have are greatly appreciated.

  • ieee-802.11


  • 1 The short answer is, Yes, you can assign group based on A/D group and SSID. –  Ron Trunk Commented May 26, 2016 at 13:53
  • As @RonTrunk said, you can assign groups or, more general, authorization profiles, based on both AD group and SSID. Regarding your question about MAC addresses: We have a quite similar problem, and are currently trying to solve this using the ISE API. We have MAC addresses in another store (actually DHCP as reserved entries) and want to import them automatically to an endpoint group using the API. Maybe this could be a solution for your problem. –  Daniel Commented Jun 22, 2016 at 18:42


Add Endpoint to Identity Group

Workflow #0029

Response Workflow

This workflow adds a static identity group assignment to a MAC address in Cisco Identity Services Engine (ISE). For example, if you’re using identity groups to determine which authorization profile to apply, you can use this response workflow to alter an endpoint’s permissions. Supported observable: mac_address

Date Notes
May 26, 2021 - Initial release
Sep 10, 2021 - Updated to use the new
Sep 1, 2022 - Minor updates to naming and descriptions
Nov 4, 2022 - Fixed the activity ( )

See the Important Notes page for more information about updating workflows

Requirements

  • ISE - ERS - Endpoint - Create Endpoint
  • ISE - ERS - Endpoint - Search
  • ISE - ERS - Endpoint - Update Identity Group
  • ISE - ERS - Endpoint Identity Group - Get by Name
  • The targets and account keys listed at the bottom of the page
  • Cisco Identity Services Engine (ISE)

Workflow Steps

  • Make sure the observable type provided is supported
  • Make sure the identity group exists and get its ID
  • Search for the endpoint by MAC address
  • If it does, update its group assignment
  • If it doesn’t, create it and add it to the identity group
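The five steps above, as an added Python example (not the workflow's own code). The `FakeErs` class is a constructed in-memory stand-in for ISE whose method names are hypothetical, each matching one of the atomic actions listed under Requirements; the `groupId` and `staticGroupAssignment` field names are assumed to match the ERS endpoint resource and should be checked against your ISE version. The "unchanged" result is an addition that keeps repeated runs from issuing needless updates.

```python
import re

SUPPORTED_OBSERVABLE = "mac_address"   # the only observable type the page lists


def normalize_mac(raw):
    """Return the MAC as upper-case colon-separated octets, or raise ValueError."""
    digits = re.sub(r"[.:\-\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class FakeErs:
    """Constructed stand-in for ISE; one method per required atomic action."""

    def __init__(self, groups, endpoints=()):
        self.groups = dict(groups)                        # group name -> group id
        self.endpoints = {e["id"]: dict(e) for e in endpoints}
        self.calls = []                                   # record of mutating calls

    def get_group_id_by_name(self, name):                 # Endpoint Identity Group - Get by Name
        return self.groups.get(name)

    def search_endpoint(self, mac):                       # Endpoint - Search
        for endpoint in self.endpoints.values():
            if endpoint["mac"] == mac:
                return dict(endpoint)
        return None

    def update_identity_group(self, endpoint_id, group_id):   # Endpoint - Update Identity Group
        self.endpoints[endpoint_id].update(groupId=group_id,
                                           staticGroupAssignment=True)
        self.calls.append(("update", endpoint_id))

    def create_endpoint(self, mac, group_id):             # Endpoint - Create Endpoint
        endpoint_id = f"ep-{len(self.endpoints) + 1}"
        self.endpoints[endpoint_id] = {"id": endpoint_id, "mac": mac,
                                       "groupId": group_id,
                                       "staticGroupAssignment": True}
        self.calls.append(("create", endpoint_id))
        return endpoint_id


def add_endpoint_to_identity_group(ers, observable_type, observable_value, group_name):
    """Run the workflow steps and return (action, endpoint_id)."""
    # Step 1: reject unsupported observable types before touching ISE.
    if observable_type != SUPPORTED_OBSERVABLE:
        raise ValueError(f"unsupported observable type: {observable_type!r}")
    mac = normalize_mac(observable_value)

    # Step 2: the identity group must already exist; never create it implicitly.
    group_id = ers.get_group_id_by_name(group_name)
    if group_id is None:
        raise LookupError(f"identity group not found: {group_name!r}")

    # Step 3: look the endpoint up by its normalized MAC address.
    existing = ers.search_endpoint(mac)
    if existing is not None:
        # Step 4: update the assignment, unless it is already the static one wanted.
        if existing.get("groupId") == group_id and existing.get("staticGroupAssignment"):
            return ("unchanged", existing["id"])
        ers.update_identity_group(existing["id"], group_id)
        return ("updated", existing["id"])

    # Step 5: unknown endpoint, so create it directly inside the group.
    return ("created", ers.create_endpoint(mac, group_id))


if __name__ == "__main__":
    # Constructed sample data: one profiled endpoint and one target group.
    ise = FakeErs({"Example-Static-Group": "g-42"},
                  [{"id": "ep-1", "mac": "00:11:22:33:44:55",
                    "groupId": "g-profiled", "staticGroupAssignment": False}])
    print(add_endpoint_to_identity_group(ise, "mac_address", "0011.2233.4455",
                                         "Example-Static-Group"))
```

Because the resulting assignment is static, the Profiler service will no longer move the endpoint to another identity group, so a response action of this kind stays in force until it is explicitly reversed.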

Configuration

  • Set the Identity Group Name local variable to the name of the endpoint identity group to add endpoints to
  • If you want to change the name of this workflow in the pivot menu, change its display name

Note: If your Cisco ISE deployment is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use ISE with orchestration.

Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
Cisco ISE ERS HTTP Endpoint


None
ISE_ERS_Credentials  

Account Keys

  • Account Key Name: ISE_ERS_Credentials
  • Type: HTTP Basic Authentication
  • Details: ISE Username, ISE Password
  • Notes: Must have ERS Admin permission

Tutorial: Set a Static IP Address for a User Through a Group Subnet

Set up a unique subnet using a group IP address network and Access Server will then have a subnet it can use for static IP address assignment.

This tutorial shows how to set up static IP address assignments for Access Server users through a group assignment. Alternatively, you can use a global static IP address network to assign a static IP address to a user.

Refer to this tutorial to set up a group dynamic IP address assignment.

Default Client Address Assignment

Access Server works with Layer 3 routing mode by default. In this mode, VPN clients are assigned addresses from a private subnet, which is different from other subnets used in your networks.

Access Server automatically assigns dynamic IP addresses to clients when they connect. This is usually done in sequential order until it reaches the end of the subnet portion available to the OpenVPN daemon the client connects with, at which point it starts reusing older addresses.

This behavior is similar to DHCP, but Access Server doesn't technically run a DHCP server. It's more like a rough emulation of assigning addresses automatically.

To find the subnet for VPN clients:

Sign in to the Admin Web UI.

Click Configuration > VPN Settings.

The IP address and netmask bits are displayed under Dynamic IP Address Network.

If you're configuring static IP address assignments for Access Server in layer 2 mode, you must set the IP address on the client system's virtual network adapter. (We no longer recommend or offer support for using Access Server in layer 2 mode.)

In our documentation, we use example IPv4 addresses and subnets reserved for documentation, such as 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24.

Ensure you replace them with valid IPv4 addresses and subnets for your network(s).

Prerequisites

An installed Access Server.

User accounts.

At least one group account.

Step 1: Assign a group subnet

Click User Management > Group Permission.

Click More Settings for the group to assign the subnet.

Additional group settings display.

Enter the subnet for the static IP address network in Subnets assigned to this group (optional) under VPN IP Addresses.

Click Save Settings and Update Running Server.

Each subnet's first and last IP address in Access Server is reserved. Suppose you specify the subnet 198.51.100.0/24. You should ensure you don't assign 198.51.100.1 or 198.51.100.254 to VPN clients.

We don't support public IP address subnets here. Access Server operates in a private network because it's a virtual private network solution. It's possible to force public IP addresses into Access Server's configuration, but we don't support that solution.

If helpful, you can refer to our subnet mask cheat sheet.

Step 2: Assign a static IP address to the user

Click User Management > User Permissions.

Click More Settings for the user to assign the static IP address.

Additional user settings display.

Under IP Addressing click Use Static.

Enter the static IP address into the VPN Static IP Address field.

Ensure the IP address falls within the static IP address network you previously defined.

Access Server now assigns the static IP address to your user when they connect.

Step 3: Assign the user to the group

Finally, ensure the user is in the group you assigned the subnet:

Click the Group drop-down for the user.

Select the group from step 1.
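Before entering the values from steps 1 to 3 in the Admin Web UI, the planned assignments can be checked against the constraints this tutorial states. The following Python check is an added example, not part of Access Server or its documentation; the function name, the result strings and the sample users are assumptions, and the duplicate-address check is an addition the tutorial does not mention.

```python
import ipaddress


def check_static_assignments(group_subnet, assignments):
    """Return {user: problem} for each planned static IP that should not be used.

    group_subnet is the subnet from step 1; assignments maps each user in the
    group to the address planned for the VPN Static IP Address field in step 2.
    """
    net = ipaddress.ip_network(group_subnet, strict=True)
    if net.is_global:
        # The tutorial states that public IP address subnets are not supported.
        raise ValueError(f"{net} is a public subnet")

    # First and last address of the subnet are reserved by Access Server
    # (.1 and .254 in a /24); the network and broadcast addresses are unusable.
    reserved = {
        net.network_address,
        net.network_address + 1,
        net.broadcast_address - 1,
        net.broadcast_address,
    }

    problems = {}
    owner = {}                      # address -> first user that claimed it
    for user, raw in assignments.items():
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            problems[user] = "not an IP address"
            continue
        if ip not in net:
            problems[user] = "outside group subnet"
        elif ip in reserved:
            problems[user] = "reserved address"
        elif ip in owner:
            problems[user] = f"duplicate of {owner[ip]}"
        else:
            owner[ip] = user
    return problems


# Constructed sample plan using the documentation ranges from this tutorial.
SAMPLE_PLAN = {
    "alice": "198.51.100.10",
    "bob": "198.51.100.1",
    "carol": "198.51.100.254",
    "dave": "203.0.113.5",
    "erin": "198.51.100.10",
}

if __name__ == "__main__":
    for user, problem in check_static_assignments("198.51.100.0/24", SAMPLE_PLAN).items():
        print(f"{user}: {problem}")
```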


ENOSUCHBLOG

Programming, philosophy, pedaling.

Understanding static single assignment forms

Oct 23, 2020     Tags: llvm, programming

This post is at least a year old.

With thanks to Niki Carroll, winny, and kurufu for their invaluable proofreading and advice.

By popular demand, I’m doing another LLVM post. This time, it’s static single assignment (or SSA) form, a common feature in the intermediate representations of optimizing compilers.

Like the last one, SSA is a topic in compiler and IR design that I mostly understand but could benefit from some self-guided education on. So here we are.

How to represent a program

At the highest level, a compiler’s job is singular: to turn some source language input into some machine language output. Internally, this breaks down into a sequence of clearly delineated [1] tasks:

  1. Lexing the source into a sequence of tokens
  2. Parsing the token stream into an abstract syntax tree, or AST [2]
  3. Validating the AST (e.g., ensuring that all uses of identifiers are consistent with the source language’s scoping and definition rules) [3]
  4. Translating the AST into machine code, with all of its complexities (instruction selection, register allocation, frame generation, &c)

In a single-pass compiler, (4) is monolithic: machine code is generated as the compiler walks the AST, with no revisiting of previously generated code. This is extremely fast (in terms of compiler performance) in exchange for a few significant limitations:

Optimization potential: because machine code is generated in a single pass, it can’t be revisited for optimizations. Single-pass compilers tend to generate extremely slow and conservative machine code.

By way of example: the System V ABI (used by Linux and macOS) defines a special 128-byte region beyond the current stack pointer (%rsp), known as the red zone, that can be used by leaf functions whose stack frames fit within it. This, in turn, saves a few stack management instructions in the function prologue and epilogue.

A single-pass compiler will struggle to take advantage of this ABI-supplied optimization: it needs to emit a stack slot for each automatic variable as they’re visited, and cannot revisit its function prologue for erasure if all variables fit within the red zone.

Language limitations: single-pass compilers struggle with common language design decisions, like allowing use of identifiers before their declaration or definition. For example, the following is valid C++:

    class Rect {
    public:
      // area() uses width() and height() before they are declared.
      int area() { return width() * height(); }
      int width() { return 5; }
      int height() { return 5; }
    };

C and C++ generally require pre-declaration and/or definition for identifiers, but member function bodies may reference the entire class scope. This will frustrate a single-pass compiler, which expects Rect::width and Rect::height to already exist in some symbol lookup table for call generation.

Consequently, (virtually) all modern compilers are multi-pass.

Pictured: Leeloo Dallas from The Fifth Element holding up her multi-pass.

Multi-pass compilers break the translation phase down even more:

  • The AST is lowered into an intermediate representation, or IR
  • Analyses (or passes) are performed on the IR, refining it according to some optimization profile (code size, performance, &c)
  • The IR is either translated to machine code or lowered to another IR, for further target specialization or optimization [4]

So, we want an IR that’s easy to correctly transform and that’s amenable to optimization. Let’s talk about why IRs that have the static single assignment property fill that niche.

At its core, the SSA form of any source program introduces only one new constraint: all variables are assigned (i.e., stored to) exactly once.

By way of example: the following (not actually very helpful) function is not in a valid SSA form with respect to the flags variable:

    #include <fcntl.h>   /* open, O_RDWR, O_CREAT */
    #include <unistd.h>  /* access, F_OK */

    int helpful_open(char *fname) {
      int flags = O_RDWR;

      if (!access(fname, F_OK)) {
        flags |= O_CREAT;
      }

      int fd = open(fname, flags, 0644);
      return fd;
    }

Why? Because flags is stored to twice: once for initialization, and (potentially) again inside the conditional body.

As programmers, we could rewrite helpful_open to only ever store once to each automatic variable:

    int helpful_open(char *fname) {
      if (!access(fname, F_OK)) {
        int flags = O_RDWR | O_CREAT;
        return open(fname, flags, 0644);
      } else {
        int flags = O_RDWR;
        return open(fname, flags, 0644);
      }
    }

But this is clumsy and repetitive: we essentially need to duplicate every chain of uses that follow any variable that is stored to more than once. That’s not great for readability, maintainability, or code size.

So, we do what we always do: make the compiler do the hard work for us. Fortunately there exists a transformation from every valid program into an equivalent SSA form, conditioned on two simple rules.

Rule #1: Whenever we see a store to an already-stored variable, we replace it with a brand new “version” of that variable.

Using rule #1 and the example above, we can rewrite flags using _N suffixes to indicate versions:

    int helpful_open(char *fname) {
      int flags_0 = O_RDWR;

      // Declared up here to avoid dealing with C scopes.
      int flags_1;
      if (!access(fname, F_OK)) {
        flags_1 = flags_0 | O_CREAT;
      }

      int fd = open(fname, flags_1, 0644);
      return fd;
    }

But wait a second: we’ve made a mistake!

  • open(..., flags_1, ...) is incorrect: it unconditionally assigns O_CREAT, which wasn’t in the original function semantics.
  • open(..., flags_0, ...) is also incorrect: it never assigns O_CREAT, and thus is wrong for the same reason.

So, what do we do? We use rule #2!

Rule #2: Whenever we need to choose a variable based on control flow, we use the Phi function (φ) to introduce a new variable based on our choice.

Using our example once more:

    int helpful_open(char *fname) {
      int flags_0 = O_RDWR;

      // Declared up here to avoid dealing with C scopes.
      int flags_1;

      if (!access(fname, F_OK)) {
        flags_1 = flags_0 | O_CREAT;
      }

      int flags_2 = φ(flags_0, flags_1);

      int fd = open(fname, flags_2, 0644);

      return fd;
    }

Our quandary is resolved: open always takes flags_2, where flags_2 is a fresh SSA variable produced by applying φ to flags_0 and flags_1.

Observe, too, that φ is a symbolic function: compilers that use SSA forms internally do not emit real φ functions in generated code[5]. φ exists solely to reconcile rule #1 with the existence of control flow.

As such, it’s a little bit silly to talk about SSA forms with C examples (since C and other high-level languages are what we’re translating from in the first place). Let’s dive into how LLVM’s IR actually represents them.

SSA in LLVM

First of all, let’s see what happens when we run our very first helpful_open through clang with no optimizations:

    define dso_local i32 @helpful_open(i8* %fname) #0 {
    entry:
      %fname.addr = alloca i8*, align 8
      %flags = alloca i32, align 4
      %fd = alloca i32, align 4
      store i8* %fname, i8** %fname.addr, align 8
      store i32 2, i32* %flags, align 4
      %0 = load i8*, i8** %fname.addr, align 8
      %call = call i32 @access(i8* %0, i32 0) #4
      %tobool = icmp ne i32 %call, 0
      br i1 %tobool, label %if.end, label %if.then

    if.then:                                          ; preds = %entry
      %1 = load i32, i32* %flags, align 4
      %or = or i32 %1, 64
      store i32 %or, i32* %flags, align 4
      br label %if.end

    if.end:                                           ; preds = %if.then, %entry
      %2 = load i8*, i8** %fname.addr, align 8
      %3 = load i32, i32* %flags, align 4
      %call1 = call i32 (i8*, i32, ...) @open(i8* %2, i32 %3, i32 420)
      store i32 %call1, i32* %fd, align 4
      %4 = load i32, i32* %fd, align 4
      ret i32 %4
    }

(View it on Godbolt.)

So, we call open with %3, which comes from…a load from an i32* named %flags? Where’s the φ?

This is something that consistently slips me up when reading LLVM’s IR: only values, not memory, are in SSA form. Because we’ve compiled with optimizations disabled, %flags is just a stack slot that we can store into as many times as we please, and that’s exactly what LLVM has elected to do above.

As such, LLVM’s SSA-based optimizations aren’t all that useful when passed IR that makes direct use of stack slots. We want to maximize our use of SSA variables, whenever possible, to make future optimization passes as effective as possible.

This is where mem2reg comes in:

This file (optimization pass) promotes memory references to be register references. It promotes alloca instructions which only have loads and stores as uses. An alloca is transformed by using dominator frontiers to place phi nodes, then traversing the function in depth-first order to rewrite loads and stores as appropriate. This is just the standard SSA construction algorithm to construct “pruned” SSA form.

(Parenthetical mine.)

mem2reg gets run at -O1 and higher, so let’s do exactly that:

    define dso_local i32 @helpful_open(i8* nocapture readonly %fname) local_unnamed_addr #0 {
    entry:
      %call = call i32 @access(i8* %fname, i32 0) #4
      %tobool.not = icmp eq i32 %call, 0
      %spec.select = select i1 %tobool.not, i32 66, i32 2
      %call1 = call i32 (i8*, i32, ...) @open(i8* %fname, i32 %spec.select, i32 420) #4, !dbg !22
      ret i32 %call1, !dbg !23
    }

Foiled again! Our stack slots are gone thanks to mem2reg, but LLVM has actually optimized too far: it figured out that our flags value is wholly dependent on the return value of our access call and erased the conditional entirely.

Instead of a φ node, we got this select:

    %spec.select = select i1 %tobool.not, i32 66, i32 2

which the LLVM Language Reference describes concisely:

The ‘select’ instruction is used to choose one value based on a condition, without IR-level branching.

So we need a better example. Let’s do something that LLVM can’t trivially optimize into a select (or sequence of selects), like adding an else if with a function that we’ve only provided the declaration for:

    #include <fcntl.h>
    #include <stddef.h>
    #include <unistd.h>

    // Declaration only: the compiler cannot see the definition.
    size_t filesize(char *);

    int helpful_open(char *fname) {
      int flags = O_RDWR;

      if (!access(fname, F_OK)) {
        flags |= O_CREAT;
      } else if (filesize(fname) > 0) {
        flags |= O_TRUNC;
      }

      int fd = open(fname, flags, 0644);

      return fd;
    }

    define dso_local i32 @helpful_open(i8* %fname) local_unnamed_addr #0 {
    entry:
      %call = call i32 @access(i8* %fname, i32 0) #5
      %tobool.not = icmp eq i32 %call, 0
      br i1 %tobool.not, label %if.end4, label %if.else

    if.else:                                          ; preds = %entry
      %call1 = call i64 @filesize(i8* %fname) #5
      %cmp.not = icmp eq i64 %call1, 0
      %spec.select = select i1 %cmp.not, i32 2, i32 514
      br label %if.end4

    if.end4:                                          ; preds = %if.else, %entry
      %flags.0 = phi i32 [ 66, %entry ], [ %spec.select, %if.else ]
      %call5 = call i32 (i8*, i32, ...) @open(i8* %fname, i32 %flags.0, i32 420) #5
      ret i32 %call5
    }

That’s more like it! Here’s our magical φ:

    %flags.0 = phi i32 [ 66, %entry ], [ %spec.select, %if.else ]

LLVM’s phi is slightly more complicated than the φ(flags_0, flags_1) that I made up before, but not by much: it takes a list of pairs (two, in this case), with each pair containing a possible value and that value’s originating basic block (which, by construction, is always a predecessor block in the context of the φ node).

The Language Reference backs us up:

The type of the incoming values is specified with the first type field. After this, the ‘phi’ instruction takes a list of pairs as arguments, with one pair for each predecessor basic block of the current block. Only values of first class type may be used as the value arguments to the PHI node. Only labels may be used as the label arguments. There must be no non-phi instructions between the start of a basic block and the PHI instructions: i.e. PHI instructions must be first in a basic block.

Observe, too, that LLVM is still being clever: one of our φ choices is a computed select (%spec.select), so LLVM still managed to partially erase the original control flow.

So that’s cool. But there’s a piece of control flow that we’ve conspicuously ignored.

What about loops?

    int do_math(int count, int base) {
      for (int i = 0; i < count; i++) {
        base += base;
      }

      return base;
    }

    define dso_local i32 @do_math(i32 %count, i32 %base) local_unnamed_addr #0 {
    entry:
      %cmp5 = icmp sgt i32 %count, 0
      br i1 %cmp5, label %for.body, label %for.cond.cleanup

    for.cond.cleanup:                                 ; preds = %for.body, %entry
      %base.addr.0.lcssa = phi i32 [ %base, %entry ], [ %add, %for.body ]
      ret i32 %base.addr.0.lcssa

    for.body:                                         ; preds = %entry, %for.body
      %i.07 = phi i32 [ %inc, %for.body ], [ 0, %entry ]
      %base.addr.06 = phi i32 [ %add, %for.body ], [ %base, %entry ]
      %add = shl nsw i32 %base.addr.06, 1
      %inc = add nuw nsw i32 %i.07, 1
      %exitcond.not = icmp eq i32 %inc, %count
      br i1 %exitcond.not, label %for.cond.cleanup, label %for.body, !llvm.loop !26
    }

Not one, not two, but three φs! In order of appearance:

  1. Because we supply the loop bounds via count, LLVM has no way to ensure that we actually enter the loop body. Consequently, our very first φ selects between the initial %base and %add. LLVM’s phi syntax helpfully tells us that %base comes from the entry block and %add from the loop, just as we expect. I have no idea why LLVM selected such a hideous name for the resulting value (%base.addr.0.lcssa).

  2. Our index variable is initialized once and then updated with each for iteration, so it also needs a φ. Our selections here are %inc (which each body computes from %i.07) and the 0 literal (i.e., our initialization value).

  3. Finally, the heart of our loop body: we need to get base, where base is either the initial base value (%base) or the value computed as part of the prior loop (%add). One last φ gets us there.

The rest of the IR is bookkeeping: we need separate SSA variables to compute the addition (%add), increment (%inc), and exit check (%exitcond.not) with each loop iteration.

So now we know what an SSA form is, and how LLVM represents them[6]. Why should we care?

As I briefly alluded to early in the post, it comes down to optimization potential: the SSA forms of programs are particularly suited to a number of effective optimizations.

Let’s go through a select few of them.

Dead code elimination

One of the simplest things that an optimizing compiler can do is remove code that cannot possibly be executed. This makes the resulting binary smaller (and usually faster, since more of it can fit in the instruction cache).

“Dead” code falls into several categories[7], but a common one is assignments that cannot affect program behavior, like redundant initialization:

    #include <stdlib.h>

    int main(void) {
      int x = 100;

      if (rand() % 2) {
        x = 200;
      } else if (rand() % 2) {
        x = 300;
      } else {
        x = 400;
      }

      return x;
    }

Without an SSA form, an optimizing compiler would need to check whether any use of x reaches its original definition (x = 100). Tedious. In SSA form, the impossibility of that is obvious:

    int main(void) {
      int x_0 = 100;

      // Just ignore the scoping. Computers aren't real life.
      if (rand() % 2) {
        int x_1 = 200;
      } else if (rand() % 2) {
        int x_2 = 300;
      } else {
        int x_3 = 400;
      }

      return φ(x_1, x_2, x_3);
    }

And sure enough, LLVM eliminates the initial assignment of 100 entirely:

    define dso_local i32 @main() local_unnamed_addr #0 {
    entry:
      %call = call i32 @rand() #3
      %0 = and i32 %call, 1
      %tobool.not = icmp eq i32 %0, 0
      br i1 %tobool.not, label %if.else, label %if.end6

    if.else:                                          ; preds = %entry
      %call1 = call i32 @rand() #3
      %1 = and i32 %call1, 1
      %tobool3.not = icmp eq i32 %1, 0
      %. = select i1 %tobool3.not, i32 400, i32 300
      br label %if.end6

    if.end6:                                          ; preds = %if.else, %entry
      %x.0 = phi i32 [ 200, %entry ], [ %., %if.else ]
      ret i32 %x.0
    }

Constant propagation

Compilers can also optimize a program by substituting uses of a constant variable for the constant value itself. Let’s take a look at another blob of C:

    #include <stdlib.h>

    int some_math(int x) {
      int y = 7;
      int z = 10;
      int a;

      if (rand() % 2) {
        a = y + z;
      } else if (rand() % 2) {
        a = y + z;
      } else {
        a = y - z;
      }

      return x + a;
    }

As humans, we can see that y and z are trivially assigned and never modified[8]. For the compiler, however, this is a variant of the reaching definition problem from above: before it can replace y and z with 7 and 10 respectively, it needs to make sure that y and z are never assigned a different value.

Let’s do our SSA reduction:

    int some_math(int x) {
      int y_0 = 7;
      int z_0 = 10;
      int a_0;

      if (rand() % 2) {
        int a_1 = y_0 + z_0;
      } else if (rand() % 2) {
        int a_2 = y_0 + z_0;
      } else {
        int a_3 = y_0 - z_0;
      }

      int a_4 = φ(a_1, a_2, a_3);

      return x + a_4;
    }

This is virtually identical to our original form, but with one critical difference: the compiler can now see that every load of y and z is the original assignment. In other words, they’re all safe to replace!

    int some_math(int x) {
      int y = 7;
      int z = 10;
      int a_0;

      if (rand() % 2) {
        int a_1 = 7 + 10;
      } else if (rand() % 2) {
        int a_2 = 7 + 10;
      } else {
        int a_3 = 7 - 10;
      }

      int a_4 = φ(a_1, a_2, a_3);

      return x + a_4;
    }

So we’ve gotten rid of a few potential register operations, which is nice. But here’s the really critical part: we’ve set ourselves up for several other optimizations:

Now that we’ve propagated some of our constants, we can do some trivial constant folding: 7 + 10 becomes 17, and so forth.

In SSA form, it’s trivial to observe that only x and a_{1..4} can affect the program’s behavior. So we can apply our dead code elimination from above and delete y and z entirely!

This is the real magic of an optimizing compiler: each individual optimization is simple and largely independent, but together they produce a virtuous cycle that can be repeated until gains diminish.

One potential virtuous cycle.
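The propagate, fold, eliminate cycle described above can be run to a fixed point on a toy SSA listing of some_math and of the earlier main example. This is an added example, not code from the original post or from LLVM; the tuple encoding, the r_0 and x_4 result names, and the function names are assumptions made for illustration.

```python
import operator

FOLD = {"add": operator.add, "sub": operator.sub}

# Constructed SSA listings, one (dest, op, args) tuple per definition.
# Control flow is omitted: phi stays symbolic, exactly as in the C sketches.
SOME_MATH = [
    ("y_0", "const", (7,)),
    ("z_0", "const", (10,)),
    ("a_1", "add", ("y_0", "z_0")),
    ("a_2", "add", ("y_0", "z_0")),
    ("a_3", "sub", ("y_0", "z_0")),
    ("a_4", "phi", ("a_1", "a_2", "a_3")),
    ("r_0", "add", ("x", "a_4")),       # return x + a_4; x is a parameter
]
DEAD_INIT = [
    ("x_0", "const", (100,)),           # the redundant initialization
    ("x_1", "const", (200,)),
    ("x_2", "const", (300,)),
    ("x_3", "const", (400,)),
    ("x_4", "phi", ("x_1", "x_2", "x_3")),
]

def propagate_and_fold(prog):
    """Replace uses of constant names with their values, then fold."""
    consts = {}  # SSA name -> value; valid everywhere because a name has one def
    out = []
    for dest, op, args in prog:
        args = tuple(consts.get(a, a) for a in args)
        known = all(isinstance(a, int) for a in args)
        if op == "const":
            consts[dest] = args[0]
        elif op in FOLD and known:
            consts[dest] = FOLD[op](*args)
            op, args = "const", (consts[dest],)
        elif op == "phi" and known and len(set(args)) == 1:
            consts[dest] = args[0]      # every incoming value is the same constant
            op, args = "const", (args[0],)
        out.append((dest, op, args))
    return out

def eliminate_dead(prog, roots):
    """Keep only definitions reachable from the roots along use-def edges."""
    defs = {dest: args for dest, _, args in prog}
    live, work = set(), list(roots)
    while work:
        name = work.pop()
        if name in live or name not in defs:
            continue                    # already visited, or a parameter
        live.add(name)
        work.extend(a for a in defs[name] if isinstance(a, str))
    return [ins for ins in prog if ins[0] in live]

def optimize(prog, roots):
    """Repeat both passes until the listing stops changing."""
    while True:
        new = eliminate_dead(propagate_and_fold(prog), roots)
        if new == prog:
            return prog
        prog = new

if __name__ == "__main__":
    for ins in optimize(SOME_MATH, ["r_0"]):
        print(ins)
```

Without the single-assignment guarantee, the `consts` dictionary would need a reaching-definitions analysis before any substitution was safe.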

Register allocation

Register allocation (alternatively: register scheduling) is less of an optimization itself, and more of an unavoidable problem in compiler engineering: it’s fun to pretend to have access to an infinite number of addressable variables, but the compiler eventually insists that we boil our operations down to a small, fixed set of CPU registers.

The constraints and complexities of register allocation vary by architecture: x86 (prior to AMD64) is notoriously starved for registers[9] (only 8 full general purpose registers, of which 6 might be usable within a function’s scope[10]), while RISC architectures typically employ larger numbers of registers to compensate for the lack of register-memory operations.

Just as above, reductions to SSA form have both indirect and direct advantages for the register allocator:

Indirectly: Elimination of redundant loads and stores reduces the overall pressure on the register allocator, allowing it to avoid expensive spills (i.e., having to temporarily transfer a live register to main memory to accommodate another instruction).

Directly: Compilers have historically lowered φs into copies before register allocation, meaning that register allocators traditionally haven’t benefited from the SSA form itself[11]. There is, however, (semi-)recent research on direct application of SSA forms to both linear and coloring allocators[12][13].

A concrete example: modern JavaScript engines use JITs to accelerate program evaluation. These JITs frequently use linear register allocators for their acceptable tradeoff between register selection speed (linear, as the name suggests) and acceptable register scheduling. Converting out of SSA form is a time-consuming operation of its own, so linear allocation on the SSA representation itself is appealing in JITs and other contexts where compile time is part of execution time.

There are many things about SSA that I didn’t cover in this post: dominance frontiers, tradeoffs between “pruned” and less optimal SSA forms, and feedback mechanisms between the SSA form of a program and the compiler’s decision to cease optimizing, among others. Each of these could be its own blog post, and maybe will be in the future!

[1] In the sense that each task is conceptually isolated and has well-defined inputs and outputs. Individual compilers have some flexibility with respect to whether they combine or further split the tasks.

[2] The distinction between an AST and an intermediate representation is hazy: Rust converts their AST to HIR early in the compilation process, and languages can be designed to have ASTs that are amenable to analyses that would otherwise be best on an IR.

[3] This can be broken up into lexical validation (e.g. use of an undeclared identifier) and semantic validation (e.g. incorrect initialization of a type).

[4] This is what LLVM does: LLVM IR is lowered to MIR (not to be confused with Rust’s MIR), which is subsequently lowered to machine code.

[5] Not because they can’t: the SSA form of a program can be executed by evaluating φ with concrete control flow.

[6] We haven’t talked at all about minimal or pruned SSAs, and I don’t plan on doing so in this post. The TL;DR of them: naïve SSA form generation can lead to lots of unnecessary φ nodes, impeding analyses. LLVM (and GCC, and anything else that uses SSAs probably) will attempt to translate any initial SSA form into one with a minimally viable number of φs. For LLVM, this is tied directly to the rest of mem2reg.

[7] Including removing code that has undefined behavior in it, since “doesn’t run at all” is a valid consequence of invoking UB.

[8] And are also function scoped, meaning that another translation unit can’t address them.

[9] x86 makes up for this by not being a load-store architecture: many instructions can pay the price of a memory round-trip in exchange for saving a register.

[10] Assuming that %esp and %ebp are being used by the compiler to manage the function’s frame.

[11] LLVM, for example, lowers all φs as one of its very first preparations for register allocation. See this 2009 LLVM Developers’ Meeting talk.

[12] Wimmer 2010a: “Linear Scan Register Allocation on SSA Form” (PDF)

[13] Hack 2005: “Towards Register Allocation for Programs in SSA-form” (PDF)

Lesson 6: Static Single Assignment

  • discussion thread
  • static single assignment
  • SSA slides from Todd Mowry at CMU: another presentation of the pseudocode for various algorithms herein
  • Revisiting Out-of-SSA Translation for Correctness, Code Quality, and Efficiency by Boissinot, on more sophisticated ways to translate out of SSA form
  • tasks due March 8

You have undoubtedly noticed by now that many of the annoying problems in implementing analyses & optimizations stem from variable name conflicts. Wouldn’t it be nice if every assignment in a program used a unique variable name? Of course, people don’t write programs that way, so we’re out of luck. Right?

Wrong! Many compilers convert programs into static single assignment (SSA) form, which does exactly what it says: it ensures that, globally, every variable has exactly one static assignment location. (Of course, that statement might be executed multiple times, which is why it’s not dynamic single assignment.) In Bril terms, we convert a program like this:

Into a program like this, by renaming all the variables:

Of course, things will get a little more complicated when there is control flow. And because real machines are not SSA, using separate variables (i.e., memory locations and registers) for everything is bound to be inefficient. The idea in SSA is to convert general programs into SSA form, do all our optimization there, and then convert back to a standard mutating form before we generate backend code.

Just renaming assignments willy-nilly will quickly run into problems. Consider this program:

If we start renaming all the occurrences of a, everything goes fine until we try to write that last print a. Which “version” of a should it use?

To match the expressiveness of unrestricted programs, SSA adds a new kind of instruction: a ϕ-node. ϕ-nodes are flow-sensitive copy instructions: they get a value from one of several variables, depending on which incoming CFG edge was most recently taken to get to them.

In Bril, a ϕ-node appears as a phi instruction:

The phi instruction chooses between any number of variables, and it picks between them based on labels. If the program most recently executed a basic block with the given label, then the phi instruction takes its value from the corresponding variable.

You can write the above program in SSA like this:

It can also be useful to see how ϕ-nodes crop up in loops.

(An aside: some recent SSA-form IRs, such as MLIR and Swift’s IR, use an alternative to ϕ-nodes called basic block arguments. Instead of making ϕ-nodes look like weird instructions, these IRs bake the need for ϕ-like conditional copies into the structure of the CFG. Basic blocks have named parameters, and whenever you jump to a block, you must provide arguments for those parameters. With ϕ-nodes, a basic block enumerates all the possible sources for a given variable, one for each in-edge in the CFG; with basic block arguments, the sources are distributed to the “other end” of the CFG edge. Basic block arguments are a nice alternative for “SSA-native” IRs because they avoid messy problems that arise when needing to treat ϕ-nodes differently from every other kind of instruction.)

Bril in SSA

Bril has an SSA extension. It adds support for a phi instruction. Beyond that, SSA form is just a restriction on the normal expressiveness of Bril—if you solemnly promise never to assign statically to the same variable twice, you are writing “SSA Bril.”

The reference interpreter has built-in support for phi, so you can execute your SSA-form Bril programs without fuss.

The SSA Philosophy

In addition to a language form, SSA is also a philosophy! It can fundamentally change the way you think about programs. In the SSA philosophy:

  • definitions == variables
  • instructions == values
  • arguments == data flow graph edges

In LLVM, for example, instructions do not refer to argument variables by name—an argument is a pointer to the defining instruction.

Converting to SSA

To convert to SSA, we want to insert ϕ-nodes whenever there are distinct paths containing distinct definitions of a variable. We don’t need ϕ-nodes in places that are dominated by a definition of the variable. So what’s a way to know when control reachable from a definition is not dominated by that definition? The dominance frontier!

We do it in two steps. First, insert ϕ-nodes:

Then, rename variables:
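One way to implement the two steps (ϕ-node insertion on dominance frontiers, then renaming along the dominator tree), as an added example that is not the course's pseudocode or reference implementation. The tuple-based IR, the `__undefined` marker and all function names are assumptions; every block is assumed reachable from the entry, and the sample CFG is the helpful_open function from the post above.

```python
from collections import defaultdict

def dominators(succs, entry):
    """Return (dom, preds); dom[b] is the set of blocks that dominate b."""
    preds = defaultdict(list)
    for b, ss in succs.items():
        for s in ss:
            preds[s].append(b)
    dom = {b: set(succs) for b in succs}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for b in succs:
            if b == entry:
                continue
            new = {b} | set.intersection(*(dom[p] for p in preds[b]))
            if new != dom[b]:
                dom[b], changed = new, True
    return dom, preds

def dominance_frontier(dom, preds):
    """df[a]: blocks b where a dominates a predecessor of b, but not b strictly."""
    df = {b: set() for b in dom}
    for b in dom:
        for p in preds[b]:
            for a in dom[p]:
                if a == b or a not in dom[b]:
                    df[a].add(b)
    return df

def to_ssa(blocks, succs, entry, params=()):
    dom, preds = dominators(succs, entry)
    df = dominance_frontier(dom, preds)
    # Step 1: insert a phi on the dominance frontier of every definition.
    def_sites = defaultdict(set)
    for label, instrs in blocks.items():
        for dest, _, _ in instrs:
            if dest:
                def_sites[dest].add(label)
    phis = {b: {} for b in blocks}  # label -> {var: [ssa_dest, {pred: ssa_arg}]}
    for var, sites in def_sites.items():
        work = list(sites)
        while work:
            for b in df[work.pop()]:
                if var not in phis[b]:
                    phis[b][var] = [None, {}]
                    if b not in sites:  # the phi is itself a new definition
                        sites.add(b)
                        work.append(b)
    # Step 2: rename along the dominator tree, one name stack per variable.
    children = defaultdict(list)
    for b in blocks:
        strict = dom[b] - {b}
        if strict:  # the closest strict dominator has the largest dom set
            children[max(strict, key=lambda d: len(dom[d]))].append(b)
    stack = defaultdict(list, {p: [p] for p in params})
    counter = defaultdict(int)
    out = {b: [] for b in blocks}
    def fresh(var):
        name = f"{var}.{counter[var]}"
        counter[var] += 1
        stack[var].append(name)
        return name
    def rename(b):
        pushed = []
        for var, phi in phis[b].items():
            phi[0] = fresh(var)
            pushed.append(var)
        for dest, op, args in blocks[b]:
            args = tuple(stack[a][-1] if stack.get(a) else a for a in args)
            if dest:
                pushed.append(dest)
                dest = fresh(dest)
            out[b].append((dest, op, args))
        for s in succs[b]:
            for var, phi in phis[s].items():
                # No reaching definition on this edge: the variable is undefined.
                phi[1][b] = stack[var][-1] if stack[var] else "__undefined"
        for c in children[b]:
            rename(c)
        for var in pushed:
            stack[var].pop()
    rename(entry)
    return {b: [(d, "phi", tuple(sorted(a.items()))) for d, a in phis[b].values()]
               + out[b] for b in blocks}

def is_ssa(prog):
    """True when no destination name is assigned more than once."""
    dests = [d for instrs in prog.values() for d, _, _ in instrs if d]
    return len(dests) == len(set(dests))

# Constructed sample: helpful_open as a CFG (O_RDWR = 2, O_CREAT = 64).
BLOCKS = {
    "entry": [("flags", "const", (2,)), ("rc", "access", ("fname",)), (None, "br", ("rc",))],
    "if.then": [("flags", "or", ("flags", 64))],
    "if.end": [("fd", "open", ("fname", "flags", 420)), (None, "ret", ("fd",))],
}
SUCCS = {"entry": ["if.then", "if.end"], "if.then": ["if.end"], "if.end": []}
```

This produces minimal rather than pruned SSA: a ϕ-node is placed wherever definitions meet, even if the merged value is never used afterwards.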

Converting from SSA

Eventually, we need to convert out of SSA form to generate efficient code for real machines that don’t have phi-nodes and do have finite space for variable storage.

The basic algorithm is pretty straightforward. If you have a ϕ-node:

Then there must be assignments to x and y (recursively) preceding this statement in the CFG. The paths from x to the phi-containing block and from y to the same block must “converge” at that block. So insert code into the phi-containing block’s immediate predecessors along each of those two paths: one that does v = id x and one that does v = id y. Then you can delete the phi instruction.

This basic approach can introduce some redundant copying. (Take a look at the code it generates after you implement it!) Non-SSA copy propagation optimization can work well as a post-processing step. For a more extensive take on how to translate out of SSA efficiently, see “Revisiting Out-of-SSA Translation for Correctness, Code Quality, and Efficiency” by Boissinot et al.
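The basic out-of-SSA algorithm, together with a small interpreter that evaluates ϕ-nodes so the round trip can be checked, as an added example (not the course's code and not brili). The tuple IR and all names are assumptions; the sample is a hand transcription of the do_math IR shown earlier on this page, with shortened value names.

```python
import operator

OPS = {"add": operator.add, "shl": operator.lshift, "gt": operator.gt,
       "eq": operator.eq, "id": lambda v: v}
TERMINATORS = {"br", "jmp", "ret"}

# Constructed sample: do_math in SSA form. Phi args are (predecessor, value) pairs.
DO_MATH_SSA = {
    "entry": [("cmp5", "gt", ("count", 0)), (None, "br", ("cmp5",))],
    "for.cond.cleanup": [
        ("lcssa", "phi", (("entry", "base"), ("for.body", "add"))),
        (None, "ret", ("lcssa",)),
    ],
    "for.body": [
        ("i", "phi", (("for.body", "inc"), ("entry", 0))),
        ("b", "phi", (("for.body", "add"), ("entry", "base"))),
        ("add", "shl", ("b", 1)),
        ("inc", "add", ("i", 1)),
        ("exitcond", "eq", ("inc", "count")),
        (None, "br", ("exitcond",)),
    ],
}
# br jumps to the first successor when its condition is true, else the second.
SUCCS = {"entry": ["for.body", "for.cond.cleanup"],
         "for.cond.cleanup": [],
         "for.body": ["for.cond.cleanup", "for.body"]}

def from_ssa(ssa):
    """Replace every phi with 'dest = id value' copies in its predecessors."""
    out = {b: [ins for ins in instrs if ins[1] != "phi"] for b, instrs in ssa.items()}
    for instrs in ssa.values():
        for dest, op, args in instrs:
            if op != "phi":
                continue
            for pred, value in args:
                if value == "__undefined":
                    continue  # nothing to copy on a path with no definition
                body = out[pred]
                # The copy must run before the predecessor's terminator.
                at = len(body) - 1 if body and body[-1][1] in TERMINATORS else len(body)
                body.insert(at, (dest, "id", (value,)))
    # Copies are emitted one after another. Phis of one block that read each
    # other's results need parallel-copy handling, which this sketch omits.
    return out

def run(blocks, succs, entry, env):
    """Interpret the tuple IR; phis pick the value for the edge just taken."""
    env, prev, label = dict(env), None, entry
    def value(a):
        return env[a] if isinstance(a, str) else a
    while True:
        # All phis of a block read their inputs before any of them is written.
        incoming = {dest: value(dict(args)[prev])
                    for dest, op, args in blocks[label] if op == "phi"}
        env.update(incoming)
        for dest, op, args in blocks[label]:
            if op == "phi":
                continue
            vals = [value(a) for a in args]
            if op == "ret":
                return vals[0]
            if op == "br":
                prev, label = label, succs[label][0 if vals[0] else 1]
                break
            env[dest] = OPS[op](*vals)
        else:  # no terminator: fall through to the only successor
            prev, label = label, succs[label][0]

if __name__ == "__main__":
    plain = from_ssa(DO_MATH_SSA)
    args = {"count": 3, "base": 5}
    print(run(DO_MATH_SSA, SUCCS, "entry", args), run(plain, SUCCS, "entry", args))
```

The copies that land in `entry` and at the bottom of `for.body` are the redundant copying the paragraph above mentions.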

  • One thing to watch out for: a tricky part of the translation from the pseudocode to the real world is dealing with variables that are undefined along some paths.
  • Previous 6120 adventurers have found that it can be surprisingly difficult to get this right. Leave yourself plenty of time, and test thoroughly.
  • You will want to make sure the output of your “to SSA” pass is actually in SSA form. There’s a really simple is_ssa.py script that can check that for you.
  • You’ll also want to make sure that programs do the same thing when converted to SSA form and back again. Fortunately, brili supports the phi instruction, so you can interpret your SSA-form programs if you want to check the midpoint of that round trip.
  • For bonus “points,” implement global value numbering for SSA-form Bril code.
Static Single Assignment (with relevant examples)

Static Single Assignment was presented in 1988 by Barry K. Rosen, Mark N. Wegman, and F. Kenneth Zadeck.

In compiler design, Static Single Assignment (shortened SSA) is a means of structuring the IR (intermediate representation) such that every variable is allotted a value only once and every variable is defined before its use. The prime use of SSA is that it simplifies and improves the results of compiler optimisation algorithms by simplifying the variable properties. Some algorithms improved by application of SSA:

  • Constant Propagation – Translation of calculations from runtime to compile time. E.g. – the instruction v = 2*7+13 is treated like v = 27
  • Value Range Propagation – Finding the possible range of values a calculation could result in.
  • Dead Code Elimination – Removing the code which is not accessible and will have no effect on results whatsoever.
  • Strength Reduction – Replacing computationally expensive calculations by inexpensive ones.
  • Register Allocation – Optimising the use of registers for calculations.

Any code can be converted to SSA form by simply replacing the target variable of each code segment with a new variable and substituting each use of a variable with the new edition of the variable reaching that point. Versions are created by splitting the original variables existing in IR and are represented by original name with a subscript such that every variable gets its own version.

Example #1:

Convert the following code segment to SSA form:

Here x, y, z, s, p, q are original variables and x_2, s_2, s_3, s_4 are versions of x and s.

Example #2:

Here a, b, c, d, e, q, s are original variables and a_2, q_2, q_3 are versions of a and q.

Phi function and SSA codes

The three address codes may also contain goto statements, and thus a variable may assume value from two different paths.

Consider the following example:-

Example #3:

When we try to convert the above three address code to SSA form, the output looks like:-

Attempt #3:

We need to be able to decide which value y shall take, out of x_1 and x_2. We thus introduce the notion of phi functions, which resolve the correct value of the variable from two different computation paths due to branching.

Hence, the correct SSA codes for the example will be:-

Solution #3:

Thus, whenever a three address code has a branch and control may flow along two different paths, we need to use phi functions for appropriate addresses.

How does a static variable differentiate between initialization and assignments

I know static variables maintain their values for the entire runtime of the program even between function calls. Given the code below, what would be the value of x printed considering that x is declared as static and was initialized to zero. How does the using_static function not assign zero to the variable x during each call to the function?

  • Did you try compiling that with warnings turned on? You're telling printf() to print a function pointer like it was an int; that's not going to work very well. –  Shawn Commented Sep 25, 2021 at 8:16
  • (If your code ever got that far; it has an infinite loop first). –  Shawn Commented Sep 25, 2021 at 8:17
  • @Shawn -- so what you are saying, if you are a variable named i the story never changes? :) –  David C. Rankin Commented Sep 25, 2021 at 8:36
  • 1 And now you can run that piece of code and observe the output. And answer your own question. –  Mat Commented Sep 25, 2021 at 8:43
  • 1 Why are you using a while loop? That is a perfect example where it should be a for loop. Also, the return statements don't need braces. Don't add unnecessary braces, they impair understanding the language. Don't teach yourself bad coding habits. –  Cheatah Commented Sep 25, 2021 at 21:56

3 Answers

Your code sets the static variable x that has a default value of 0 to 0 every time the function is called and increments it so its value won't go above 1. static variables are always initialized with a value (Implicitly with 0 in your case). The correct code would be

The statement where the variable was declared as static is the only one which doesn't reassign the variable each time the function containing it is executed.

git-bruh's user avatar

Got it. Static variables are auto initialized to zero. If need be, they can only be initialized during declaration.

so while the above code would give an output of 1, changing using_static() to

would give an output of 6.

Thanks to all who answered.

How does the using_static function not assign zero to the variable x during each call to the function?

You are mistaken. Each time when the function is called the variable x is explicitly assigned with the value 0 due to the assignment statement

So the returned value of the function is always equal to 1.

It seems you mean initialization of the variable instead of its assignment.

If you will remove the statement

then the function will output sequentially

Initially the variable x is zero initialized. The initialization occurs before the program startup and occurs only once.

From the C Standard (5.1.2 Execution environments)

All objects with static storage duration shall be initialized (set to their initial values) before program startup.

and (6.7.9 Initialization)

10 If an object that has automatic storage duration is not initialized explicitly, its value is indeterminate. If an object that has static or thread storage duration is not initialized explicitly, then: — if it has arithmetic type, it is initialized to (positive or unsigned) zero; ....

You can imagine the function like


static group assignment


COMMENTS

  1. Cisco Identity Services Engine Administrator Guide, Release 2.4

    Static Group Assignment Check this check box when you want to assign an endpoint to an identity group statically. If you check this check box, the profiling service does not change the endpoint identity group the next time during evaluation of the endpoint policy for these endpoints, which were previously assigned dynamically to other endpoint ...

  2. Managing Identities [Cisco Identity Services Engine]

  3. Dynamic and Static Group Assignments : r/crowdstrike

    A host can belong to more than one group. What policy gets applied will be dependent on the precedence of the individual policy. Assume Host 1 is a member of StaticGroup and DynamicGroup. If StaticGroup has a policy with a higher precedence than DynamicGroup, then that is the policy that will be applied. If the precedence of DynamicGroup's ...

  4. Change static group membership to dynamic

  5. CISCO ISE Identity Management Group assignment

  6. Add Endpoint to Identity Group

    This workflow adds a static identity group assignment to a MAC address in Cisco Identity Services Engine (ISE). For example, if you're using identity groups to determine which authorization profile to apply, you can use this response workflow to alter an endpoint's permissions. Supported observable: mac_address. GitHub

  7. Adaptive Policy MR Configuration Guide

    Configuration for Static Group Assignment. If Adaptive Policy is enabled on the network, applying a static tag to an SSID is configured under Wireless > Access Control > RADIUS > Adaptive Policy Group. In this menu, you can select any of the groups configured under Organization > Configure > Adaptive policy > Groups. Once this is configured, all clients attached to the SSID will be tagged ...

  8. Tutorial: Set a Static IP Address for a User Through a Group ...

    To find the subnet for VPN clients: Sign in to the Admin Web UI. Click Configuration > VPN Settings. The IP address and netmask bits are displayed under Dynamic IP Address Network. Tip. If you're configuring static IP address assignments for Access Server in layer 2 mode, you must set the IP address on the client system's virtual network adapter.

  9. Understanding static single assignment forms

    With thanks to Niki Carroll, winny, and kurufu for their invaluable proofreading and advice. Preword. By popular demand, I'm doing another LLVM post. This time, it's single static assignment (or SSA) form, a common feature in the intermediate representations of optimizing compilers. Like the last one, SSA is a topic in compiler and IR design that I mostly understand but could benefit from ...

  10. Solved: Removing computer assignment from Static group usi...

    Basically the goal here is, assign computers to a Static group to make "Erase and Install macOS" available to that computer in Self Service. When the policy is triggered, remove the computer from that group, then run Erase and Install - This is just a failsafe in case admins forget to remove the computer assignment from the Static group after ...

  11. Adaptive Policy MS Configuration Guide

    You cannot have static group assignment and an 802.1x access policy configured on a switch port. If 802.1x is used on the interface, the interface group tag will be grayed out (Configured with default "Unspecified" value). In this case all Access-Accept messages for clients will require an SGT using the below av-pair.

  12. Apache Kafka Guide #16 Partition Rebalance & Static Group ...

    But with a group instance ID in the consumer config, the consumer becomes a static member. Imagine consumers named Consumer 1, Consumer 2, and Consumer 3. If Consumer 3 exits as a static member.

  13. CS 6120: Static Single Assignment

    Wrong! Many compilers convert programs into static single assignment (SSA) form, which does exactly what it says: it ensures that, globally, every variable has exactly one static assignment location. (Of course, that statement might be executed multiple times, which is why it's not dynamic single assignment.) In Bril terms, we convert a ...

  14. Static Single Assignment (with relevant examples)

  15. PDF Static Single Assignment Form

    In Static Single Assignment (SSA) Form each assignment to a variable, v, is changed into a unique assignment to new variable, v_i. If variable v has n assignments to it throughout the program, then (at least) n new variables, v_1 to v_n, are created to replace v. All uses of v are replaced by a use of some v_i.

  16. PDF Assign or Unassign a Static Group

    • When a unit receives a Static Group, the unit may choose to maintain the group's Description and add or remove employees as needed. The unit may also request that the SSC assist in maintaining the group. • This procedure details how to: o assign a Static Group to a unit o add or remove employees from a Static Group

  17. How does a static variable differentiate between initialization and

    Each time when the function is called the variable x is explicitly assigned with the value 0 due to the assignment statement.

        int using_static()
        {
            static int x;
            x = 0;
            ^^^^^
            x++;
            return (x);
        }

    So the returned value of the function is always equal to 1. It seems you mean initialization of the variable instead of its assignment. ...