[c-nsp] 'privilege level' syntax

Clinton Work clinton at scripty.com
Fri Sep 23 17:04:13 EDT 2005


I have been trying to restrict a router running 12.0(26)S5 to just ping,
traceroute, and show ip route. The following config works for the most part, 
but it allows users (priv level 1) to view the flash filesystems. I have 
tried setting the privilege level for "show flash" and "show bootflash:" to 
15, but it doesn't help. Any ideas?

router> show ?
   route       IP routing table
   bootflash:  display information about bootflash: file system
   slot0:      display information about slot0: file system
   slot1:      display information about slot1: file system


Privilege config:

privilege exec level 1 traceroute
privilege exec level 15 ping ip
privilege exec level 1 ping
privilege exec level 1 <other exec commands>
...
privilege exec level 5 enable
privilege exec level 15 show mls
privilege exec level 15 show dss
privilege exec level 15 show tcp
privilege exec level 15 show <other show commands>
...
privilege exec level 1 show
privilege exec level 1 show ip
privilege exec level 1 show ip route

I have tried the privilege exec all command for show, but you can't
override it for one sub-command with something like:

privilege exec all level 15 show
privilege exec level 1 show ip
privilege exec level 1 show ip route


Dennis Peng wrote:
> Peter Hicks [peter.hicks at poggs.co.uk] wrote:
> 
> 
> The privilege command does not allow such fine granularity, so it
> would not be possible to implement such a policy.
> 
> Dennis
> 

-- 
===================================================
Clinton Work	clinton at scripty.com
Calgary, AB
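A small audit script, added here as an example and not part of the original post or of IOS itself, that applies the privilege statements above to the commands listed by `show ?` and reports which ones a level-1 user still reaches. It assumes a simplified model of IOS resolution (a command takes the level of its longest configured keyword prefix, default level 1 otherwise); it does not reproduce the parser quirk the post describes, so the candidate list should always come from `show ?` on the device, as the poster did, rather than from the config alone.

```python
"""Audit 'privilege exec' statements: which commands are still reachable at level 1?

Assumption (simplified model, not the IOS parser): a command's effective level is
the level configured for its longest matching keyword prefix; commands with no
matching statement default to level 1, the IOS default for most exec/show commands.
"""
import re

PRIV_RE = re.compile(r"^privilege exec (?:all )?level (\d+) (.+)$")

def parse_privileges(config: str) -> dict:
    """Map keyword tuples to levels from 'privilege exec [all] level N <cmd>' lines."""
    levels = {}
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            levels[tuple(m.group(2).split())] = int(m.group(1))
    return levels

def effective_level(cmd: str, levels: dict, default: int = 1) -> int:
    """Level of the longest configured prefix of cmd (default when none matches)."""
    words = tuple(cmd.split())
    for n in range(len(words), 0, -1):
        if words[:n] in levels:
            return levels[words[:n]]
    return default

def exposed_commands(config: str, candidates, allowed, user_level: int = 1) -> list:
    """Candidates a user at user_level can run but that are not on the allow-list."""
    levels = parse_privileges(config)
    return sorted(c for c in candidates
                  if effective_level(c, levels) <= user_level and c not in allowed)

# Constructed sample: the privilege statements quoted in the post
SAMPLE_CONFIG = """
privilege exec level 1 traceroute
privilege exec level 15 ping ip
privilege exec level 1 ping
privilege exec level 5 enable
privilege exec level 15 show mls
privilege exec level 15 show tcp
privilege exec level 1 show
privilege exec level 1 show ip
privilege exec level 1 show ip route
"""
# Constructed candidate list: the 'show ?' output from the post plus a few other commands
CANDIDATES = ["show ip route", "show bootflash:", "show slot0:", "show slot1:",
              "show mls", "show tcp", "ping", "ping ip", "traceroute"]
ALLOWED = {"show ip route", "ping", "traceroute"}   # the intended level-1 policy

if __name__ == "__main__":
    for c in exposed_commands(SAMPLE_CONFIG, CANDIDATES, ALLOWED):
        print("reachable at level 1 but not in policy:", c)
```

Run against the sample, it reports the three filesystem `show` commands from the post as reachable at level 1 and outside the intended policy.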