[c-nsp] Privilege levels and Secure ACS

Kim Onnel karim.adel at gmail.com
Tue Jul 5 11:44:06 EDT 2005


I've had a look at our ACS and I admit it's not easy, too many things related 
to each other.

What I want to do is make the NOC able to do everything on PEs, for 
example, but not Ps; another group would be able to configure on one device 
but not the other. So can I do this from ACS, or must I do it per 
device (make privileges on the devices)?

For those who did this with ACS before, please correct me if I am wrong:

1) Create two different NDGs (network device groups): P and PEs (e.g.)

2) Create two different "Command Configuration sets":
a) All commands (all)
b) Limited commands (clear, show, ping, ...) (notall)

3) Create different user groups (Core, NOC, ...)

How can I let the user group (NOC) use the conf. set (all) on NDG (PEs) and, 
when accessing NDG (P), use the conf. set (notall)?

I hope I explained it well.

Regards




On 7/5/05, Jee Kay <jeekay at gmail.com> wrote:
> 
> On 7/5/05, Brett Looney <brett at looney.id.au> wrote:
> 
> > This is true (for "show running") and mentioned in the documentation
> > somewhere (can't find it right now). However, (as mentioned previously by
> > Serguei Bezverkhi) you can give people access to the "show config" and
> > "show startup" commands at privilege levels less than 15 so it's kind of
> > pointless...
> 
> Is 'show config' the same as 'show startup'? The problem we have here
> is that due to policy we don't always 'write mem' immediately, which
> can obviously cause interesting troubleshooting problems when support
> can't see the actual real config.
> 
> The other reason for wanting 'show run' specifically is that 'show run
> int x' is just too useful to discard.
> 

