[c-nsp] Privilege levels and Secure ACS
Kim Onnel
karim.adel at gmail.com
Tue Jul 5 11:44:06 EDT 2005
I've had a look at our ACS and i admit its not easy, too many things related
to each other,
What i want to do is make the NOC be able to do everything on PEs for
example but not Ps, another group would be able to configure on one device
but not the other, so can i do this from ACS, or i must do it per
device(make privileges on the devices)
For those who did this with ACS before, please correct me if i am wrong
1) Create two different NDG(network device groups) : P and PEs (for e.g.)
2) Create two different "Command Configuration sets" :
a) All commands (all)
b) limited commands(clear, show, ping,..) (notall)
3) Create different users groups ( Core, NOC,..)
How can I let users group (NOC) use the conf. set (all) on NDG: (PEs) and
when accessing NDG: (P) use the conf. set (notall)
I hope i explained it well.
Regards
On 7/5/05, Jee Kay <jeekay at gmail.com> wrote:
>
> On 7/5/05, Brett Looney <brett at looney.id.au> wrote:
>
> > This is true (for "show running") and mentioned in the documentation
> > somewhere (can't find it right now). However, (as mentioned previously
> by
> > Serguei Bezverkhi) you can give people access to the "show config" and
> > "show startup" commands at privilege levels less than 15 so it's kind of
> > pointless...
>
> Is 'show config' the same as 'show startup' ? The problem we have here
> is that due to policy we don't always 'write mem' immediately, which
> can obviously cause interesting troubleshooting problems when support
> can't see the actual real config.
>
> The other reason for wanting 'show run' specifically is that 'show run
> int x' is just too useful to discard.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
More information about the cisco-nsp
mailing list