topic ACE RBAC changeto vs. "sh run" in Application Networking

ACE RBAC changeto vs. "sh run"

p.hruby — Mon, 07 Oct 2013 11:42:48 GMT

I have ACE30 in Cat6500 with several contexts configured.

I'd like to restrict some user to be able to access only one context and he should be able enter show commands in this one specific context only.

As soon as I enable "changeto" feature in Admin context, the user is able to enter "sh run" in all contexts.

My config:

Admin context:

role PH-Test-role

rule 11 permit monitor feature changeto

Resticted context:

role PH-Test-role

Nonrestricted context:

role PH-Test-role

rule 1 permit monitor exec

rule 2 permit monitor probe

etc.

Only Admin context is configured for management (ssh, telnet) access.

With this configuration the specific user is able to execute "changeto Restricted" and is also able to execute "sh run" in Restricted context.

Is there a way how to disable show commands in Restricted context in this scenario?

Petr

Jorge Bejarano — Tue, 08 Oct 2013 04:32:20 GMT

Peter,

Here you have the details of the all existing roles:

Probably something like:

rule deny monitor ...

Although if you have a user which cannot even run anyway show command, why would you create even it?

Jorge

p.hruby — Tue, 08 Oct 2013 10:04:29 GMT

Jorge,

rule deny monitor in resticted context doesn't help.

I forgot to mention that users are created on tacacs+/ACS server and roles are assigned via AV pair for them.

I think that the only way to solve my problem is to create management interface on specific context.

Thanks

Petr

Jorge Bejarano — Tue, 08 Oct 2013 16:04:18 GMT

Yes,

Probably you may try to do this by using the ACS features and restricts the tasks the users can/cannot do.

Jorge