https://community.cisco.com/t5/network-security/ssh-access/m-p/3024064#M145971 <P>Hi all,</P> <P></P> <P>I need to configure an SSH username and password for a client who wants to integrate Tufin whereby they can create/modify/delete ACL's, as well as create object-groups, routes, NAT statements etc.</P> <P></P> <P>Privilege level 15 would ofcourse allow for this, however, I want to restrict certain criteria. Almost customize what they can and can't do.</P> <P></P> <P>Ultimately allow for everything mentioned above, but prohibited from doing anything else, ie: Create new SSH access, change passwords etc.</P> <P></P> <P>Is this possible? And if so, is there a doc online that can help guide me through this.</P> <P></P> <P>Your assistance in this regard would be greatly appreciated.</P> <P></P> <P>Thanking you in advance!</P> <P></P> <P>&nbsp;- Dale</P> Tue, 12 Mar 2019 09:01:36 GMT dalem00011 2019-03-12T09:01:36Z https://community.cisco.com/t5/network-security/ssh-access/m-p/3024064#M145971 <P>Hi all,</P> <P></P> <P>I need to configure an SSH username and password for a client who wants to integrate Tufin whereby they can create/modify/delete ACL's, as well as create object-groups, routes, NAT statements etc.</P> <P></P> <P>Privilege level 15 would ofcourse allow for this, however, I want to restrict certain criteria. Almost customize what they can and can't do.</P> <P></P> <P>Ultimately allow for everything mentioned above, but prohibited from doing anything else, ie: Create new SSH access, change passwords etc.</P> <P></P> <P>Is this possible? And if so, is there a doc online that can help guide me through this.</P> <P></P> <P>Your assistance in this regard would be greatly appreciated.</P> <P></P> <P>Thanking you in advance!</P> <P></P> <P>&nbsp;- Dale</P> Tue, 12 Mar 2019 09:01:36 GMT https://community.cisco.com/t5/network-security/ssh-access/m-p/3024064#M145971 dalem00011 2019-03-12T09:01:36Z https://community.cisco.com/t5/network-security/ssh-access/m-p/3024065#M145975 <P>Hi&nbsp;</P> <P>Yes you can define each command that can be executed in exec, config, show or clear.&nbsp;</P> <P></P> <P>Here's a sample config:&nbsp;</P> <P>privilege cmd level 5 mode exec command perfmon<BR />privilege cmd level 5 mode exec command dir<BR />privilege cmd level 5 mode exec command ping<BR />privilege cmd level 5 mode exec command who<BR />privilege cmd level 5 mode exec command logging<BR />privilege cmd level 5 mode exec command failover<BR />privilege cmd level 5 mode exec command vpn-sessiondb<BR />privilege cmd level 5 mode exec command packet-tracer<BR />privilege cmd level 5 mode exec command export<BR />privilege show level 5 mode exec command import<BR />privilege show level 5 mode exec command running-config<BR />privilege show level 5 mode exec command mode<BR />privilege show level 5 mode exec command firewall<BR />privilege show level 5 mode exec command asp<BR />privilege show level 5 mode exec command cpu<BR />privilege show level 5 mode exec command interface<BR />privilege show level 5 mode exec command clock<BR />privilege show level 5 mode exec command dns-hosts<BR />privilege show level 5 mode exec command access-list</P> <P>privilege clear level 5 mode exec command dynamic-filter<BR />privilege clear level 5 mode configure command logging<BR />privilege clear level 5 mode configure command arp<BR />privilege clear level 5 mode configure command aaa-server</P> <P></P> <P>You can find the documentation right here:&nbsp;</P> <P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/admin-management.html?bookSearch=true</P> <P></P> <P>Thanks&nbsp;</P> <P>PS: Please don't forget to rate and mark as correct answer if this answered your question</P> Wed, 08 Mar 2017 03:14:23 GMT https://community.cisco.com/t5/network-security/ssh-access/m-p/3024065#M145975 Francesco Molino 2017-03-08T03:14:23Z https://community.cisco.com/t5/network-security/ssh-access/m-p/3024066#M145980 <P>Thanks Francesco, I appreciate your assistance!</P> Wed, 08 Mar 2017 06:36:24 GMT https://community.cisco.com/t5/network-security/ssh-access/m-p/3024066#M145980 dalem00011 2017-03-08T06:36:24Z https://community.cisco.com/t5/network-security/ssh-access/m-p/3024067#M145985 <P>You're welcome</P> Wed, 08 Mar 2017 14:39:39 GMT https://community.cisco.com/t5/network-security/ssh-access/m-p/3024067#M145985 Francesco Molino 2017-03-08T14:39:39Z