Creating a limited admin user account on an ASA?

benweber — Tue, 12 Mar 2019 04:08:21 GMT

Hi All,

Wondering if this is possible. I want to create a user account on an ASA running 9.1(4) that just has the ability to create and delete other user accounts. This ASA is running a webvpn with local authentication and I want the local folks to be able to add and remove user accounts but not to be able to do anything else to modify the config.

I've done a similar thing in the past so that users could issue specific "show" commands by creating a local account with a privilege level of 6 and then allowing that account the ability to issue show commands with the following lines:

username nopriv password <removed> privilege 6

privilege show level 6 mode exec command startup-config

Is it possible to do the same so that they only have access to the "username" commands?

Thanks,

Ben

The ASA has RBAC (Role-Based

Marvin Rhoads — Tue, 29 Apr 2014 17:20:54 GMT

The ASA has RBAC (Role-Based Access Control) similar to IOS. In ASDM, first customize the desired command privileges to apply to a level <15 (Configuration > Device Management > Users/AAA > AAA Access >Authorization).

Then, from the User Accounts menu in the same Configuration pane, create your limited admin users and modify their privilege level to the one you just customized.

topic The ASA has RBAC (Role-Based in Network Security

Creating a limited admin user account on an ASA?

The ASA has RBAC (Role-Based