https://community.cisco.com/t5/network-security/asa-privilege-levels-views/m-p/1570950#M603928 <HTML><HEAD></HEAD><BODY><P>Hi Sachin,</P><P></P><P>Appreciate your effort in this post, most informative however it doesnt address my question. Ie. Does the ASA support views/roles, as IOS does?</P><P></P><P>Thanks</P><P>Rgds</P><P>Scott</P></BODY></HTML> Thu, 09 Sep 2010 23:11:07 GMT Scott Cannon 2010-09-09T23:11:07Z https://community.cisco.com/t5/network-security/asa-privilege-levels-views/m-p/1570947#M603925 <P>Hi Guys,</P><P></P><P>Can anyone tell me if the ASA supports views in the same manner IOS does? If so, can you tell me what version this functionlaity was made available in?</P><P></P><P>TIA</P><P>Rgds</P><P>Scott</P> Mon, 11 Mar 2019 18:37:27 GMT https://community.cisco.com/t5/network-security/asa-privilege-levels-views/m-p/1570947#M603925 Scott Cannon 2019-03-11T18:37:27Z https://community.cisco.com/t5/network-security/asa-privilege-levels-views/m-p/1570948#M603926 <HTML><HEAD></HEAD><BODY><P>Hi Scott,</P><P></P><P>When you enable command authorization, then only you have the option of manually assigning privilege levels to individual commands or groups of commands.</P><P></P><P>---</P><P>To configure privilege access levels on cisco asa commands there are 4 steps involved in this&nbsp; as follows:</P><P><BR />1. Enable command authorization ( LOCAL in this case means , keep the command authorization configuration on the firewall ) :</P><P><STRONG>aaa authorization command LOCAL</STRONG></P><P></P><P>2. You can define commands you want to use on a certain level, for example these commands will enable a user in privilege level 5 to view and clear crypto tunnels</P><P></P><P><STRONG>privilege show level 5 command crypto<BR />privilege clear level 5 command crypto</STRONG></P><P></P><P>3. Create a user and assign the privilege level to her/him :</P><P></P><P><STRONG>username userName password userPass privilege 5</STRONG></P><P></P><P>4. Create an enable password for the new privilege level :</P><P></P><P><STRONG>enable password enablePass level 5</STRONG></P><P></P><P>Now when the user logs in she/he can type :</P><P><STRONG>enable 5</STRONG></P><P></P><P>Enter the password from step for and they will be able to run the above crypto commands.</P><P>---<BR />To add a user to the security appliance database, enter the username command in global configuration mode. To remove a user, use the no version of this command with the username you want to remove. To remove all usernames, use the no version of this command without appending a username.</P><P></P><P><STRONG>username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]</STRONG></P><P></P><P>This privilege level is used with command authorization.</P><P><STRONG>no username name</STRONG></P><P>----------</P><P>In general you can use this version of username command as well for simple config:</P><P></P><P><STRONG>username <NAME> password <PASSWORD> privilege <LEVEL></LEVEL></PASSWORD></NAME></STRONG></P><P><BR />e.i.&nbsp; (lever 15 allows full EXEC mode access - as well as all ASDM features)</P><P><BR /><STRONG>username sachingarg password </STRONG><A href="https://community.cisco.com/"><STRONG>HC!@%$</STRONG></A><STRONG>#@! privilege 15</STRONG></P><P><BR /><STRONG>The default privilege level is 2.</STRONG></P><P><BR />Please remember as I have said above that access levels (1-15) aren't relevant much unless you authorize command authorization:</P><P><BR /><STRONG>aaa authorization command LOCAL</STRONG></P><P>---</P><P>Viewing Command Privilege Levels</P><P><BR />The following commands let you view privilege levels for commands.</P><P></P><P>•To show all commands, enter the following command:</P><P>hostname(config)# <STRONG>show running-config all privilege all</STRONG></P><P><STRONG><BR /></STRONG>•To show commands for a specific level, enter the following command:</P><P>hostname(config)# <STRONG>show running-config privilege level level</STRONG></P><P><BR />The level is an integer between 0 and 15.</P><P></P><P>•To show the level of a specific command, enter the following command:</P><P>hostname(config)# <STRONG>show running-config privilege command command</STRONG></P><P><STRONG><BR /></STRONG>For example, for the show running-config all privilege all command, the system displays the current assignment of each CLI command to a privilege level. The following is sample output from the command.</P><P></P><P>hostname(config)# <STRONG>show running-config all privilege all<BR /></STRONG>privilege show level 15 command aaa<BR />privilege clear level 15 command aaa<BR />privilege configure level 15 command aaa<BR />privilege show level 15 command aaa-server<BR />privilege clear level 15 command aaa-server<BR />privilege configure level 15 command aaa-server<BR />privilege show level 15 command access-group<BR />privilege clear level 15 command access-group<BR />privilege configure level 15 command access-group<BR />privilege show level 15 command access-list<BR />privilege clear level 15 command access-list<BR />privilege configure level 15 command access-list<BR />privilege show level 15 command activation-key<BR />privilege configure level 15 command activation-key<BR />....<BR />The following command displays the command assignments for privilege level 10:</P><P></P><P>hostname(config)# <STRONG>show running-config privilege level 10</STRONG><BR />privilege show level 10 command aaa</P><P><BR />The following command displays the command assignment for the access-list command:</P><P>hostname(config)# <STRONG>show running-config privilege command access-list<BR /></STRONG>privilege show level 15 command access-list<BR />privilege clear level 15 command access-list<BR />privilege configure level 15 command access-list</P><P><BR />ciscoasa5520# <STRONG>show run all username</STRONG><BR />ciscoasa5520# <STRONG>show run all privilege | grep pwd</STRONG></P><P>-----</P><P>Kindly find some useful references in this regard as follows:<BR />username&nbsp; cli syntax<BR /><A href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1568449">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1568449</A></P><P><BR />Additional reference for aaa authorization command <BR /><A href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537175">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537175</A></P><P></P><P>For ASDM:<BR /><A href="http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/devaccss.html">http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/devaccss.html</A></P><P></P><P>Managing System Access (best for beginners)<BR /><A href="http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1042040">http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1042040</A></P><P></P><P>You can configure privilege levels on the ASA through the AAA configuration.&nbsp; Take a look at: <BR /><A href="http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/devaccss.html">http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/devaccss.html</A></P><P></P><P></P><P>For Master Collection of&nbsp; Cisco ASA Config&nbsp; Examples links kindly refer the following URL:</P><P></P><DIV class="heading">And seek more examples in the secion for Authentication, Authorization and Accounting (AAA) :</DIV><DIV class="heading"><A href="http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html">http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html</A></DIV><P></P><P>Please keep in touch for any further query in this regard. Please rate if you find the above mentioned information of any use to you.</P><P></P><P>HTH</P><P></P><P>Sachin Garg</P><P></P><P>Message was edited by: sachinga.hcl</P></BODY></HTML> Thu, 09 Sep 2010 11:37:29 GMT https://community.cisco.com/t5/network-security/asa-privilege-levels-views/m-p/1570948#M603926 sachinga.hcl 2010-09-09T11:37:29Z https://community.cisco.com/t5/network-security/asa-privilege-levels-views/m-p/1570949#M603927 <HTML><HEAD></HEAD><BODY><P>Hi Scott</P><P></P><P>No is the simple answer to your Q, the ASA does NOT support views.</P><P></P><P>Although if you want to restrict access to the device then you can use AAA, see the post above for details.</P><P></P><P>cheers</P></BODY></HTML> Thu, 09 Sep 2010 21:24:52 GMT https://community.cisco.com/t5/network-security/asa-privilege-levels-views/m-p/1570949#M603927 golly_wog 2010-09-09T21:24:52Z https://community.cisco.com/t5/network-security/asa-privilege-levels-views/m-p/1570950#M603928 <HTML><HEAD></HEAD><BODY><P>Hi Sachin,</P><P></P><P>Appreciate your effort in this post, most informative however it doesnt address my question. Ie. Does the ASA support views/roles, as IOS does?</P><P></P><P>Thanks</P><P>Rgds</P><P>Scott</P></BODY></HTML> Thu, 09 Sep 2010 23:11:07 GMT https://community.cisco.com/t5/network-security/asa-privilege-levels-views/m-p/1570950#M603928 Scott Cannon 2010-09-09T23:11:07Z https://community.cisco.com/t5/network-security/asa-privilege-levels-views/m-p/1570951#M603929 <HTML><HEAD></HEAD><BODY><P>Thanks Golly, not the answer I wanted to hear but appreciated all the same.</P><P></P><P>Rgds</P><P>Scott</P></BODY></HTML> Thu, 09 Sep 2010 23:12:12 GMT https://community.cisco.com/t5/network-security/asa-privilege-levels-views/m-p/1570951#M603929 Scott Cannon 2010-09-09T23:12:12Z https://community.cisco.com/t5/network-security/asa-privilege-levels-views/m-p/3214619#M603930 <P>Thank you for not only answering the question, but providing the equivalent to IOS VIEWS in ASA using the PRIVILEGE command.&nbsp; Very thorough.</P> Fri, 10 Nov 2017 15:51:46 GMT https://community.cisco.com/t5/network-security/asa-privilege-levels-views/m-p/3214619#M603930 bcoverstone 2017-11-10T15:51:46Z