ACE 4710: Possible to allow a user to clear counters but nothing else?

BrandonNC · ‎09-01-2011

Hello all,

Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc. We would also like to allow this user to clear the interface error counters as well, but nothing else. Is this possible?

Thanks!

chrhiggi · ‎09-07-2011

Hello Brandon-

Network-Monitor only lets you browse outputs, it is a not a role that allows a user to make any changes including clearing stats. You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.

i.e.

ACE# conif t

ACE(config)# role MyRole

ACE(config-role)# rule 1 permit modify feature ?

AAA AAA related commands

access-list ACL related commands

connection TCP/UDP related commands

fault-tolerant Fault tolerance related commands

inspect Appln inspection related commands

interface Interface related commands

loadbalance Loadbalancing policy and class commands

pki PKI related commands

probe Health probe related commands

rserver Real server related commands

serverfarm Serverfarm related commands

ssl SSL related commands

sticky Sticky related commands

vip Virtual server related commands

You can create a permit or deny rule, within that, create/debug/modify/monitor each feature seperately.

Domains allow you to create containers for objects. You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.

Regards,

Chris Higgins

Marko Leopold · ‎09-08-2011

If you are in range for an ACS you can use this. It will allow you to specify the commands a user can execute.