I have ACE30 in Cat6500 with several contexts configured.
I'd like to restrict a user so that he can access only one context, and he should be able to enter show commands in this one specific context only.
As soon as I enable "changeto" feature in Admin context, the user is able to enter "sh run" in all contexts.
rule 11 permit monitor feature changeto
rule 1 permit monitor exec
rule 2 permit monitor probe
Only the Admin context is configured for management (SSH, Telnet) access.
With this configuration the specific user is able to execute "changeto Restricted" and is also able to execute "sh run" in Restricted context.
Is there a way to disable show commands in the Restricted context in this scenario?
Here you have the details of all the existing roles:
Probably something like:
Although, if you have a user who cannot even run any show command anyway, why would you even create it?
I forgot to mention that the users are created on the TACACS+/ACS server and roles are assigned to them via an AV pair.
I think that the only way to solve my problem is to create a management interface on the specific context.
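What that last approach looks like as an ACE configuration, added here as an example and not taken from the thread or from Cisco documentation: the context name Restricted and the two monitor rules are the ones from the question; the role, domain, class-map and policy-map names, VLAN 100 and the 10.10.10.0/24 addresses are assumed placeholders. The idea is that the monitoring user never logs in to the Admin context at all (so the changeto feature is irrelevant to him) and instead connects to a management address that belongs only to the Restricted context, where his role contains monitor rules but no changeto rule.

```text
! Added example config (assumed names and addresses), applied inside the Restricted context
changeto Restricted
configure terminal

! Role for the monitoring user: same monitor rules as in the question, no changeto feature
role RESTRICTED-MON
  rule 1 permit monitor exec
  rule 2 permit monitor probe

! Domain limiting what the role applies to; here all objects of this context
domain RESTRICTED-DOM
  add-object all

! Management traffic allowed in on this context's own interface: SSH only, from the assumed admin subnet
class-map type management match-any MGMT-SSH
  10 match protocol ssh source-address 10.10.10.0 255.255.255.0

policy-map type management first-match MGMT-POL
  class MGMT-SSH
    permit

! Management interface that exists only in the Restricted context
interface vlan 100
  description management access for Restricted context only
  ip address 10.10.10.1 255.255.255.0
  service-policy input MGMT-POL
  no shutdown
```

On the TACACS+/ACS side the AV pair for this user then references only the Restricted context with the RESTRICTED-MON role and RESTRICTED-DOM domain, and grants no role in the Admin context; the user's SSH session terminates on 10.10.10.1, and since he never holds a role in Admin, no changeto rule there can widen what he sees. Verify from the user's own session with "show role" and "show user-account", and confirm that an attempt to SSH to the Admin context's management address is refused for that account.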