I have ACE30 in Cat6500 with several contexts configured.
I'd like to restrict some user to be able to access only one context, and he should be able to enter show commands in this one specific context only.
As soon as I enable "changeto" feature in Admin context, the user is able to enter "sh run" in all contexts.
rule 11 permit monitor feature changeto
rule 1 permit monitor exec
rule 2 permit monitor probe
Only Admin context is configured for management (ssh, telnet) access.
With this configuration the specific user is able to execute "changeto Restricted" and is also able to execute "sh run" in Restricted context.
Is there a way to disable show commands in the Restricted context in this scenario?
Here you have the details of all the existing roles:
Probably something like:
rule deny monitor ...
Although, if you have a user who cannot run any show command anyway, why would you even create it?
rule deny monitor in the Restricted context doesn't help.
I forgot to mention that users are created on tacacs+/ACS server and roles are assigned via AV pair for them.
I think that the only way to solve my problem is to create management interface on specific context.
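As an added example (not part of the original thread), the management-interface approach described in the post above would look roughly like this inside the Restricted context: a management class-map and policy-map applied to the context's own interface, so the user logs in there directly and never needs changeto from Admin. The VLAN number, IP addressing and object names are assumptions.

```cisco
! Constructed example for the Restricted context (assumed names and addresses)
changeto Restricted
configure terminal

! Allow only SSH toward this context's management address
class-map type management match-any RESTRICTED-MGMT
  2 match protocol ssh any

policy-map type management first-match RESTRICTED-MGMT-POLICY
  class RESTRICTED-MGMT
    permit

! Dedicated management interface inside the context (VLAN and IP are assumptions)
interface vlan 200
  ip address 192.0.2.10 255.255.255.0
  service-policy input RESTRICTED-MGMT-POLICY
  no shutdown
```

Because the user's role is then evaluated only in the context he logs into, the Admin context no longer needs to grant changeto to that role.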
Probably you may try to do this by using the ACS features and restricting the tasks the users can/cannot do.