10-07-2013 04:42 AM
I have ACE30 in Cat6500 with several contexts configured.
I'd like to restrict a user so that he can access only one context and can enter show commands in that one specific context only.
As soon as I enable "changeto" feature in Admin context, the user is able to enter "sh run" in all contexts.
My config:
Admin context:
role PH-Test-role
rule 11 permit monitor feature changeto
Restricted context:
role PH-Test-role
Nonrestricted context:
role PH-Test-role
rule 1 permit monitor exec
rule 2 permit monitor probe
etc.
Only Admin context is configured for management (ssh, telnet) access.
With this configuration the specific user is able to execute "changeto Restricted" and is also able to execute "sh run" in Restricted context.
Is there a way to disable show commands in the Restricted context in this scenario?
Petr
10-07-2013 09:32 PM
Peter,
Here you have the details of all the existing roles:
Probably something like:
rule
Although, if you have a user who cannot even run any show command, why would you even create it?
Jorge
10-08-2013 03:04 AM
Jorge,
rule
I forgot to mention that users are created on tacacs+/ACS server and roles are assigned via AV pair for them.
I think that the only way to solve my problem is to create management interface on specific context.
Thanks
Petr
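A sketch of the approach Petr settles on, added here as an example and not taken from the thread: the Restricted context gets its own SSH management interface and its own copy of the role, so the TACACS+ user logs into that context directly and never needs the changeto feature in Admin. The VLAN number, addresses and management subnet are assumed placeholders; the rule lines mirror the feature names used in the thread.

```cisco
! Restricted context (assumed example configuration, not the poster's)
! The role the TACACS+ AV pair maps the user to inside this context.
! No changeto rule here, so a login to this context cannot hop to others.
role PH-Test-role
  rule 1 permit monitor feature exec
  rule 2 permit monitor feature probe

! Accept SSH only from the assumed management subnet 192.0.2.0/24
class-map type management match-any MGMT-SSH
  10 match protocol ssh source-address 192.0.2.0 255.255.255.0

policy-map type management first-match MGMT-POLICY
  class MGMT-SSH
    permit

! Dedicated management interface for this context (VLAN 50 assumed)
interface vlan 50
  description management access for Restricted context only
  ip address 192.0.2.10 255.255.255.0
  service-policy input MGMT-POLICY
  no shutdown
```

The Admin context keeps its management interface, but the user's role there no longer needs "permit monitor feature changeto"; as Jorge notes, a role with any monitor rule still permits show commands in the context it is defined in.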
10-08-2013 09:04 AM
Yes,
Probably you may try to do this by using the ACS features and restricting the tasks the users can/cannot do.
Jorge