
enable parser view command on ACS 5.X

yong khang NG
Level 5

Hi all,

I would like to check whether it is possible to bind Cisco Secure ACS 5.x to support the router/switch IOS view feature - superview and parser command.

The business objective is to assign administrative roles, with different role-based CLI access, using ACS 5.x as the backend server.

a. Admin (allow all)

b. Network monitor (privilege #7, enable a view that can do various show commands and configure)

c. Support (privilege #1, read only)

Thanks

Noel

2 Replies

maldehne
Cisco Employee

You need to create three shell profiles:

Full --> set maximum privilege to 15

Monitor --> set maximum privilege to 7

Support --> set maximum privilege to 1

You need to create three command sets:

FullSet --> check "Permit any command that is not in the table below"

MonitorSet --> permit the commands that you want

SupportSet --> add a permit for the show commands only

Then you need to edit the authorization policy to create three rules:

Rule 1: If user is a member of identity group admin, the result should be the Full shell profile and FullSet command set

Rule 2: If user is a member of identity group Monitor, the result should be the Monitor shell profile and MonitorSet command set

Rule 3: If user is a member of the support identity group, the result should be the Support shell profile and SupportSet command set

You need to customize the authorization policy to add:

identity group to conditions

shell profiles and command sets to results

Check this link as a reference:

http://www.cisco.com/en/US/partner/products/ps9911/products_configuration_example09186a0080bc8514.shtml

---------------------------------------------------------------------------------------------------------------

Please make sure to rate correct answers
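
The three rules from the reply above, modeled as an added Python example (not part of the original reply and not ACS code) so the intended outcome of each role can be checked before it is built in the ACS GUI. Matching on the first command word, the MonitorSet rows, and denying when no rule matches are simplifying assumptions of this model.

```python
from dataclasses import dataclass, field


@dataclass
class CommandSet:
    name: str
    # Models the "Permit any command that is not in the table below" checkbox.
    permit_unmatched: bool = False
    # Rows of (grant, command); the first row whose command matches decides.
    table: list = field(default_factory=list)

    def allows(self, cli_line: str) -> bool:
        words = cli_line.split()
        if not words:
            return False
        for grant, command in self.table:
            if words[0] == command:  # assumption: match on the first word only
                return grant == "permit"
        return self.permit_unmatched


# Command sets named in the reply. The MonitorSet rows are constructed samples.
FULL_SET = CommandSet("FullSet", permit_unmatched=True)
MONITOR_SET = CommandSet("MonitorSet", table=[
    ("permit", "show"), ("permit", "configure"), ("permit", "interface")])
SUPPORT_SET = CommandSet("SupportSet", table=[("permit", "show")])

# Authorization rules: identity group -> shell profile, max privilege, command set.
RULES = [
    ("admin", "Full", 15, FULL_SET),
    ("Monitor", "Monitor", 7, MONITOR_SET),
    ("support", "Support", 1, SUPPORT_SET),
]


def authorize(identity_group: str, cli_line: str):
    """Return (shell profile, max privilege, allowed), or None if no rule matches."""
    for group, profile, max_priv, command_set in RULES:
        if group == identity_group:
            return profile, max_priv, command_set.allows(cli_line)
    return None  # assumption: no matching rule means access is denied


if __name__ == "__main__":
    for group, line in [("admin", "reload"), ("Monitor", "configure terminal"),
                        ("Monitor", "reload"), ("support", "show ip route"),
                        ("support", "configure terminal")]:
        print(f"{group:8} {line:20} -> {authorize(group, line)}")
```
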

Hi

Thanks for the reply.

It sounds complex, but I will try to get it to work.