
SHOW commands without ENABLE...?

jnerlinger
Level 1

I have a user who has been given read-only, privilege level 1, access and wants the ability to use the various SHOW commands.  We have ACS running in this environment.  Is there a way, through ACS, to give him these commands?  

Policy Elements/Authorization and Permissions/Device Administration/Shell Profiles has ReadOnly with all shell attributes set to not in use, default/max privilege set to 1, nothing extra in custom attributes.  Same set of submenus, Command Sets, Limited has "Permit" "SHOW" with no arguments listed.  Under Access Policies, Standard Device Admin, Authorization, I have a rule for the identity group assigned to the user in all locations and all device types that assigns the shell profile of ReadOnly and the command set of Limited.  However, the user cannot perform any such commands.

What am I missing?  Is there another way to do this?  As I said, the key is to provide the show commands without the ability to make changes to the devices.

1 Reply 1

mlovellette
Level 4

Yes this can be done and it sounds like you have ACS configured correctly.  However, I am not sure if all show commands will be available without entering enable mode.  For example, show interfaces is not available until after you enter enable mode.

What AAA commands do you have running on the devices?

I am doing pretty much what you're doing but I allow the user to enter enable mode and then restrict them to a handful of commands.  Also, I have ACS controlling the enable password on a per user basis.
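
The device-side AAA configuration the reply asks about, as an added example that is not part of the original thread: an ACS command set such as Limited only takes effect when the device is told to send command authorization requests for the privilege level the user is working at, and it can only filter commands that level already offers on the device. The server address (a documentation-range IP), the shared-secret placeholder and the use of the default method lists are assumptions.

```text
! Added example: IOS AAA settings that make the device consult ACS (TACACS+)
aaa new-model
!
! Constructed values: replace the address and key with your ACS server's
tacacs-server host 192.0.2.10 key <SHARED-SECRET>
!
! Log in against ACS, fall back to local accounts if ACS is unreachable
aaa authentication login default group tacacs+ local
!
! Lets ACS hand back the shell profile (e.g. ReadOnly, privilege level 1)
aaa authorization exec default group tacacs+ local
!
! Without these lines the device never asks ACS about individual commands,
! so the command set (e.g. Limited: permit show) has no effect at that level
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Record every command the read-only user runs
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
```

With the approach described in the reply (user allowed into enable mode), the `commands 15` line is what confines that user to the show commands permitted in the command set.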