Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
604
Views
0
Helpful
1
Replies

Prime Infrastrcuture TACACs access to specific CLI Templates only

andrewswanson
Level 7
Level 7

‎02-09-2016 05:47 AM

Hello
I'm looking at getting Prime Infrastructure 2.2 configured to:

  • authenticate users via tacacs with Cisco acs
  • cisco acs returns required attributes to authorise user
  • user can then deploy templates to devices in their allocated Virtual Domain

The above works fine except that I can't seem to restrict what templates a user can deploy - they can use any of the prime infrastructure provided templates. I'd like to restrict them to specific templates only. Is this possible? Some of the relevant tacacs attributes used are below

task2=Deploy Configuring Access
task3=Configuration Templates Read Access

thanks
Andy

Labels:
0 Helpful
1 Reply 1

andrewswanson
Level 7
Level 7

‎02-09-2016 06:49 AM

I have a workaround in place for this:

  • Created a Configuration Group and added the required CLI templates and Virtual Domain devices. Users have read only and deploy access so they cannot modify the Configuration Group prior to deployment
  • Unfortunately, users still have access to Configuration > Templates > Features & Technologies which allows them to select any System Defined CLI template and deploy it on any of the Virtual Domain devices. I got round this by removing access the TACACs attribute "task11=Configure Menu Access" so the users cannot access the Configuration menu.
  • To access the Configuration Group, users use the search bar to search for "Configuration Group" - this takes the user directly to the Configuration Group where they can deploy only the selected templates.

Its not perfect but seems to work. Does anyone have any better designs?

Thanks
Andy

Authenticated user's TACACs attributes are below:


virtual-domain1=CAMPUS
role0=User Defined 1
task2=Deploy Configuring Access
task3=Configuration Templates Read Access
task4=Monitor Menu Access
task5=Help Menu Access
task6=Device Reports Read Only
task7=Saved Reports List Read Only
task8=Reports Menu Access
task9=Run Reports List
task12=Search Access
task13=Tools Menu Access
task14=Administration Menu Access
task15=Monitor Clients
task16=Home Menu Access

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card