Re: ASA authorize a user to create user with only lower priviledge level.

freemanli01 · ‎01-09-2018

Scenario:

I as an admin, and assign admin5 a privilege 5. so that he can create new users, let's say user3.

The problem is. how to restrict admin5 can only create user with privilege level lower than its own.

otherwise, even admin5 only have priviledge 5, he can create a new user with privilege 15.

denilson.mota · ‎01-09-2018

Hi,

If you using any type of AAA server authentication like TACACS you can manage the privilege from there or from ASDM you can go to device manager>> AAA access>>>Authorization and manage the privilege from the specific user or group.

Hope this help!

freemanli01 · ‎01-10-2018

@denilson.mota wrote:

Hi,

If you using any type of AAA server authentication like TACACS you can manage the privilege from there or from ASDM you can go to device manager>> AAA access>>>Authorization and manage the privilege from the specific user or group.

Hope this help!

====================

Hello,

Thanks for the quick reply,

I may need more explanation on my scenario:

1. Me: admin of the ASA, privilege 15

I create an authorization policy, which allow some user (like noc_user1) with privilege 5 to create new users (like vpn_user1).

2. my question is: How to restrict user noc_user1 can only create new users with lower privilege.

which means, any user with privilege 5 (and have been authorized to create new user), can

only create new users with privilege level lower than or equal to 5 (the creator's level)

--------------

I am currently using LOCAL database, but the question is same to Radius or Tacacs+.

#privilege cmd level 5 mode exec command username