SSH Access

dalem00011
Level 1

Hi all,

I need to configure an SSH username and password for a client who wants to integrate Tufin whereby they can create/modify/delete ACLs, as well as create object-groups, routes, NAT statements etc.

Privilege level 15 would of course allow for this, however, I want to restrict certain criteria. Almost customize what they can and can't do.

Ultimately allow for everything mentioned above, but prohibit them from doing anything else, i.e. creating new SSH access, changing passwords etc.

Is this possible? And if so, is there a doc online that can help guide me through this.

Your assistance in this regard would be greatly appreciated.

Thanking you in advance!

 - Dale

Accepted Solution

Francesco Molino
VIP Alumni

Hi 

Yes you can define each command that can be executed in exec, config, show or clear. 

Here's a sample config: 

privilege cmd level 5 mode exec command perfmon
privilege cmd level 5 mode exec command dir
privilege cmd level 5 mode exec command ping
privilege cmd level 5 mode exec command who
privilege cmd level 5 mode exec command logging
privilege cmd level 5 mode exec command failover
privilege cmd level 5 mode exec command vpn-sessiondb
privilege cmd level 5 mode exec command packet-tracer
privilege cmd level 5 mode exec command export
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command mode
privilege show level 5 mode exec command firewall
privilege show level 5 mode exec command asp
privilege show level 5 mode exec command cpu
privilege show level 5 mode exec command interface
privilege show level 5 mode exec command clock
privilege show level 5 mode exec command dns-hosts
privilege show level 5 mode exec command access-list

privilege clear level 5 mode exec command dynamic-filter
privilege clear level 5 mode configure command logging
privilege clear level 5 mode configure command arp
privilege clear level 5 mode configure command aaa-server

You can find the documentation right here: 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/admin-management.html?bookSearch=true

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
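As an added example that is not part of the original thread and not Cisco's own tooling: a small Python audit script that parses `privilege` and `username` lines in the format shown in the answer above (the `show running-config` form; it also accepts the `mode enable|cmd` keywords used when the command is typed in), works out which of the listed commands a given user's level can run, and flags whether account- or access-management commands such as `username` or `ssh` ended up reachable from the restricted level, which is exactly what the question wants to rule out. It also checks for an `aaa authorization command` line, since local command authorization has to be enabled on the ASA for the per-command privilege assignments to be enforced. The config excerpt, the user names, and the sensitive-command list are constructed for this example; default levels of commands that are not listed in the config are not modelled.

```python
"""Audit which commands a Cisco ASA privilege level grants.

Constructed example: parses 'privilege <cmd|show|clear> level N mode <exec|configure>
command X' lines (as printed by 'show running-config') plus 'username ... privilege N'
lines, then reports what a user may run and whether sensitive commands leaked in.
"""
import re

PRIV_RE = re.compile(
    r"^privilege\s+(?P<kind>cmd|show|clear)\s+level\s+(?P<level>\d+)"
    r"\s+mode\s+(?P<mode>exec|enable|configure|cmd)\s+command\s+(?P<command>\S+)\s*$"
)
USER_RE = re.compile(r"^username\s+(?P<name>\S+)\s.*\bprivilege\s+(?P<level>\d+)\s*$")

# Commands that create access or change credentials. Constructed list for this
# example; extend it to match the device's own command set.
SENSITIVE = {"username", "ssh", "enable", "aaa", "privilege", "passwd", "http", "telnet"}

# Constructed running-config excerpt (hypothetical user names, placeholder hashes).
# The last line is a deliberate mistake the audit should catch.
SAMPLE_CONFIG = """\
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
username tufin-svc password PLACEHOLDER encrypted privilege 5
username netadmin password PLACEHOLDER encrypted privilege 15
privilege cmd level 3 mode exec command ping
privilege cmd level 5 mode exec command configure
privilege cmd level 5 mode configure command access-list
privilege cmd level 5 mode configure command access-group
privilege cmd level 5 mode configure command object-group
privilege cmd level 5 mode configure command route
privilege cmd level 5 mode configure command nat
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command access-list
privilege clear level 5 mode configure command access-list
privilege cmd level 5 mode configure command username
"""


def _norm_mode(mode):
    # 'show running-config' prints exec/configure; the configure-time syntax
    # uses enable/cmd for the same two modes. Fold each pair together.
    return "exec" if mode in ("exec", "enable") else "configure"


def parse_config(text):
    """Return privilege assignments, user levels and whether command authz is on."""
    privs, users, cmd_authz = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        m = PRIV_RE.match(line)
        if m:
            privs.append((m["kind"], int(m["level"]), _norm_mode(m["mode"]), m["command"]))
            continue
        m = USER_RE.match(line)
        if m:
            users[m["name"]] = int(m["level"])
            continue
        if line.startswith("aaa authorization command "):
            cmd_authz = True
    return {"privileges": privs, "users": users, "command_authorization": cmd_authz}


def allowed_commands(parsed, level):
    """A user at level N may run every listed command assigned to a level <= N."""
    return {(kind, mode, cmd) for (kind, lvl, mode, cmd) in parsed["privileges"] if lvl <= level}


def audit_user(parsed, username):
    """List the user's reachable commands and any findings a reviewer should see."""
    level = parsed["users"][username]
    allowed = allowed_commands(parsed, level)
    findings = []
    if not parsed["command_authorization"]:
        findings.append("no 'aaa authorization command' line: privilege assignments are not enforced")
    if level >= 15:
        findings.append(f"{username} is privilege 15 and can run every command")
    for kind, mode, cmd in sorted(allowed):
        # 'show username' is harmless; running or clearing the command is not.
        if cmd in SENSITIVE and kind in ("cmd", "clear"):
            findings.append(f"level {level} may run '{cmd}' in {mode} mode")
    return {"user": username, "level": level, "allowed": allowed, "findings": findings}


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for user in cfg["users"]:
        report = audit_user(cfg, user)
        print(f"{user} (level {report['level']}): {len(report['allowed'])} listed commands")
        for f in report["findings"]:
            print("  FINDING:", f)
```

Run against a real `show running-config` dump by replacing `SAMPLE_CONFIG` with the file contents; the finding on the constructed input is the stray `username` line at level 5, which would let the integration account add or change local accounts.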

3 Replies

dalem00011
Level 1

Thanks Francesco, I appreciate your assistance!

You're welcome


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question