05-03-2010 11:19 PM - edited 03-11-2019 10:40 AM
Hi
We use a FWSM, version 4.0(6) with ASDM, version 6.1(5)F
I need to build a user role for a user who can just configure existing access-lists in ASDM. I decided to use privilege level 7 for that role.
First I created the ASDM-defined user roles (Admin (15), read only (5) & monitor only (3)).
Then I tried to give a level 7 user access to the configuration of access-lists:
privilege cmd level 7 mode configure command configure
privilege cmd level 7 mode configure command access-list
05-04-2010 08:54 AM
ASDM will not understand levels other than 3, 5 and 15.
Even though it can be more granular for CLI command authorization, ASDM does not know about these user priv levels, so it will not enforce it.
PK
05-04-2010 10:53 PM
PK,
Thanks for your answer. It's interesting to know that ASDM is just aware of levels 3, 5 & 15.
Now I decided to change the level 5 to give access to the access-list configuration.
privilege cmd level 5 mode configure command configure
privilege cmd level 5 mode configure command access-list
But even these settings don't affect anything. A level 5 user is still not able to configure access-lists in ASDM.
Does this mean that I cannot change the privileges for ASDM at all?
Thanks again
Patrik
05-05-2010 06:10 AM
If you go into ASDM and go under AAA Authentication you will see a button that says something like "Set ASDM privilege levels". Using that will move the commands to the levels that you need for ASDM to enforce it.
Note that ASDM 6.0 had a couple of defects related to this. The latest 6.2 versions work fine.
I hope it helps.
PK
05-06-2010 02:59 AM
Unfortunately this doesn't help.
I already set the ASDM levels (which are 3, 5 & 15). But levels 3 & 5 are not able to configure access-lists in ASDM, and I cannot give level 15 to our sysadmins.
I use ASDM 6.2(5) with my ASAs 8.2(2).
Question:
Is it possible to configure the privileges that someone is only able to configure access-lists and nothing else?
If yes, how can that be done?
Thanks
Patrik
05-06-2010 10:10 AM
With ASDM I am afraid not, you could do it with CLI and level 7 that you tried to do there. But ASDM will not honor it.
What you could do to hack it is to create a new level 15 user and do command authorization for that user. ASDM will let him do whatever he wants, but when he tries to push the commands the ASA will try to authorize these commands and fail all except for the ACL ones.
I hope it makes sense.
PK
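The workaround PK describes, written out as an ASA-side configuration. This is an added example, not configuration from the thread or from Cisco documentation: the server address 192.0.2.10, the key placeholder, the username aclops and the per-command permit list are assumptions. Because LOCAL command authorization only checks the user's privilege level, and a level 15 user passes every such check, the per-command decision has to come from an external TACACS+ server; the ASA sends each command ASDM pushes to that server, and the server policy permits only the ACL-related ones.

```text
! --- Example configuration (constructed for illustration, not from the original post) ---
! TACACS+ server that makes the per-command decision (address and key are placeholders)
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.10
 key REPLACE_WITH_SHARED_SECRET

! ASDM logins are authenticated against the server; LOCAL is a fallback for lockout protection
aaa authentication http console TACACS LOCAL
aaa authentication enable console TACACS LOCAL

! Every command the ASA receives (from ASDM or CLI) is authorized by the server
aaa authorization command TACACS LOCAL

! The ACL editor is level 15 so that ASDM shows the full editing UI;
! the restriction is enforced by the server, not by this privilege level
username aclops password REPLACE_WITH_PASSWORD privilege 15

! Server-side command policy for user aclops (illustrative; write it in your
! TACACS+ server's own syntax). Permit only what ACL editing needs:
!   permit  configure terminal
!   permit  access-list .*
!   permit  access-group .*
!   permit  show access-list .*
!   permit  show running-config access-list .*
!   permit  write memory
!   deny    .*   (everything else, including "no aaa ..." and "username ...")
```

Two things to check before relying on this: the LOCAL fallback on the authorization line means that while the TACACS+ server is unreachable, aclops is authorized locally as a plain level 15 user and the restriction disappears, so decide whether to keep the fallback or give the ACL editor no local account; and the "deny .*" rule must come after the permits, since the server evaluates the policy in order. Keep a separate full-admin account that is not subject to this policy so a mistake in the permit list cannot lock everyone out.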
05-06-2010 10:05 PM
PK,
Thanks for your clarification.
Patrik