06-09-2017 08:22 AM - edited 03-03-2019 08:34 AM
Hello,
I thought I posted this question but can find no evidence of it. So forgive me if I repeat myself.
I would like to find "examples" of setting a login user to have a limited set of functionality. I searched within the IOS command references and discovered the command "privilege exec level 10 configure". This lets a user with privilege 10 access the exec command "configure". I'm wondering how granular I can make this. I want to have a user who can go to a range of ports (or media type), and have the ability to do a "shut" - "no shut". Also setting the VLAN of a port. So far I've been marginally successful (that's actually a fail).
If anyone has any insight into or a good source of configuration examples using this feature I would appreciate if you shared your insight.
06-09-2017 08:55 AM
I don't believe you can restrict it to a range of interfaces but you can certainly allow a tech user to only configure at the interface level.
The feature is known as "role-based access control" or RBAC. A search on that will turn up some good documents. Here are a couple:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
https://www.packetmischief.ca/2015/03/13/role-based-access-control-in-ios/
http://brbccie.blogspot.my/2013/04/privilege-role-based-cli.html
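An added example, not part of the original replies or the linked documents: a minimal IOS CLI view (role-based CLI access) that limits a help-desk login to `shutdown` / `no shutdown` and access-VLAN changes in interface mode. The view name HELPDESK, the username hdtech and the bracketed secrets are placeholders, and command availability varies by platform and IOS release.

```cisco
! Constructed example; HELPDESK, hdtech and the <...> secrets are placeholders.
! CLI views require AAA and an enable secret.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret <ENABLE-SECRET>
!
! Views are created from the root view: run "enable view" in exec mode,
! authenticate with the enable secret, then enter configuration mode.
parser view HELPDESK
 secret <VIEW-SECRET>
 ! Exec mode: read-only diagnosis plus entry into configuration mode
 commands exec include show interfaces status
 commands exec include show vlan brief
 commands exec include configure terminal
 ! Global configuration mode: only the interface command
 commands configure include interface
 ! Interface mode: bounce a port and change its access VLAN, nothing else
 commands interface include shutdown
 commands interface include no shutdown
 commands interface include switchport access vlan
!
! Bind the local user to the view so it applies at login
username hdtech view HELPDESK secret <USER-SECRET>
```

Log in as the restricted user and run `show parser view` to confirm the active view, then check that a command outside the list (for example `show running-config`) is rejected.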
06-09-2017 09:18 AM
Excellent examples - I achieved 99% of what I'm needing on the first look at packetmischief! Thank you very much. I'm still playing with it, but enabling my Help Desk techs to change a port on a VLAN, cycle PoE for a port, and do simple diagnosis is just what the doctor ordered.
I'll keep using this! Thanks again.
06-09-2017 09:23 AM
You're welcome. Half the battle is knowing what Cisco calls it. Google usually points me to the rest of it. :)
Thanks for rating.