Customization of Privilege Level to limit techs' ability on switch

MARK CHRISTY
Level 1

Hello,

I thought I posted this question but can find no evidence of it. So forgive me if I repeat myself.

I would like to find "examples" of setting a login user to have a limited set of functionality. I searched within IOS command references and discovered the command "privilege exec level 10 configure". This lets a user with privilege 10 access the exec command "configure". I'm wondering how granular I can make this. I want to have a user who can go to a range of ports (or media type), and have the ability to do a "shut" - "no shut". Also setting the VLAN of a port. So far I've been marginally successful (that's actually a fail).

If anyone has any insight into or a good source of configuration examples using this feature I would appreciate if you shared your insight.

Accepted Solutions

Marvin Rhoads
Hall of Fame

I don't believe you can restrict it to a range of interfaces but you can certainly allow a tech user to only configure at the interface level.

The feature is known as "role-based access control" or RBAC. A search on that will turn up some good documents. Here are a couple:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

https://www.packetmischief.ca/2015/03/13/role-based-access-control-in-ios/

http://brbccie.blogspot.my/2013/04/privilege-role-based-cli.html

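A role-based CLI view for the help-desk case asked about above, as an added example that is not taken from the posts or the linked articles. The view name HELPDESK, the username helpdesk1 and every secret are placeholders, and keyword availability differs by platform and release, so check each `commands` line on the target switch.

```cisco
! Constructed example: names and secrets are placeholders, not values from the thread.
! Role-based CLI views require AAA and an enable secret (used to enter the root view).
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret <ENABLE-SECRET-PLACEHOLDER>
!
! The view lists only what a help-desk tech may run; everything else is hidden.
parser view HELPDESK
 secret <VIEW-SECRET-PLACEHOLDER>
 ! Read-only diagnosis of port state
 commands exec include all show interfaces
 ! Allow entry to configuration mode, but only the "interface" command inside it
 commands exec include configure terminal
 commands configure include interface
 ! Inside interface mode: bounce a port and change its access VLAN, nothing more
 commands interface include shutdown
 commands interface include no shutdown
 commands interface include switchport access vlan
!
! Bind a local account to the view so it is applied at login
username helpdesk1 view HELPDESK secret <USER-SECRET-PLACEHOLDER>
!
! Verification from an administrative session:
!   enable view HELPDESK      (enter the view using the view secret)
!   ?                         (only the commands included above should be listed)
!   show parser view          (prints the name of the active view)
```

Unlike `privilege exec level 10 configure`, which moves a command to a numbered level, a view is an allow-list: a command that is not explicitly included is not available to the user at all.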

3 Replies

MARK CHRISTY
Level 1

Excellent examples - I achieved 99% of what I'm needing on the first look at packetmischief! Thank you very much. I'm still playing with it, but enabling my Help Desk techs to change a port on a VLAN, cycle PoE for a port, and do simple diagnosis is just what the doctor ordered.

I'll keep using this! Thanks again.

You're welcome. Half the battle is knowing what Cisco calls it. Google usually points me to the rest of it. :)

Thanks for rating.