
user access

mohameddz
Level 1

Hi all;


I need your help please; I have 2 groups of admin users to manage my Cisco routers and switches, each group with a different level:

- one of them has full access, privilege 15 (OSPF, BGP, IP addresses...); no problem for this group

- the second one should have less access; he can change the config of some interfaces but not of the WAN interfaces, for example; he should not touch routing protocols...

Any idea how to configure this for the second group?


Regards.


Marvin Rhoads
Hall of Fame

You can use role-based CLI access.

I don't believe you can differentiate between interfaces once you give the rights to a given view (user level) to do interface level configuration, so your WAN routers may have some limitation in that regard.

Here are a couple of links explaining it in more detail:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

https://www.packetmischief.ca/2015/03/13/role-based-access-control-in-ios/

Thanks for your reply, Marvin;

that's what I found before, so I think that there is no solution to give access to some interfaces only.

Regards

You're welcome.

You could stitch something together externally with some network automation.

Something homegrown like a read-only script in a repository that allows an authenticated lower-privileged operator to execute a pre-defined set of allowed changes. You would use something like an SSH key for authentication between the host running the script and the switch or router.

Higher level of abstraction systems like Tail-F (now Cisco NSO) can also do this as part of their automation and orchestration capabilities.
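
The "pre-defined set of allowed changes" suggested in the reply above could be enforced by an allow-list check like the following, run on the automation host before anything is sent to the device. This is an added example, not code from the thread or from Cisco; the port range, VLAN range, permitted sub-commands and the function names `vet_change` and `safe_to_push` are assumptions.

```python
import re

# Constructed policy for illustration: the port range, VLAN range and permitted
# sub-commands below are assumptions, not values taken from the thread.
ALLOWED_IFACE = re.compile(r"GigabitEthernet0/([1-9]|1\d|2[0-4])")  # LAN ports 1-24
ALLOWED_SUBCMDS = (
    re.compile(r"description [\w .-]{1,60}"),
    re.compile(r"(no )?shutdown"),
    re.compile(r"switchport access vlan (1\d\d|200)"),  # VLANs 100-200
)

def vet_change(requested_lines):
    """Split an operator's requested config lines into (approved, rejected).

    Only full-name 'interface X' stanzas on allow-listed ports are accepted, and
    only allow-listed sub-commands inside them. Routing protocols, the WAN port,
    abbreviations and 'interface range' are rejected because they match nothing
    on the list (default deny).
    """
    approved, rejected, in_allowed_iface = [], [], False
    for raw in requested_lines:
        # A control character could smuggle a second command into one line.
        if any(ord(ch) < 32 for ch in raw):
            rejected.append(raw)
            continue
        line = " ".join(raw.split())  # what is vetted is exactly what is returned
        if not line:
            continue
        if line.startswith("interface "):
            in_allowed_iface = bool(ALLOWED_IFACE.fullmatch(line[len("interface "):]))
            (approved if in_allowed_iface else rejected).append(line)
        elif in_allowed_iface and any(p.fullmatch(line) for p in ALLOWED_SUBCMDS):
            approved.append(line)
        else:
            rejected.append(line)
    return approved, rejected

def safe_to_push(requested_lines):
    """All-or-nothing gate: push only when every requested line was approved."""
    approved, rejected = vet_change(requested_lines)
    return bool(approved) and not rejected

if __name__ == "__main__":
    # Constructed request: a LAN port change followed by a routing change.
    request = ["interface GigabitEthernet0/5", " no shutdown", "router ospf 1"]
    print(vet_change(request), safe_to_push(request))
```

The script should send only the normalized lines returned in `approved`, never the operator's raw input, so that the text that was checked is the text that reaches the device.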
