I need your help please; I have 2 groups of admin users to manage my Cisco routers and switches, each group with a different level:
- one of them has full access, privilege 15 (OSPF; BGP; IP addresses...), no problem for this group
- the second one should have less access; he can change the config of some interfaces but not the WAN interfaces, for example; he should not touch the routing protocols...
Any idea how to configure this for the second group?
You can use role-based CLI access.
I don't believe you can differentiate between interfaces once you give the rights to a given view (user level) to do interface-level configuration, so your WAN routers may have some limitation in that regard.
Here are a couple of links explaining it in more detail:
You could stitch something together externally with some network automation.
Something homegrown, like a read-only script in a repository that allows an authenticated lower-privileged operator to execute a pre-defined set of allowed changes. You would use something like an SSH key for authentication between the host running the script and the switch or router.
Higher-level abstraction systems like Tail-F (now Cisco NSO) can also do this as part of their automation and orchestration capabilities.
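Building on the second answer's idea of a script that only lets a lower-privileged operator submit a pre-defined set of changes, here is an added example (not code from this thread) of the policy check such a wrapper would run before anything is pushed to the device. The WAN and permitted interface names, the allowed per-interface commands and the sample change are all constructed for the example; pushing the accepted block over an SSH-key-authenticated session is left to the caller.

```python
import re

# Policy (constructed for this example): the interfaces the second admin
# group may touch, and the only per-interface commands it may issue.
WAN_INTERFACES = {"GigabitEthernet0/0", "Serial0/0/0"}
ALLOWED_INTERFACES = {"GigabitEthernet0/1", "GigabitEthernet0/2"}
ALLOWED_INTERFACE_CMDS = re.compile(
    r"^(description .+|shutdown|no shutdown|switchport access vlan \d+)$")
# Anything that enters a routing-protocol or global routing section is denied.
DENIED_PREFIXES = ("router ", "no router ", "ip route", "ip routing")


def validate_change(lines):
    """Check a proposed config block line by line against the policy.

    Returns (accepted, rejected): accepted is the list of lines that may be
    pushed, rejected is a list of (line, reason). Lines are only accepted
    while inside an 'interface' section the operator is allowed to edit.
    """
    accepted, rejected = [], []
    current_if = None  # interface section we are currently inside, if allowed
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and comments carry no change
        if line.startswith(DENIED_PREFIXES):
            rejected.append((line, "routing/global section not permitted"))
            current_if = None
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            name = m.group(1)
            if name in WAN_INTERFACES or name not in ALLOWED_INTERFACES:
                rejected.append((line, "interface outside operator scope"))
                current_if = None  # following sub-commands are rejected too
            else:
                current_if = name
                accepted.append(line)
            continue
        if current_if and ALLOWED_INTERFACE_CMDS.match(line):
            accepted.append(" " + line)  # re-indent as an interface sub-command
        else:
            rejected.append((line, "command not in allow-list"))
    return accepted, rejected


def build_push(lines):
    """Fail closed: return the config to push only if every line passed."""
    accepted, rejected = validate_change(lines)
    return accepted if not rejected else None
```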