10-13-2020 12:51 AM
Hi Guys,
I have a requirement that needs 2 user accounts (privilege 14 and 15) to have the exact same commands, except that privilege 14 users will not be able to create user accounts. I will also be using "aaa new-model" and have no RADIUS/TACACS+ server (only the local database).
I understand that privilege 15 has the capability to use ALL commands. I also understand that the default privilege 14 accounts have very little access as well, and in order to achieve what I want, I would need to configure thousands upon thousands of commands for the privilege 14 user.
My question - Is there a shorter way to achieve what I need?
I was thinking of 2 options.
First option - create 2 privilege 15 users, and remove the "username" command from one of the users. But I don't remember that I can do that.
Second option - configure thousands upon thousands of commands for user with privilege 14.
I am also currently exploring parser view too.
Hope that any kind souls out there will be able to answer my queries.
10-13-2020 01:41 AM
Hello,
Parser views should work. There is an 'include-exclusive' option which adds a command or an interface to the view and excludes the same command or interface from being added to all other views.
https://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
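A sketch of the parser-view approach suggested above, as an added example that is not part of the original posts or Cisco's own sample. The view name OPERATOR, the usernames admin15 and oper14, the `<...>` secrets and the particular command trees granted are constructed placeholders.

```cisco
! Constructed example: names and <...> secrets are placeholders.
aaa new-model
aaa authentication login default local
! Exec authorization lets IOS apply the view bound to a local username at login.
aaa authorization exec default local
! An enable secret must exist before the root view can be entered.
enable secret <ENABLE-SECRET>
!
! Views are defined from the root view: run "enable view" in EXEC mode
! (it prompts for the enable secret), then enter global configuration mode.
! A new view starts empty, so every command tree it may use is granted
! explicitly. "username" is never granted in configure mode below, so users
! of this view cannot create or change local accounts.
parser view OPERATOR
 secret <VIEW-SECRET>
 commands exec include all show
 commands exec include all ping
 commands exec include configure terminal
 commands configure include all interface
 commands configure include all ip
!
! Full administrator, and a restricted user bound to the view.
username admin15 privilege 15 secret <ADMIN-SECRET>
username oper14 view OPERATOR secret <OPER-SECRET>
```

The `commands` lines shown are only a starting set and need extending with each further command tree the restricted user requires. After logging in as oper14, `show parser view` confirms the active view, and `?` in configuration mode should not list `username`.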
10-13-2020 02:11 AM - edited 10-13-2020 03:05 AM
Hi Georg,
You are right.
But I believe that before I can use that command, I would need to make 2 "root" views, and then use the "inclusive" command on one of the views.
Is it even possible to create 2 root views?