Solved: You will need to define local

Michael Cole · ‎05-21-2014

We are looking to possibly delegate setting up AnyConnect to our Helpdesk (limited to ASDM, adding Apple UDIDs to a Access Policy.) The question I have is what privilege level should be assigned that will allow them to add the UDID and limit (as much as possible) other changes?

Marvin Rhoads · ‎05-21-2014

You will need to define local command authorization at custom privilege level at a level between 1-15 and assign the necessary commands to it (e.g Access-list, Configure, cmd in your example). Then assign your Helpdesk usernames that privilege level.

I don't believe you can restrict which access-lists they can edit - that's outside the scope of what you can do with ASDM (or the cli). you'd have to move to CSM or an external portal with more role-based access control tools built-in to get that granular.

See this section of the ASDM Configuration Guide for details.

View solution in original post

Marvin Rhoads · ‎05-21-2014

You will need to define local command authorization at custom privilege level at a level between 1-15 and assign the necessary commands to it (e.g Access-list, Configure, cmd in your example). Then assign your Helpdesk usernames that privilege level.

I don't believe you can restrict which access-lists they can edit - that's outside the scope of what you can do with ASDM (or the cli). you'd have to move to CSM or an external portal with more role-based access control tools built-in to get that granular.

See this section of the ASDM Configuration Guide for details.

Michael Cole · ‎05-22-2014

Thanks, Marvin, that is very helpful. Thank you for taking the time to answer.

What privilege level is required...