Re: Privileges

From: Bob Chahal (bob.chahal@xxxxxxxxxxxx)
Date: Sat Jun 09 2001 - 08:17:59 GMT-3


   
I just had a quick look at CCO and the Q&A forum and it doesn't look like you
can. If you needed to allow a particular group of users access to show ip
int brief and only that command, a menu would be a good option. Below is a
cut and paste from the Q&A.

###############################################################################################

Question: Can I use the privilege exec level to allow write term or show
running-config?

Our engineers are not allowed the "enable" password, but they do need to
look at the running configuration for both debugging purposes and
engineering network changes.

I've tried these commands:

privilege exec level 2 write terminal
privilege exec level 2 write
privilege exec level 2 show running-config
privilege exec level 2 show

but I can never get a listing of running configs without the full enable
password.

What am I doing wrong?

Answer:

This is a common question that comes up when configuring privilege level
access.

Here's how to do it:

The write terminal/show running-config command shows a blank configuration.

The write terminal/show running-config command will display all of the
commands that the current user is able to modify (all the commands at or
below the user's current privilege level). It should not display commands
above the user's current privilege level because of security
considerations. If it did, commands like snmp-server community could be
used to modify the current configuration of the router and gain complete
access to the router.

The show config/show startup-config command will display a full
configuration.

The show config/show startup-config command does not really show the
configuration. It simply prints out the contents of NVRAM, which just
happen to be the configuration of the router at the time the user does a
write memory.

To enable a privileged user to view the entire configuration in memory, the
user will need to have modify privileges for all commands that are
configured on the router.

----- Original Message -----
From: "Guy Farber" <gfarber@cisco.com>
To: <ccielab@groupstudy.com>
Sent: Saturday, June 09, 2001 9:44 AM
Subject: Privileges

> Guys,
>
> When giving a privilege to a command with multiple keywords, like "show ip
> interface brief" all the other commands under "show" and so on are
> permitted. Do you know how to deny permission to all other related commands
> without changing their privilege level one by one?
> ------------------------------------------------------------------------------------
> Guy Farber                            Tel:     +972 (9) 9700-363
> Systems Engineer                 GSM:  +972 (54) 975-363
> Cisco Systems Israel            Fax:    +972 (9) 9700-019
>                                             Email:  gfarber@cisco.com
> ------------------------------------------------------------------------------------
> **Please read:http://www.groupstudy.com/list/posting.html
**Please read:http://www.groupstudy.com/list/posting.html
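
The menu approach suggested in the reply above, sketched as an IOS configuration. This is an added example, not part of the original thread; the menu name "noc", the username "noc1" and the secret placeholder are assumptions.

```ios
! Added example (hypothetical names): restrict a group of users to
! "show ip interface brief" with a menu instead of "privilege exec level".
!
! Item 1 runs the one permitted command; "pause" holds the output on
! screen until the user presses a key, then the menu is redrawn.
menu noc text 1 Show IP interface brief
menu noc command 1 show ip interface brief
menu noc options 1 pause
!
! Item 2 runs the EXEC command "exit", which closes the session.
menu noc text 2 Log out
menu noc command 2 exit
menu noc clear-screen
!
! Local account that stays at privilege level 1 and is placed directly
! into the menu at login. Replace the placeholder with a real secret.
username noc1 privilege 1 secret <PLACEHOLDER-SECRET>
username noc1 autocommand menu noc
!
! The vty lines must authenticate against the local user database so
! that the per-user autocommand is applied.
line vty 0 4
 login local
```

Because no "privilege exec level" lines are used, the privilege level of "show" and its other keywords stays at the default.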


This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:21 GMT-3