From: David L Stewart (D.Stewart@xxxxxxxxxxxxxxx)
Date: Tue Aug 06 2002 - 08:16:54 GMT-3
I know of no way to take a command away from a single user.
You can assign a user a particular priv level.
You can take it away from a particular priv level. Does
it really say "show" command or is it an enable command?
It would make more sense to be one of the enable mode
commands, like "configure". Then, you can make a priv
level just for that person (from 2 to 14).
The key here is to realize that the levels inherit commands.
Since the show command is valid for unenabled mode, priv
level 1, the user who cannot use "show" should be placed
on level 0. This is because all other levels will be
able to do a "show" already. The only one that can't is
priv level 0. (But he can't do anything unless explicitly
configured.)
username ciscousr privilege 0 password 0 ciscopwd
Then, you need to add the commands they _are_ allowed,
leaving out "show":
privilege exec level 0 connect
privilege exec level 0 telnet
privilege exec level 0 rlogin
privilege exec level 0 ping
privilege exec level 0 traceroute
...
Remember that the allowed commands are compound. This
means that you must be explicit or everything that
starts with that word is allowed.
If anyone can think of how to take "show" away from priv
level 1 (or 2-15 for that matter), please post it.
Dave
-
At 06:55 PM 8/5/2002, Pei Gang Zhang wrote:
>question:
> There are many users on the router; please limit the user whose password is
>'test' so that they cannot use the 'show' command.
> how to config?
>
>
>Zhang Peigang
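An added example, not part of the original post: a small Python check that models the level inheritance and prefix matching described in the reply above and reports which users in a configuration can reach a given command. The sample configuration is constructed, and the model assumes that a username line without a privilege keyword means level 1 and that any command not moved by a "privilege exec level" line stays at the default level passed in.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
username ciscousr privilege 0 password 0 ciscopwd
username netadmin privilege 15 password 0 adminpwd
username helpdesk password 0 helppwd
privilege exec level 0 connect
privilege exec level 0 telnet
privilege exec level 0 ping
privilege exec level 0 traceroute
"""

USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")
PRIV_RE = re.compile(r"^privilege\s+exec\s+level\s+(\d+)\s+(.+)$")


def parse(config):
    """Return ({user: level}, {command prefix: level}) from config text."""
    users, moved = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            # Assumption: no "privilege N" on the line means level 1.
            users[m.group(1)] = int(m.group(2)) if m.group(2) else 1
            continue
        m = PRIV_RE.match(line)
        if m:
            moved[m.group(2).strip()] = int(m.group(1))
    return users, moved


def command_level(command, moved, default_level=1):
    """Level needed for a command: the longest configured prefix wins."""
    tokens = command.split()
    best_len, level = 0, default_level
    for prefix, lvl in moved.items():
        p = prefix.split()
        # "Compound" rule: an entry covers everything that starts with it.
        if tokens[:len(p)] == p and len(p) > best_len:
            best_len, level = len(p), lvl
    return level


def can_run(users, moved, command, default_level=1):
    """Levels inherit: a user may run commands at or below their own level."""
    need = command_level(command, moved, default_level)
    return {user: lvl >= need for user, lvl in users.items()}
```

Running can_run() for "show version" against a candidate configuration before it is applied shows whether a broad level 0 entry has handed "show" back to the restricted user.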