Re: Basic privilege issue

From: Christian Zeng (christian@zengl.net)
Date: Fri Jan 04 2008 - 17:47:48 ARST


Hi,

* YourPal wrote on 04.01.2008 19:03:
> In summary, my requirement of allowing a user to view the complete "sh run"
> but not permitting him to configure anything cannot be achieved.

It is possible. You can assign all needed config mode commands down to
level 7, but leave all exec level commands (except for sh run) at level
15. This way, a show run lists all config commands assigned to level 7,
but the user is not able to switch into config mode or do any other
stuff on the exec level that requires level 15 like copy or write.

A better and more scalable approach is to use an external authentication
server with command authorization. You can leave all commands at the
default level, but based on profile information on that server you allow
or reject certain commands (like configure).

Christian
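
The two approaches from the reply above as a Cisco IOS configuration sketch; this is an added example, not part of the original message. Assumed for illustration: the user name `viewer`, the particular config commands moved to level 7, TACACS+ as the external server protocol, the documentation address 192.0.2.10, and the placeholder secrets.

```cisco
! --- Approach 1: local privilege levels ---------------------------------
! Exec mode: only "show running-config" is moved down to level 7.
! "configure", "copy" and "write" are not touched and stay at level 15.
privilege exec level 7 show running-config
!
! Config-mode commands moved to level 7 so that they appear in the
! level-7 "show run" output. Extend this list with every command the
! user is supposed to see (the selection below is an assumption).
privilege configure level 7 hostname
privilege configure level 7 interface
privilege configure level 7 ip route
privilege interface level 7 description
privilege interface level 7 ip address
privilege interface level 7 shutdown
!
! Hypothetical read-only account that logs in at level 7.
username viewer privilege 7 secret <PLACEHOLDER-PASSWORD>
line vty 0 4
 login local
!
! Check from a "viewer" session:
!   show privilege         -> reports level 7
!   show running-config    -> lists the commands moved to level 7
!   configure terminal     -> rejected, still a level 15 command
!
! --- Approach 2: external server with command authorization -------------
! All commands stay at their default levels. Each level 15 command is
! sent to the server, whose profile for the user permits "show" and
! rejects "configure". The profile syntax depends on the server product.
aaa new-model
tacacs-server host 192.0.2.10 key <PLACEHOLDER-KEY>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Also authorize commands typed inside config mode.
aaa authorization config-commands
```

With the `local` fallback shown here, local accounts and their privilege levels decide access whenever the server is unreachable, so review those accounts as well.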


