I am trying to ONLY allow "show ip nat translations" to a user in privilege 10.
Restriction: I can't use role-based CLI access to solve this, or centralized authorization (i.e. TACACS ...).
My solution, which works, is to take all the shows and put them under priv 15, except for the "show ip nat translations":
priv exec level 15 show aaa
priv exec level 15 show aal2
priv exec level 15 show access-expression
priv exec level 15 show access-lists
priv exec level 15 show adjacency
< ... continue with all the remaining possible shows, then>
priv exec level 15 show ip nat statistics
priv exec level 15 show ip nat nvi
priv exec level 10 show ip nat translations
priv exec level 10 show ip nat
priv exec level 10 show ip
Question: is there a quicker way to do this?
Note: You probably know this, but the solution which consists in writing just one line:
"priv exec level 10 show ip nat translations" does not fulfill the requirement because it allows more than is requested.
Here is what you get while in privilege 10.
R2#sh ip nat ?
nvi NVI information
statistics Translation statistics
translations Translation entries
and other shows:
R2#show ?
aaa Show AAA values
aal2 Show commands for AAL2
access-expression List access expression
access-lists List access lists
adjacency Adjacent nodes
aliases Display alias commands
alps Alps information
< more output ...>
Any workaround?
Thanks
Pierre
Received on Fri Aug 26 2011 - 13:46:39 ART
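
Added example, not part of the original post: a Python sketch that generates the privilege lines described above from captured "?" help output, raising every sibling keyword along the allowed path to level 15 and then lowering the allowed command and its prefixes to level 10 in the same order as the post. The function names, the SAMPLE capture and the "show ip ?" rows are constructed for illustration; it writes the full "privilege" keyword where the post uses the abbreviation "priv", and it extends the post's pattern to the siblings at every level of the path.

```python
import re

def parse_help(text):
    """Return the keywords listed in captured IOS '?' help output."""
    words = []
    for line in text.splitlines():
        tok = line.split()
        # Skip blanks, prompt lines (R2#show ?) and non-keyword rows (<cr>, |, <more ...>).
        if not tok or "#" in tok[0] or not re.match(r"[A-Za-z0-9]", tok[0]):
            continue
        words.append(tok[0])
    return words

def build_privilege_lines(help_by_prefix, allowed, low=10, high=15):
    """Raise every sibling of the allowed command to `high`, then lower the allowed path."""
    path = allowed.split()
    lines = []
    for depth in range(1, len(path)):
        prefix = " ".join(path[:depth])
        for word in parse_help(help_by_prefix[prefix]):
            if word != path[depth]:
                lines.append(f"privilege exec level {high} {prefix} {word}")
    # Same order as the post: full command first, then each shorter prefix.
    for depth in range(len(path), 1, -1):
        lines.append(f"privilege exec level {low} {' '.join(path[:depth])}")
    return lines

# Constructed sample: truncated help captures; the "show ip ?" rows are assumed.
SAMPLE = {
    "show": """R2#show ?
  aaa                Show AAA values
  access-lists       List access lists
  ip                 IP information
  <more output ...>""",
    "show ip": """R2#show ip ?
  interface          IP interface status and configuration
  nat                IP NAT information
  route              IP routing table""",
    "show ip nat": """R2#sh ip nat ?
  nvi           NVI information
  statistics    Translation statistics
  translations  Translation entries""",
}

if __name__ == "__main__":
    print("\n".join(build_privilege_lines(SAMPLE, "show ip nat translations")))
```

The generated list is only as complete as the help captures fed to it, so each capture should be taken at privilege 15 and re-taken after an IOS upgrade.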