This might be too restrictive, did they only want that ONE command 'show ip
nat translation', my menu gives them the 'logout' command...
A different approach is to use a menu (I used 'sh ip int br' because I didn't
have a nat table to show):
username nat privilege 10 password 0 nat
username nat autocommand menu NAT
menu NAT title ^C
Nat Menu
^C
menu NAT prompt ^C
Please enter your selection: ^C
menu NAT text 2 show ip int br
menu NAT command 2 show ip int br
menu NAT text Exit Exit
menu NAT command Exit logout
--
Garry L. Baker
"With sufficient thrust, pigs fly just fine..." - RFC 1925
On Fri, Aug 26, 2011 at 3:46 PM, Pierre-Alex Guanel <paguanel_at_gmail.com> wrote:
> I am trying to ONLY allow "show ip nat translations" to a user in
> privilege 10
>
> Restriction: I can't use role based CLI access to solve this or centralized
> authorization (i.e. TACACS ...)
>
> My solution which works is to take all the shows and put them under priv
> 15, except for the "show ip nat translations":
>
>
> priv exec level 15 show aaa
> priv exec level 15 show aal2
> priv exec level 15 show access-expression
> priv exec level 15 show access-lists
> priv exec level 15 show adjacency
> < ... continue with all the remaining possible shows, then>
> priv exec level 15 show ip nat statistics
> priv exec level 15 show ip nat nvi
> priv exec level 10 show ip nat translations
> priv exec level 10 show ip nat
> priv exec level 10 show ip
>
> Question: is there a quicker way to do this?
>
>
> Note: You probably know this, but the solution which consists in writing
> just one line:
>
> "priv exec level 10 show ip nat translations" does not fulfill the
> requirement because it allows more than is requested.
>
>
> Here is what you get while in privilege 10.
>
>
> R2#sh ip nat ?
> nvi NVI information
> statistics Translation statistics
> translations Translation entries
>
> and others show
>
>
> R2#show ?
> aaa Show AAA values
> aal2 Show commands for AAL2
> access-expression List access expression
> access-lists List access lists
> adjacency Adjacent nodes
> aliases Display alias commands
> alps Alps information
>
> < more output ...>
>
>
> Any workaround?
>
> Thanks
>
> Pierre
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Fri Aug 26 2011 - 16:42:02 ART
This archive was generated by hypermail 2.2.0 : Thu Sep 01 2011 - 06:05:56 ART
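
Added example (not part of either poster's message): one way to avoid typing the per-keyword lines from the quoted question by hand is to generate them from pasted "?" output. The function names and the constructed sample help text are assumptions for illustration, and the full "privilege" keyword is used where the post abbreviates it as "priv".

```python
# Added example: generate the "privilege exec level" lines from pasted "?" output.

def parse_keywords(help_output):
    """Return the keyword (first column) of each line of IOS "?" help output."""
    keywords = []
    for line in help_output.splitlines():
        tokens = line.split()
        # Skip blanks, the prompt line ("R2#show ?") and markers such as <cr>.
        if not tokens or "#" in tokens[0] or tokens[0].startswith("<"):
            continue
        keywords.append(tokens[0])
    return keywords

def lockdown(help_by_prefix, allowed, user_level=10, admin_level=15):
    """Raise every sibling of `allowed` to admin_level, then lower the allowed
    command and its parents to user_level (same order as the original post)."""
    words = allowed.split()
    config = []
    for depth in range(1, len(words)):
        prefix = " ".join(words[:depth])
        for keyword in parse_keywords(help_by_prefix[prefix]):
            if keyword != words[depth]:
                config.append(f"privilege exec level {admin_level} {prefix} {keyword}")
    for depth in range(len(words), 1, -1):
        config.append(f"privilege exec level {user_level} {' '.join(words[:depth])}")
    return config

# Sample help output. "show ip nat ?" is from the post; the "show ?" list is the
# post's truncated list plus a constructed "ip" entry; "show ip ?" is constructed.
HELP = {
    "show": """R2#show ?
  aaa                Show AAA values
  aal2               Show commands for AAL2
  access-expression  List access expression
  access-lists       List access lists
  adjacency          Adjacent nodes
  ip                 IP information
""",
    "show ip": """R2#show ip ?
  interface  IP interface status and configuration
  nat        IP NAT information
  route      IP routing table
""",
    "show ip nat": """R2#sh ip nat ?
  nvi           NVI information
  statistics    Translation statistics
  translations  Translation entries
""",
}

if __name__ == "__main__":
    print("\n".join(lockdown(HELP, "show ip nat translations")))
```

The keyword lists differ between IOS images, so the "?" output at each level has to be captured in full from the device being configured rather than reused from another one.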