Lab Minutes Forum

Technical Discussion => Security => Topic started by: abhisheksha on December 14, 2014, 10:38:47 PM

Title: Cisco Secure ACS Queries
Post by: abhisheksha on December 14, 2014, 10:38:47 PM
Hi,

I had a few queries on Cisco ACS:

1. Creating different groups for devices. The same user may have different access rights to different groups. We have two groups of devices – group 1 devices and group 2 devices. The same user may have read/write access to the group 2 devices but only read access to the group 1 devices.

2. When the write privilege is granted to a particular user, can we restrict the write privilege so that it is only effective within a certain time window, without affecting read access?

3. When we grant the write privilege to a particular user, can we restrict him/her to accessing only a particular device (or a few devices)?

Can you please tell me as to how would this be possible?

Thank you!
 
Title: Re: Cisco Secure ACS Queries
Post by: MC on December 15, 2014, 12:02:14 AM
Assuming ACS 5.x, this should be possible. Which device or privilege you want to grant to which user can be defined under the authorization policy. Just make sure you put the more specific rules at the top. For example,

User Group A + Device Group A + Time A = Read/Write
User Group A + Device Group A + Time B = Read Only
User Group A + Device Group B + Time All = Read Only
User Group B + Device Group C + Time All = Read Only
etc.
and Read/Write and Read Only can be controlled using Shell Privilege Level or Command Authorization (TACACS required).

Title: Re: Cisco Secure ACS Queries
Post by: abhisheksha on December 15, 2014, 12:08:54 AM
Thank you. I have figured out how to carry out the first two cases successfully.

Can you please provide detailed steps as to how I will give write privileges on a per-device level?

Thanks!

Title: Re: Cisco Secure ACS Queries
Post by: MC on December 16, 2014, 10:26:19 PM
While you can do it per device, most likely you want to do it by a group of devices just to keep your authorization rules short. You can use Device Filter to arbitrarily group devices instead of using the Device Type/Location. To give write privileges, you can use a combination of Privilege 15 and Command Authorization that allows 'configuration terminal', as opposed to read-only, where you would block it.
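A small model of the ordered authorization policy and the command-authorization split described in this thread, added here as an example; it is not code from the thread or from Cisco ACS. The rule table follows MC's reply, but the time windows (Time A assumed to be 08:00-18:00, Time B the remaining hours), the device group names and the config-mode command spelled as 'configure terminal' are assumptions; shadowed_rules flags the mis-ordering MC warns about, where a catch-all rule placed above a more specific one makes the specific rule unreachable.

```python
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    user_group: str                      # ACS identity group
    device_group: str                    # device group or Device Filter name
    window: Optional[Tuple[time, time]]  # (start, end); None means "Time All"
    profile: str                         # "Read/Write" or "Read Only"

    def matches(self, user_group: str, device_group: str, at: time) -> bool:
        if (self.user_group, self.device_group) != (user_group, device_group):
            return False
        return self.window is None or self.window[0] <= at < self.window[1]

# Constructed rule table following the reply above. Time A is assumed to be
# 08:00-18:00; Time B is assumed to be every other hour, so it sits below Time A.
POLICY: List[Rule] = [
    Rule("User Group A", "Device Group A", (time(8), time(18)), "Read/Write"),
    Rule("User Group A", "Device Group A", None, "Read Only"),
    Rule("User Group A", "Device Group B", None, "Read Only"),
    Rule("User Group B", "Device Group C", None, "Read Only"),
]

def authorize(policy: List[Rule], user_group: str, device_group: str, at: time) -> str:
    """First-match evaluation: the first rule whose conditions hold decides the result."""
    for rule in policy:
        if rule.matches(user_group, device_group, at):
            return rule.profile
    return "Deny"  # no rule matched: default deny

def shadowed_rules(policy: List[Rule]) -> List[Rule]:
    """Rules that can never fire because an earlier Time All rule for the same
    user/device groups precedes them (the specific rule must be on top)."""
    shadowed = []
    for i, rule in enumerate(policy):
        if any(e.window is None and (e.user_group, e.device_group) ==
               (rule.user_group, rule.device_group) for e in policy[:i]):
            shadowed.append(rule)
    return shadowed

def command_permitted(profile: str, command: str) -> bool:
    """Command authorization: entering configuration mode needs the Read/Write profile."""
    if profile == "Deny":
        return False
    if command.startswith("configure terminal"):
        return profile == "Read/Write"
    return True  # show commands and the like are allowed under both profiles
```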