We are unable to deny ASA admin functions to users who have connected via VPN.
In summary, any user that makes a remote VPN connection to our ASA is able to start up ASDM and/or the https java applet regardless of the privileges set. This, in our opinion, is bad.
1) Local authentication used.
2) Privilege set to 0 (zero) - have also tried 1 & 2.
3) User makes remote VPN connection.
4) User able to use ASDM/https to view any/all of the ASA configuration, but is not able to make changes.
Would appreciate advice on how admin functions can be denied, but still permit access to local LAN.