ACS - Per User Command Authorization

Unanswered Question
Apr 24th, 2008


I am trying to limit the commands a user can use.

I would like to limit the user to a single "Show" command.

So I have done the following in the Per User Command Authorization section of the user's account:

deny unmatched commands

command = show

arguments = permit run interface

permit unlisted arguments (as I want the user to be able to look at any interface)

With this setting the user cannot use any command that does not start with "show".

They can also use the "show run interface" command followed by the interface name to look at the settings.

That works fine.

But the user can also use any other command that starts with the word "show",

but I don't want them to be able to do this.

How can I limit them to only show run int xxxx?
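
The settings listed in the question, as an added example that is not part of the original post and is not ACS code: a simplified model of the permit/deny decision, showing how the "unlisted arguments" choice decides what happens to every other "show" command. The names `Policy`, `CommandRule` and `authorize` are hypothetical, and matching a listed argument as a word-for-word prefix is an assumption; ACS's own matcher and the exact argument strings a device sends are not reproduced here.

```python
from dataclasses import dataclass, field

@dataclass
class CommandRule:
    arguments: list          # (action, argument words), e.g. ("permit", "run interface")
    unlisted_arguments: str  # "permit" or "deny": applies when no listed entry matches

@dataclass
class Policy:
    unmatched_commands: str  # "permit" or "deny": applies when the command is not listed
    commands: dict = field(default_factory=dict)

def authorize(policy, line):
    """Return True if the command line would be permitted under this model."""
    words = line.split()
    if not words:
        return False
    cmd, args = words[0], words[1:]
    rule = policy.commands.get(cmd)
    if rule is None:
        return policy.unmatched_commands == "permit"
    for action, pattern in rule.arguments:
        want = pattern.split()
        # Assumption: a listed entry matches when the arguments begin with its words.
        if args[:len(want)] == want:
            return action == "permit"
    # No listed entry matched: the "unlisted arguments" setting decides.
    return rule.unlisted_arguments == "permit"

def make_policy(unlisted):
    rule = CommandRule([("permit", "run interface")], unlisted)
    return Policy("deny", {"show": rule})

AS_POSTED = make_policy("permit")  # the settings from the question
TIGHTENED = make_policy("deny")    # same entry, unlisted arguments denied

# Constructed sample command lines.
SAMPLES = ["show run interface Gi0/1", "show version", "show run", "configure terminal"]

def evaluate(policy):
    return {line: authorize(policy, line) for line in SAMPLES}

if __name__ == "__main__":
    for name, pol in (("as posted", AS_POSTED), ("unlisted arguments denied", TIGHTENED)):
        print(name)
        for line, ok in evaluate(pol).items():
            print(f"  {'PERMIT' if ok else 'DENY  '}  {line}")
```

In this model the interface name stays free-form because the listed entry only has to match the leading words, so permitting unlisted arguments is not needed for that purpose.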

akresnadi Mon, 04/28/2008 - 19:20


I think I had the same issue a long time ago, and if I remember correctly, the solution is to use:

aaa authorization config-commands

