User Account permissions in ASDM

Answered Question
Jan 4th, 2010

Can you configure user account permissions that apply to the ASDM interface from the CLI? For instance, I need to give someone read-only access to the ASDM so they can view but cannot make changes to the config.

Can this be done using the CLI?

Mario

Panos Kampanakis Mon, 01/04/2010 - 09:22

Yes, that will make use of priv level 5.

ASDM helps you configure it. If you go to Device Management > AAA Access > Authorization > Set ASDM Defined User Roles, you can assign priv 5 to a user and that user will be able to only read in ASDM.

I hope it helps.

PK

marioderosa2008 Mon, 01/04/2010 - 09:28

Thanks for the quick response.

Do you know if you can configure this from the CLI rather than from the ASDM?

And do you know if those permissions apply to the user both when logged in to the ASDM and the CLI?

Mario

Panos Kampanakis Mon, 01/04/2010 - 10:01

Yes, they apply to both ASDM and CLI. Users of priv 5 will be able to run only the commands that are of priv 5.

The commands ASDM will push for the priv levels are:

      privilege show level 3 mode configure command aaa
      privilege show level 3 mode exec command aaa
      privilege clear level 3 mode configure command aaa-server
      privilege show level 3 mode configure command aaa-server
      privilege clear level 3 mode exec command aaa-server
      privilege show level 3 mode exec command aaa-server
      privilege show level 3 mode configure command access-list
      privilege show level 3 mode exec command access-list
      privilege clear level 3 mode configure command arp
      privilege show level 3 mode configure command arp
      privilege clear level 3 mode exec command arp
      privilege show level 3 mode exec command arp
      privilege show level 5 mode configure command asdm
      privilege show level 3 mode exec command asdm
      privilege show level 3 mode exec command asp
      privilege show level 3 mode exec command blocks
      privilege show level 3 mode configure command clock
      privilege show level 3 mode exec command clock
      privilege show level 3 mode exec command compression
      privilege show level 3 mode exec command cpu
      privilege clear level 3 mode configure command crypto
      privilege show level 3 mode configure command crypto
      privilege clear level 3 mode exec command crypto
      privilege show level 3 mode exec command crypto
      privilege show level 3 mode configure command dhcpd
      privilege show level 3 mode exec command dhcpd
      privilege clear level 3 mode exec command dns-hosts
      privilege show level 3 mode exec command dns-hosts
      privilege show level 3 mode exec command eigrp
      privilege cmd level 3 mode configure command failover
      privilege show level 3 mode configure command failover
      privilege cmd level 3 mode exec command failover
      privilege show level 3 mode exec command failover
      privilege show level 3 mode exec command firewall
      privilege show level 5 mode exec command import
      privilege show level 3 mode configure command interface
      privilege show level 3 mode exec command interface
      privilege show level 3 mode configure command ip
      privilege show level 3 mode exec command ip
      privilege show level 3 mode exec command ipv6
      privilege clear level 3 mode configure command logging
      privilege show level 3 mode configure command logging
      privilege clear level 3 mode exec command logging
      privilege cmd level 3 mode exec command logging
      privilege show level 3 mode exec command logging
      privilege show level 3 mode exec command mode
      privilege show level 3 mode exec command module
      privilege show level 3 mode exec command ospf
      privilege cmd level 3 mode exec command perfmon
      privilege cmd level 3 mode exec command ping
      privilege show level 5 mode configure command privilege
      privilege show level 3 mode exec command reload
      privilege show level 3 mode configure command route
      privilege show level 3 mode exec command route
      privilege show level 5 mode exec command running-config
      privilege show level 3 mode configure command ssh
      privilege show level 3 mode exec command ssh
      privilege show level 3 mode exec command uauth
      privilege show level 3 mode exec command vlan
      privilege show level 3 mode exec command vpn
      privilege show level 3 mode exec command vpn-sessiondb
      privilege show level 3 mode exec command vpnclient
      privilege show level 3 mode exec command wccp
      privilege show level 3 mode exec command webvpn
      privilege cmd level 3 mode exec command who

I hope it helps.

PK

jimmyc_2 Fri, 06/04/2010 - 13:50

Hi PK

I tried setting user Bob to level 5, both via ASDM and via command line. I confirmed it by looking at username. But when I log in as Bob, I can still change descriptions on the FW rule set. Any thoughts? Thanks. jimmyc

sureshkrishnan Mon, 01/04/2010 - 10:28

Hi,

You could also try this.

aaa authentication http console LOCAL

(Config)# username test password test

(Config)# username test attribute

(Config-username)# service-type nas-prompt

Regards,

Suresh
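Putting PK's answer (privilege levels apply to both ASDM and the CLI) and Suresh's snippet (local HTTP authentication plus a username with service-type) together, here is the complete read-only ASDM user done from the CLI. This is an added example, not configuration posted by anyone in the thread; the usernames and the password placeholders are made up, and the two privilege lines at the end are just the relevant entries from the list ASDM pushes above.

```text
! Added example (not from the original thread). Assumes the local user
! database. "asdm-ro", "asdm-admin" and <placeholder> are made-up values.
!
! Authenticate ASDM (HTTPS), SSH and enable against the local database
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
!
! Command authorization is what makes the privilege levels bite, for both
! ASDM and the CLI. Without it every authenticated user gets full access
! and a "privilege 5" user can still change the config. Have a working
! privilege 15 user before enabling this, or you lock yourself out.
aaa authorization command LOCAL
!
! Management authorization: only with this is service-type honored
aaa authorization exec LOCAL
!
! Read-only ASDM user: privilege 5. nas-prompt gives a CLI prompt but
! the user cannot reach level 15 without the enable password
username asdm-ro password <placeholder> privilege 5
username asdm-ro attributes
 service-type nas-prompt
!
! Full administrator: privilege 15
username asdm-admin password <placeholder> privilege 15
username asdm-admin attributes
 service-type admin
!
! Two of the lines ASDM pushes: running-config is readable only from
! level 5 up, interface status from level 3 (monitor) up
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command interface
```

To check the result, log in as the read-only user over SSH and run `show curpriv`; it should report level 5. If that user can still modify rules from ASDM (the symptom jimmyc describes), the first thing to verify is that `aaa authorization command LOCAL` is actually in the running config, because `username ... privilege 5` on its own is not enforced.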

marioderosa2008 Mon, 01/04/2010 - 13:55

Thanks,

I'm getting there now. I have a strange issue where if I set a user a privilege level of 1, they can access the configuration tab of the ASDM but all configuration is blank.

No firewall rules, network objects, VPN profiles. NOTHING.

Then the moment I change the privilege level to 2 or higher, the user has no access to the config tab at all. I'd like to raise the privilege level for accessing the Configuration tab so that I can configure more granular access.

Do you know how to do this? Is it one of the privilege commands posted previously?

Mario

Correct Answer
Panos Kampanakis Mon, 01/04/2010 - 14:01

You can't get more granular than that.

ASDM recognizes 3 types of user priv, 2, 5 and 15 (monitor, read-only, admin respectively).

You can move commands to different levels but that will correspond only to CLI. ASDM will recognize only the levels above for the functions/commands it does. If you move commands up and down ASDM will try to do its best and when it tries to apply a command that has been arbitrarily moved it will throw an error.

PK
