I have been asked to set up an ID for our Tripwire application to access our network devices to check our configuration on a regular basis. I was told the ID needed "enable" AND the ability to do a 'show run'. I am trying to use ACS 4.2 by creating a group and placing a single user called TRIP in the group. I have tried assigning the group to any privilege other than 15 but none have enable privilege. In ACS Group configuration, I have it set to:
Shell Command Authorization Set
Per Group Command Authorization
Unmatched Cisco IOS commands = Deny
x Command = show
Arguments = permit run
Unlisted arguments = Deny
It's like setting up an ID for a new network administrator and restricting their access until they are ready. Has anyone done this before?