Hi,

Using an ASA 8.2(3) I'm trying to use local command authorization to restrict users in a multiple context, multi-tenant firewall from executing commands which could negatively impact other contexts.  Ideally I will not use radius/tacacs for this.  I want context administrators to use ASDM and SSH.  For the ASDM to function correctly it looks like it needs to be able to execute lots of different 'show' commands.  I also want to give context administrators sufficient commands to be able to carry out common administrative functions.

So my first shot at config looks like this:

username test password test privilege 5
aaa authorization command LOCAL
aaa authorization exec LOCAL

!

privilege cmd level 5 mode configure command interface
privilege cmd level 5 mode configure command access-list
privilege cmd level 5 mode configure command static
privilege cmd level 5 mode configure command access-group
privilege cmd level 5 mode interface command ip
privilege cmd level 5 mode subinterface command ip
privilege cmd level 5 command show

The initial problem I have is that 'privilege cmd level 5 command show' doesn't work.  I need to specify each variance of show, for example:

privilege show level 5 mode exec command running-config

This is going to result in unecessarily bloated configurations, does anyone know of a more elegant way to permit ALL show commands?

Many thanks in advance!

George