Hi,
Using an ASA 8.2(3) I'm trying to use local command authorization to restrict users in a multiple context, multi-tenant firewall from executing commands which could negatively impact other contexts. Ideally I will not use radius/tacacs for this. I want context administrators to use ASDM and SSH. For the ASDM to function correctly it looks like it needs to be able to execute lots of different 'show' commands. I also want to give context administrators sufficient commands to be able to carry out common administrative functions.
So my first shot at config looks like this:
username test password test privilege 5
aaa authorization command LOCAL
aaa authorization exec LOCAL
!
privilege cmd level 5 mode configure command interface
privilege cmd level 5 mode configure command access-list
privilege cmd level 5 mode configure command static
privilege cmd level 5 mode configure command access-group
privilege cmd level 5 mode interface command ip
privilege cmd level 5 mode subinterface command ip
privilege cmd level 5 command show
The initial problem I have is that 'privilege cmd level 5 command show' doesn't work. I need to specify each variant of show, for example:
privilege show level 5 mode exec command running-config
This is going to result in unnecessarily bloated configurations. Does anyone know of a more elegant way to permit ALL show commands?
Many thanks in advance!
George
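An added example, not part of George's post and not a Cisco tool: a small Python audit that reads the privilege lines above and reports which commands a level-5 context administrator can actually run. It models only the rules the post describes (a user's level must be at least the command's level, unlisted commands default to level 15, and a `cmd` rule for `show` does not cover `show <sub-command>`); the ASA's real matcher, the assumption that a privilege line without a `mode` applies in every mode, and the list of show commands ASDM issues are all assumptions stated in the comments.

```python
"""Audit of ASA local command authorization: which commands may a user at a
given privilege level run under a set of 'privilege ...' lines?

Added example modelled on the rules described in the post; it is NOT the
ASA's own matching logic.
"""
import re

# Constructed sample: the poster's config plus the per-show-command workaround.
SAMPLE_CONFIG = """\
username test password test privilege 5
aaa authorization command LOCAL
aaa authorization exec LOCAL
!
privilege cmd level 5 mode configure command interface
privilege cmd level 5 mode configure command access-list
privilege cmd level 5 mode configure command static
privilege cmd level 5 mode configure command access-group
privilege cmd level 5 mode interface command ip
privilege cmd level 5 mode subinterface command ip
privilege cmd level 5 command show
privilege show level 5 mode exec command running-config
"""

# Commands the ASA puts at level 0 out of the box; everything else defaults to 15.
LEVEL0_DEFAULTS = {
    ("cmd", "enable"), ("cmd", "help"), ("cmd", "login"), ("cmd", "logout"),
    ("cmd", "pager"), ("show", "pager"), ("clear", "pager"), ("cmd", "quit"),
    ("show", "version"),
}
DEFAULT_LEVEL = 15

PRIV_RE = re.compile(
    r"^privilege\s+(?P<kind>show|clear|cmd)\s+level\s+(?P<level>\d+)"
    r"(?:\s+mode\s+(?P<mode>\S+))?\s+command\s+(?P<cmd>\S+)$"
)
USER_RE = re.compile(
    r"^username\s+(?P<name>\S+)\s+password\s+\S+\s+privilege\s+(?P<level>\d+)$"
)


def parse(config):
    """Return ({(kind, mode, cmd): level}, {username: level}) from config text.
    mode is None when the privilege line omits it."""
    rules, users = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if (m := PRIV_RE.match(line)):
            rules[(m["kind"], m["mode"], m["cmd"])] = int(m["level"])
        elif (m := USER_RE.match(line)):
            users[m["name"]] = int(m["level"])
    return rules, users


def required_level(rules, kind, mode, cmd):
    """Privilege needed for e.g. kind='show', mode='exec', cmd='running-config'.
    Assumption: a mode-specific rule wins; a rule with no mode applies in
    every mode; otherwise the ASA default (0 for a few commands, else 15)."""
    if (kind, mode, cmd) in rules:
        return rules[(kind, mode, cmd)]
    if (kind, None, cmd) in rules:
        return rules[(kind, None, cmd)]
    return 0 if (kind, cmd) in LEVEL0_DEFAULTS else DEFAULT_LEVEL


def can_run(rules, users, user, kind, mode, cmd):
    """True when the user's privilege level meets the command's requirement."""
    return users[user] >= required_level(rules, kind, mode, cmd)


def denied_show_commands(rules, users, user, wanted):
    """The 'show' sub-commands in `wanted` the user still cannot run, i.e. the
    ones that would each need their own 'privilege show ...' line."""
    return sorted(c for c in wanted
                  if not can_run(rules, users, user, "show", "exec", c))


if __name__ == "__main__":
    rules, users = parse(SAMPLE_CONFIG)
    # Constructed stand-in for the show commands ASDM issues (assumption).
    asdm_shows = ["running-config", "version", "xlate", "conn", "interface", "access-list"]
    for c in asdm_shows:
        lvl = required_level(rules, "show", "exec", c)
        ok = can_run(rules, users, "test", "show", "exec", c)
        print(f"show {c:<15} -> level {lvl:>2} {'OK' if ok else 'denied'}")
    print("still denied:", denied_show_commands(rules, users, "test", asdm_shows))
```

Run against the poster's own lines, the audit shows why the generic `privilege cmd level 5 command show` rule leaves ASDM broken: only `show running-config` (explicitly listed) and `show version` (a level-0 default) pass for the level-5 user, while every other show sub-command still requires level 15. Pointing `denied_show_commands` at the list of commands a given ASDM session actually issues gives the minimal set of privilege lines to add, which keeps the grant at least-privilege rather than handing the context administrator level 15.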