Does anyone know if it is possible to use wildcards with a Shell Command Authorization Set?
I am setting up the following types of users:
Cisco Admins (Unrestricted)
Cisco Operators (restricted, but capable of a lot).
We want to allow the operators enough access to fix a problem (with us walking them through on the phone), but not allow them the following:
Show run, show start... So they cannot get the passwords.
copy ANYTHING into startup-config. We do not want them to be able to write any configs.
There are so many options to copy from: ftp, tftp, run, flash, etc... I wanted to use a wildcard for:
copy; deny * startup-config
copy; deny running-config *
copy; deny startup-config *
This will prevent them from overwriting the startup-config, and will prevent them from copying the configs anywhere where they can get the encrypted passwords & run a utility to crack the passwords.
As of now, I am putting in all possible options into the authorization set, but I would LOVE to use a wildcard.
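
An added example, not part of the original post and not ACS code: a small Python model of how the three wildcard rules above would behave if `*` matched any run of characters, useful for checking which `copy` variants such a rule set covers. The first-match order, the permit-by-default fallback and the sample argument strings are assumptions made for the illustration.

```python
from fnmatch import fnmatchcase

# The three wildcard rules from the post, applied to the arguments of "copy".
# Assumed semantics (a model, not the ACS matcher): "*" matches any run of
# characters, rules are checked top to bottom, unmatched arguments are permitted.
COPY_RULES = [
    ("deny", "* startup-config"),
    ("deny", "running-config *"),
    ("deny", "startup-config *"),
]

def authorize(args, rules=COPY_RULES, default="permit"):
    """Return 'permit' or 'deny' for the argument string of one command."""
    normalized = " ".join(args.split())  # collapse repeated whitespace
    for action, pattern in rules:
        if fnmatchcase(normalized, pattern):
            return action  # first matching rule wins
    return default

def audit(samples, rules=COPY_RULES):
    """Map each sample argument string to its verdict under the rule set."""
    return {args: authorize(args, rules) for args in samples}

# Constructed sample arguments (what follows the word "copy").
SAMPLES = [
    "tftp: startup-config",            # overwrite startup from the network
    "running-config startup-config",   # save the running config
    "flash:backup.cfg startup-config", # overwrite startup from flash
    "running-config tftp:",            # export config with password hashes
    "startup-config   ftp:",           # export, with extra whitespace
    "tftp: flash:",                    # image transfer, should stay allowed
    "tftp: running-config",            # matches none of the three rules
]

if __name__ == "__main__":
    for args, verdict in audit(SAMPLES).items():
        print(f"copy {args:34} -> {verdict}")
```

In this model the last sample is permitted, because none of the three patterns has running-config as the destination.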