You have a couple of choices. If this admin belongs to a group and they have similar profiles, you could create a group with an IP-based NAR allowing access to only the named NDGs.
Or, if it's a special case, you can assign NARs directly to the admin user in question.
A user cannot be in several groups. However, using NDG->NAR and NDG->DCS mappings, you can make users of a group get different authorisations based on the devices being managed, e.g. NDG1->full access, NDG2->read only.
NARs can contain NDGs, NAFs and individual devices.
I've assigned a user access to a specific NDG with full rights. When I use his credentials to log into another switch that is not part of his NDG allow list, I'm puzzled.
Now I can't get into enable mode (that's the intended purpose), but I can run show ip/trace/ping w/o going to enable mode. It seems that this user has been assigned the Read-only shell command authorization set for all other switches.