Cisco Support Community
New Member

Configuration for authorization


Here is my ACS setup

1. We have two NDG groups under the Network Configuration tab,

one group is for common network devices like routers and switches,

and the other group we have special devices like VPN router & internet routers.

and coming to user details:

2. we have two different types of user groups

one is having full access to both the NDG groups

other group is having read-only access to both NDG groups

Now my problem is I have to provide the read/write access to some of the users

who are in the read-only access group, and that too only for the special devices NDG group, not the common network NDG group.

I mean he has to get full access to one NDG and read-only access to the other.

Can someone help me with this?


Re: Configuration for authorization

You need to set up command authorization using "Assign a Shell Command Authorization Set on a per Network Device Group Basis".



Do rate helpful posts

New Member

Re: Configuration for authorization

What about setting up a 3rd group called power users (or whatever you want to call it), then allow the 'special' users full access to both device groups but limit their command access to the read only group. Using command shell auth, as suggested by JG.

You can actually set up some ACS groups where read only users get level 15 access to devices but they can only perform 'show' related commands even though they have enable access. You have the ability to do a 'deny' against 'conf t' attempts.

Also you can use Network Device restrictions if you don't want them to access particular devices at all.
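
The per-NDG command set assignment suggested in the replies above, as an added example that is not part of any post and is not ACS code: a simplified Python model of the authorization decision. The group, NDG, device and command-set names are hypothetical, and the wildcard matching is a stand-in for ACS's own rule evaluation.

```python
# Simplified model of per-NDG shell command authorization (not ACS code).
# All group, NDG, device and command-set names are hypothetical.
from fnmatch import fnmatchcase

# A command set: ordered (action, pattern) rules plus a default that applies
# to commands matching no rule.
COMMAND_SETS = {
    "full-access": {"rules": [], "unmatched": "permit"},
    "read-only": {
        "rules": [("deny", "configure*"), ("permit", "show *")],
        "unmatched": "deny",
    },
}

# Each user group maps every NDG it may manage to exactly one command set.
GROUP_POLICY = {
    "full-access-users": {"common": "full-access", "special": "full-access"},
    "read-only-users": {"common": "read-only", "special": "read-only"},
    "power-users": {"common": "read-only", "special": "full-access"},
}

DEVICE_NDG = {"core-sw1": "common", "vpn-rtr1": "special"}  # constructed sample


def authorize(group, device, command):
    """Return 'permit' or 'deny' for one command on one device."""
    ndg = DEVICE_NDG.get(device)
    set_name = GROUP_POLICY.get(group, {}).get(ndg)
    if set_name is None:  # unknown group, device or NDG: fail closed
        return "deny"
    cmd_set = COMMAND_SETS[set_name]
    normalized = " ".join(command.lower().split())
    for action, pattern in cmd_set["rules"]:
        if fnmatchcase(normalized, pattern):
            return action  # first matching rule wins
    return cmd_set["unmatched"]


if __name__ == "__main__":
    for device in DEVICE_NDG:
        for cmd in ("show running-config", "configure terminal"):
            print("power-users", device, cmd, "->",
                  authorize("power-users", device, cmd))
```
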
