create user who can not configure using ASDM - ASA5520

julxu · ‎10-26-2008

Greeting

Could anyone give me a help on setup an access for read-only user?

I have ASA5520 with multi-contents and tried to configure a read-only user, who can use ASDM to monitor the box, check out all the contents rules/performance, but can not do configuration.

However, it is not successful. the problem is:

1. The user can only see one content, can not see the rest

2. The user can use configure butter.

what I did is:

username userRW password xxxx encrypted privilege 15

username readonlyuser password yyyy encrypted privilege 5

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authorization command LOCAL

And these commands are configured on the content who has management interface. Other contents, who have no management interface, have not been configured username and aaa.

Question:

1. Above configuration is enough to service the purpose?

2. So I have to configure username/aaa on all the contents?

Any comments will be appreciated

Thanks in advance

smahbub · ‎10-31-2008

If you turn on command authorization using the local database, then the security appliance refers to the user privilege level to determine what commands are available. Otherwise, the privilege level is not generally used. By default, all commands are either privilege level 0 or level 15. ASDM allows you to enable three predefined privilege levels, with commands assigned to level 15 (Admin), level 5 (Read Only), and level 3 (Monitor Only). If you use the predefined levels, then assign users to one of these three privilege levels.So you can use privilege level 5 for Read-only.