Cisco Support Community
New Member

User-Role for editing access-lists in ASDM

Hi

We use an FWSM, version 4.0(6), with ASDM, version 6.1(5)F.

I need to build a user role for a user who can just configure existing access-lists in ASDM. I decided to use privilege level 7 for that role.

First I created the ASDM-defined user roles (Admin (15), read only (5) & monitor only (3)).

Then I tried to give a level 7 user access to the configuration of access-lists:

privilege cmd level 7 mode configure command configure
privilege cmd level 7 mode configure command access-list

But now, if I log in with ASDM as a level 7 user, I can see the access-lists (and everything else) but I'm not able to configure them.
What did I forget?
Thanks
Patrik
6 REPLIES
Cisco Employee

Re: User-Role for editing access-lists in ASDM

ASDM will not understand levels other than 3, 5 and 15.

Even though it can be more granular for CLI command authorization, ASDM does not know about these user priv levels, so it will not enforce it.

PK

New Member

Re: User-Role for editing access-lists in ASDM

PK,

Thanks for your answer. It's interesting to know that ASDM is only aware of levels 3, 5 & 15.

Now I decided to change level 5 to give access to the access-list configuration.

privilege cmd level 5 mode configure command configure
privilege cmd level 5 mode configure command access-list

But even these settings don't affect anything. A level 5 user is still not able to configure access-lists in ASDM.

Does this mean that I cannot change the privileges for ASDM at all?

Thanks again

Patrik

Cisco Employee

Re: User-Role for editing access-lists in ASDM

If you go into ASDM and go under AAA Authentication you will see a button that says something like "Set ASDM privilege levels". Using that will move the commands to the levels that you need for ASDM to enforce it.

Note that ASDM 6.0 had a couple of defects related to this. The latest 6.2 versions work fine.

I hope it helps.

PK

New Member

Re: User-Role for editing access-lists in ASDM

Unfortunately this doesn't help.

I already set the ASDM levels (which are 3, 5 & 15). But levels 3 & 5 are not able to configure access-lists in ASDM, and I cannot give level 15 to our sysadmins.

I use ASDM 6.2(5) with my ASAs running 8.2(2).

Question:

Is it possible to configure the privileges so that someone is only able to configure access-lists and nothing else?

If yes, how can that be done?

Thanks

Patrik

Cisco Employee (Accepted Solution)

Re: User-Role for editing access-lists in ASDM

With ASDM, I am afraid not; you could do it with the CLI and level 7, as you tried to do there, but ASDM will not honor it.

What you could do to hack it is to create a new level 15 user and do command authorization for that user. ASDM will let him do whatever he wants, but when he tries to push the commands, the ASA will try to authorize these commands and fail all except for the ACL ones.

I hope it makes sense.

PK
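
The approach PK describes above, written out as an added configuration example (this is not PK's or Cisco's own code, and the server group name ACS, the address 192.0.2.10, the account names and the shared-secret placeholders are all constructed for illustration). The idea is that local command authorization cannot restrict a level 15 account, because LOCAL authorization permits every command at or below the user's level; the restriction therefore has to come from an external TACACS+ server whose per-user command set permits only the access-list commands. The user still logs in at privilege 15 so that ASDM unlocks its full configuration UI, and every command ASDM pushes is then authorized individually by the server.

```cisco
! ===== ASA / FWSM side =====
! TACACS+ server group (name, address and key are placeholders)
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key <shared-secret-placeholder>

! ASDM connects over HTTPS: authenticate those sessions (and SSH/enable)
! against TACACS+, falling back to the local database if it is unreachable
aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL

! Every command the device receives, whether typed at the CLI or pushed by
! ASDM, is sent to the server for authorization before it is executed.
! The LOCAL keyword is only a fallback for when the server is down.
aaa authorization command ACS LOCAL

! Accounting records show exactly which commands ASDM sends, which is how
! you find out what else the restricted command set has to permit
aaa accounting command ACS

! Break-glass local account: level 15, because with LOCAL fallback a
! lower level would not be able to repair the configuration
username fallback-admin password <placeholder> privilege 15

! ===== TACACS+ server side (illustrative, not a real product's syntax) =====
! user acl-admin  priv-lvl=15            <- ASDM shows the full UI
! permit  show .*                        <- ASDM needs show commands to render pages
! permit  configure terminal
! permit  access-list .*                 <- the only configuration allowed
! permit  no access-list .*
! permit  write memory                   <- so the change can be saved
! deny    .*                             <- anything else fails authorization
```

Two caveats for anyone implementing this: first, turn on "aaa authorization command" from a session you keep open (console or an existing SSH session) after confirming that your own administrative account's command set on the server permits everything, because a deny-all set applied to the wrong account locks every administrator out of configuration mode. Second, ASDM issues more than the commands you see in its preview window; read the command accounting records from the server after a test session and extend the permit list only with what the restricted role genuinely needs, keeping the final deny-all in place.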

New Member

Re: User-Role for editing access-lists in ASDM

PK,

Thanks for your clarification.

Patrik
