Read only access to PDM

m-raft
Level 1

I am running PIX 6.2 and want to create a username that will have read only access to PIX configuration both through command line and PDM. Has anyone done this yet, and if so can you let me know what is required? I have tried creating a user with priv 2 and assigned show block, sh curpriv, sh pdm, sh running-config to the priv level 2. This allows me to open pdm with the user account but I only have access to the Monitoring Tab. When I try to access another tab I get "You are not authorized to view any other tabs." Any ideas?????

thanks

mike

5 Replies

pgolding
Level 1

Try making "write term" priv level 2 also. This really is functioning as designed though.

Tried that and it didn't work either, same result. If this is functioning as designed, then is there a way to set up PDM in a read only manner? I need to have read only access through PDM so some users can review the config but not change it.

srsrinivasan
Level 1

I hope you are using the latest PDM release.

1. Connect to PDM.

2. Go to System Properties.

3. Go to User Accounts.

4. Create user with Privilege Level as 5 or Read-Only.

5. Go to Authentication/Authorization Screen.

6. Check the Enable Command Authorization as LOCAL

7. Apply to PIX.

Note:

When the dialog box pops up asking whether you want to set the priv for the following commands, please press Yes.

This sends the pre-defined privileges for commands for the PDM profiles, e.g. Read-only, Admin, Monitor.

Also please check that you do not set any privilege manually on any commands. Use the default config.

If you have any other problem, please contact me.

Too simple. Thanks for the reply. That worked exactly as you defined. One question though. When I initially created the new user I left the previously defined user and authorizations in my config and it didn't work. Does this mean that I can't have multiple user accounts with other defined authorizations for this to work?

Thanks again,

mike

Sorry, I could not get what you want. Please let me know whether I am correct.

1. You can have multiple users with different priv levels (e.g. Read Only, Monitor Only and Admin).

2. You can have only LOCAL or TACACS+ Command Authorization.

3. If you change the privilege of any command other than the predefined user account priv commands, you will be out of PDM profiling.

e.g. if you change the privilege of a single command, say show arp, from the default value 15 to 5 (Read-only).

Now when you connect to PDM, you will see that it states the user privilege at the bottom of PDM as 5 instead of Read-only.

So make sure, if you customise the privileges of commands, that you have all necessary commands (e.g. show pdm, show blocks, show curpriv...) set to a priv the same as or less than the privilege level of the user you logged in as.

Otherwise you will end up in misconfiguration.

Finally, PDM currently supports three users only (if it is in PDM profiling).

1. Admin (priv 15): can view and modify any PDM tabs and commands.

2. Read-Only (priv 5): can view all tabs in PDM but cannot modify.

3. Monitor-Only (priv 3): can only use the Monitoring screen.

TIPS:

When you find that you have changed the privilege of an individual command, you can restore PDM profiling by going to the Authentication/Authorization screen and clicking on Restore PDM user Account Privileges. It will set you back to the three users config mode.

Please send me email if you have more questions.
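
The rule from the last reply (every command PDM needs must sit at a privilege level no higher than the logged-in user's) can be checked offline against a saved configuration. The script below is an added example, not part of the thread: the `username` and `privilege` line formats it parses are assumed from PIX 6.2 CLI syntax, the function name `audit` is hypothetical, and the sample configuration is constructed.

```python
import re

# Profile levels as listed in the thread; any other level is outside PDM profiling.
PDM_PROFILES = {15: "Admin", 5: "Read-Only", 3: "Monitor-Only"}
# "show" commands the thread names as necessary for PDM.
REQUIRED_SHOW = ("pdm", "blocks", "curpriv")
DEFAULT_LEVEL = 15  # default command privilege, per the thread

# Assumed line formats: "username NAME password ... privilege N" and
# "privilege show|clear|configure level N [mode M] command CMD".
USER_RE = re.compile(r"^username\s+(\S+)\s+.*?\bprivilege\s+(\d+)\s*$")
PRIV_RE = re.compile(
    r"^privilege\s+(show|clear|configure)\s+level\s+(\d+)\s+"
    r"(?:mode\s+\S+\s+)?command\s+(\S+)\s*$")


def audit(config_text, required=REQUIRED_SHOW):
    """Return, per user, the PDM profile name and the required show
    commands whose privilege level is above that user's level."""
    users, show_levels = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            users[m.group(1)] = int(m.group(2))
        elif (m := PRIV_RE.match(line)) and m.group(1) == "show":
            show_levels[m.group(3)] = int(m.group(2))
    report = {}
    for name, level in users.items():
        blocked = [c for c in required
                   if show_levels.get(c, DEFAULT_LEVEL) > level]
        report[name] = {"level": level,
                        "profile": PDM_PROFILES.get(level, "custom"),
                        "blocked": blocked}
    return report


# Constructed sample: a level-2 user, with only curpriv lowered to level 2.
SAMPLE = """\
username admin password CONSTRUCTED encrypted privilege 15
username auditor password CONSTRUCTED encrypted privilege 5
username mike password CONSTRUCTED encrypted privilege 2
privilege show level 5 command pdm
privilege show level 5 command blocks
privilege show level 2 command curpriv
"""

if __name__ == "__main__":
    for user, result in audit(SAMPLE).items():
        print(user, result)
```

A non-empty `blocked` list, or a `custom` profile, marks an account that falls outside the three predefined PDM user types described above.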