Module 5: Assigning Administrative Roles - Coggle Diagram
5.1 Configure Privilege Levels
Limiting Command Availability
Methods for Providing Infrastructure Access
Privilege Levels
Role-Based CLI
Privilege Levels in Cisco IOS
User EXEC Mode (Level 1)
Lowest level of user privileges.
Allows only user-level commands at the Router> prompt.
Privileged EXEC Mode (Level 15)
Includes all enable-level commands at the Router# prompt.
Total of 16 Privilege Levels:
Level 0
Predefined for user-level access privileges.
Includes five commands: disable, enable, exit, help, and logout.
Level 1
Default level when logging in, with the prompt Router>.
User cannot make changes or view the running configuration.
Levels 2-14
Can be customized for specific user-level privileges.
Commands from lower levels can be moved to higher levels, and vice versa.
Level 15
Reserved for enable mode privileges (enable command).
Allows changing the configuration and viewing configuration files.
Assigning Commands to a Custom Privilege Level
Use the global configuration mode command:
Router(config)# privilege mode {level level | reset} command
Configuring and Assigning Privilege Levels
Methods for Assigning Passwords to Privilege Levels
To a user:
Command: username name privilege level secret password
To the privilege level:
Command: enable secret level level password
Configuring Privilege Levels
Use the command: privilege exec level level command, where exec is the mode, level is the custom level (2-14) and command is the command string being moved to that level.
Example configuration for different levels
Privilege Level 10
Inherits commands from level 5 and adds the reload command.
Privilege Level 5
Inherits commands from level 1 and adds the ping command.
Privilege Level 15
Predefined level with access to all commands, including configuration changes.
Assigning Privilege Levels to Users and Passwords
Privilege Level 10
Can execute ping and reload commands but cannot view the running configuration.
R1> enable 10
Password: <cisco10>
R1# show privilege
Current privilege level is 10
R1# reload
R1# show running-config
% Invalid input detected at '^' marker.
Privilege Level 15
Has full access, including viewing and changing configurations.
R1> enable 15
Password:
R1# show privilege
Current privilege level is 15
R1# show running-config
Privilege Level 5
Can execute the ping command but cannot reload the router.
R1> enable 5
Password: <cisco5>
R1# show privilege
Current privilege level is 5
R1# ping 10.1.1.1
R1# reload
% Unknown command or computer name, or unable to find computer address
Configuration Steps for Different Privilege Levels
Level 5 (SUPPORT User Configuration)
Command: privilege exec level 5 ping
Password configuration: enable algorithm-type scrypt secret level 5 cisco5
User creation: username SUPPORT privilege 5 algorithm-type scrypt secret cisco5
Level 10 (JR-ADMIN User Configuration)
Command: privilege exec level 10 reload
Password configuration: enable algorithm-type scrypt secret level 10 cisco10
User creation: username JR-ADMIN privilege 10 algorithm-type scrypt secret cisco10
Level 15 (ADMIN User Configuration)
Password configuration: enable algorithm-type scrypt secret level 15 cisco123
User creation: username ADMIN privilege 15 algorithm-type scrypt secret cisco123
Examples of Privilege Levels in Action
Assign a specific user to a privilege level:
Use the username command.
Assign a specific EXEC mode password to a privilege level:
Use the enable secret command.
Limitations of Privilege Levels
There is no access control to specific interfaces, ports, logical interfaces, and slots on a router.
Commands available at lower privilege levels are always executable at higher levels.
Commands specifically set at a higher privilege level are not available for lower privileged users.
Assigning a command with multiple keywords allows access to all commands that use those keywords. For example, allowing access to show ip route allows the user access to all show and show ip commands.
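The SUPPORT, JR-ADMIN and ADMIN configuration steps above, gathered into the order they are entered on the router, followed by a demonstration of the multi-keyword limitation. This is an added example and is not part of the original module: the hostname R1, the user names and the passwords are the module's own values, while the level-5 `show running-config` entry and the `privilege exec level 1 show` correction are assumptions added to show the parent-keyword side effect that Cisco documents.

```cisco
! Added example (not from the original module). Hostname R1 and the
! SUPPORT / JR-ADMIN / ADMIN users and passwords reuse the module's values.
!
! 1. One enable secret per level, so "enable 5" / "enable 10" / "enable 15" work
R1(config)# enable algorithm-type scrypt secret level 5 cisco5
R1(config)# enable algorithm-type scrypt secret level 10 cisco10
R1(config)# enable algorithm-type scrypt secret level 15 cisco123
!
! 2. Local users that land directly in their level at login
R1(config)# username SUPPORT privilege 5 algorithm-type scrypt secret cisco5
R1(config)# username JR-ADMIN privilege 10 algorithm-type scrypt secret cisco10
R1(config)# username ADMIN privilege 15 algorithm-type scrypt secret cisco123
!
! 3. Commands moved to the custom levels. Level 5 inherits level 1 and
!    gains ping; level 10 inherits level 5 and gains reload.
R1(config)# privilege exec level 5 ping
R1(config)# privilege exec level 10 reload
!
! 4. Multi-keyword side effect (assumed addition for this demonstration).
!    Moving "show running-config" to level 5 also moves the bare "show"
!    keyword to level 5, so a level-1 login loses every show command.
R1(config)# privilege exec level 5 show running-config
R1(config)# end
R1# show running-config | include privilege
! The output now contains an auto-generated line for the parent keyword:
!   privilege exec level 5 show
!
! 5. Hand the bare keyword back to level 1; "show running-config" stays at 5
R1(config)# privilege exec level 1 show
!
! 6. To undo the demonstration entirely, reset returns the command to its default level
R1(config)# privilege exec reset show running-config
```

Verify each user the way the sessions above do: log in as SUPPORT, run show privilege (expect 5), ping and then reload (expect the unknown-command message), then repeat as JR-ADMIN (expect 10, reload works, show running-config is rejected). Before moving any multi-keyword command, list the current state with show running-config | include privilege and repeat the listing afterwards, so that an auto-generated parent-keyword line is caught before a level-1 operator notices it.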
5.2 Configure Role-Based CLI
Benefits of Role-Based CLI Access
Security
Role-based CLI access enhances the security of the device by defining the set of CLI commands that are accessible by a specific user.
Availability
Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel and minimizes downtime.
Operational Efficiency
The router appears to be less complex, and commands are easier to identify when using the help feature on the device.
Views
Root View
To configure any view for the system, the administrator must be in root view. Root view has the same access privileges as a user who has level 15 privileges. However, a root view is not the same as a level 15 user. Only a root view user can configure a new view and add or remove commands from the existing views.
CLI View
A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view has no command hierarchy and no higher or lower views. Each view must be assigned all commands associated with that view. A view does not inherit commands from any other view. Additionally, the same commands can be used in multiple views.
Superview
A superview consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible. Superviews allow a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated with that one CLI view.
A single CLI view can be shared within multiple superviews.
Commands cannot be configured for a superview. An administrator must add commands to the CLI view and add that CLI view to the superview.
Users who are logged into a superview can access all the commands that are configured for any of the CLI views that are part of the superview.
Each superview has a password that is used to switch between superviews or from a CLI view to a superview.
Deleting a superview does not delete the associated CLI views. The CLI views remain available to be assigned to another superview.
5.2.6 Configure Role-Based CLI Superviews
The steps to configure a superview are essentially the same as configuring a CLI view, except that the view view-name command is used to assign commands to the superview. The administrator must be in root view to configure a superview. To confirm that root view is being used, use either the enable view or enable view root command. When prompted, enter the enable secret password. Role-based CLI requires AAA to be enabled (aaa new-model) and an enable secret to be configured before root view can be entered.
There are four steps to create and manage a superview.
Create the superview using the parser view view-name superview command. Appending the keyword superview to parser view creates a superview (rather than a CLI view) and enters view configuration mode.
Assign a secret password to the superview using the secret password command. This sets the password that protects access to the superview. The password must be created immediately after creating the view; otherwise an error message will appear.
Assign an existing CLI view using the view view-name command in view configuration mode. This adds the CLI view to the superview. Multiple views can be added, and a view may be shared between superviews.
Exit superview configuration mode by typing the exit command.
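A complete role-based CLI build following the four steps above, including the CLI views a superview needs before it can be assembled. This is an added example, not the module's own configuration: the hostname R1, the view names SHOW-VIEW, OPS-VIEW and NOC-SUPER, the user NOC and every password are assumptions. It assumes an enable secret is already set, since enable view prompts for it.

```cisco
! Added example (not from the original module). Hostname, view names,
! user name and passwords are assumptions.
!
! Prerequisite: role-based CLI requires AAA; local login so users land in their view
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# end
!
! Enter root view (prompted for the enable secret) and confirm it
R1# enable view
Password:
R1# show parser view
Current view is 'root'
R1# configure terminal
!
! CLI view 1: monitoring only. Views do not inherit, so every command is listed.
R1(config)# parser view SHOW-VIEW
R1(config-view)# secret cisco-show
R1(config-view)# commands exec include show version
R1(config-view)# commands exec include all show ip
R1(config-view)# exit
!
! CLI view 2: reachability tests and restart
R1(config)# parser view OPS-VIEW
R1(config-view)# secret cisco-ops
R1(config-view)# commands exec include ping
R1(config-view)# commands exec include traceroute
R1(config-view)# commands exec include reload
R1(config-view)# exit
!
! Superview: step 1 create, step 2 secret (must come first), step 3 add views, step 4 exit.
! Commands cannot be added to a superview directly; only existing CLI views.
R1(config)# parser view NOC-SUPER superview
R1(config-view)# secret cisco-noc
R1(config-view)# view SHOW-VIEW
R1(config-view)# view OPS-VIEW
R1(config-view)# exit
!
! Bind a local user to the superview so login drops straight into it
R1(config)# username NOC view NOC-SUPER secret cisco-noc
R1(config)# end
!
! Verify: switch to the superview and confirm the active view
R1# enable view NOC-SUPER
Password:
R1# show parser view
Current view is 'NOC-SUPER'
! From root view, "show parser view all" lists every configured view.
```

Inside NOC-SUPER, show ip route and ping succeed because SHOW-VIEW and OPS-VIEW supply them, while show running-config is rejected because no member view includes it. Deleting NOC-SUPER with no parser view NOC-SUPER leaves SHOW-VIEW and OPS-VIEW in place for reuse in another superview, as the module states.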
https://www.youtube.com/watch?v=K-8SC8trNOU