Module 5: 5.3 Assigning Administrative Roles - Coggle Diagram
5.1 Configure Privilege Levels
5.1.1 Limiting Command Availability
Large organizations have many varied job functions within an IT department. Not all job functions should have the same level of access to the infrastructure devices. Cisco IOS software has two methods of providing infrastructure access: privilege level and role-based CLI. Both methods help determine who should be allowed to connect to the device and what that person should be able to do with it. Role-based CLI access provides more granularity and control.
5.1.2 Configuring and Assigning Privilege Levels
To configure a privilege level with specific commands, use the privilege exec level level [command] global configuration command. The example referenced here configures three different privilege levels.
Use the username command to assign a privilege level to a specific user, and the enable secret command to assign a privilege level to a specific EXEC mode password. For example, the SUPPORT user is assigned privilege level 5 with the password cisco5. However, as shown in the example below, any user who knows that the level 5 enable secret password is cisco5 can enter privilege level 5. The example also demonstrates that privilege level 5 cannot reload the router.
5.2 Configure Role-Based CLI
5.2.1 Role-Based CLI Access
In an effort to provide more flexibility than privilege levels allow, Cisco introduced the role-based CLI access feature in Cisco IOS Release 12.3(11)T.
Security
Role-based CLI access enhances the security of the device by defining the set of CLI commands that are accessible by a specific user. Additionally, administrators can control user access to specific ports, logical interfaces, and slots on a router.
Availability
Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel and minimizes downtime.
Operational Efficiency
Users see only the CLI commands applicable to the ports and CLI to which they have access. Therefore, the router appears less complex, and commands are easier to identify when using the help feature on the device.
5.2.2 Role-Based Views
Root View
To configure any view for the system, the administrator must be in root view. Root view has the same access privileges as a user who has level 15 privileges.
CLI View
A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view has no command hierarchy and no higher or lower views.
Superview
A superview consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible.
5.2.3 Configure Role-Based Views
Before an administrator can create a view, AAA must be enabled using the aaa new-model command. To configure and edit views, an administrator must log in as the root view using the enable view privileged EXEC command.
Step 1. Enable AAA with the aaa new-model global configuration mode command. Exit and enter the root view with the enable view command.
Step 2. Create a view using the parser view view-name global configuration mode command. This enables the view configuration mode. Excluding the root view, there is a maximum limit of 15 views in total.
Step 3. Assign a secret password to the view using the secret password view configuration mode command.
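The privilege-level commands from 5.1.2 and the view procedure from 5.2.3, as one added IOS session (an added example, not the original page's configuration). The router name R1, the users SUPPORT and HELPDESK, the view SHOWVIEW, and all passwords are placeholders; the commands and username view lines after step 3 go beyond the three steps listed above.

```cisco
! Added worked example (not from the original page); hostname, view name,
! usernames and passwords are constructed placeholders.
!
! --- 5.1.2 Privilege levels: grant level 5 only the show commands it needs ---
R1(config)# privilege exec level 5 show ip interface brief
R1(config)# privilege exec level 5 show ip route
! Per-user assignment of level 5 (preferred over a shared enable password).
R1(config)# username SUPPORT privilege 5 secret cisco5
! Shared EXEC-mode password for level 5: anyone who knows it reaches level 5,
! which is the exposure described in 5.1.2. reload was never granted to
! level 5, so a level-5 session cannot reboot the router.
R1(config)# enable secret level 5 cisco5
R1(config)# enable secret level 15 Cisco15Secret
!
! --- 5.2.3 Role-based CLI views ---
! Step 1: AAA must be enabled before any view can be created or entered.
R1(config)# aaa new-model
R1(config)# exit
! The root view is entered with the level-15 enable secret, not a view secret.
R1# enable view
Password: Cisco15Secret
R1# configure terminal
! Step 2: create the view (at most 15 views, excluding root).
R1(config)# parser view SHOWVIEW
! Step 3: a view secret is required before commands can be added to the view.
R1(config-view)# secret showview5
! Beyond the page's steps: restrict the view to an explicit command set.
R1(config-view)# commands exec include show version
R1(config-view)# commands exec include show ip interface brief
R1(config-view)# exit
! Bind a user to the view so that login lands directly in SHOWVIEW.
R1(config)# username HELPDESK view SHOWVIEW secret HelpDesk1
R1(config)# end
!
! Verification from the root view: list all views, then test one.
R1# show parser view all
R1# enable view SHOWVIEW
Password: showview5
R1# show ip interface brief
! reload is not included in SHOWVIEW, so the parser rejects it in this view.
R1# reload
```

Unlike the level-5 enable secret, the SHOWVIEW secret only matters at enable view time; the HELPDESK account is placed in the view by its username binding, so there is no shared password that any user could supply to reach the view.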