[tac_plus] Different auth per device per user

Alan McKinnon alan.mckinnon at gmail.com
Wed Nov 4 13:07:15 UTC 2009


Hi,

Using 4.0.4.18 on FreeBSD.

Short description:
I have a need to give a select bunch of users one level of access on some 
devices and a much more restrictive access everywhere else. How can I do this?

Longer version:
My users are divided into 4 roles (1-4) in increasing level of access; the 
access they get applies to any device they can reach. The network is broken up 
into core routers, non-core routers and customer hosting switches.

There's a team which configures and installs the customer switches, I want 
them to be able to configure anything on those devices (role 4 in my setup) but 
to have role 2 on every other device.

I can't quite seem to find a clean way to configure this. The closest I can 
get is an acl and group just for switches and exclude them from everywhere 
else.

In an ideal world, this would suit me fine (I know it doesn't work):

acl = hosting_acl { <list> }
group = hosting_group { 
  acl = hosting_acl
  <rules>
}
group = role_2 { <rules> }

user = hosting_engineer {
  group = hosting_group
  group = role_2
}

With the first group having precedence and the second being a de-facto 
default. I'm OK with setting up the various rules so that conflicts don't 
happen (or fixing them when they do). I've seen patches around that allow 
multiple groups, but was wondering if there's a clean alternative in the 
shipped code.

Another alternative is enableacl which is somewhat limiting, but I can live 
with that (aka I can force the user's manager to live with that).

-- 
alan dot mckinnon at gmail dot com

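The "acl and group just for switches and exclude them from everywhere else" approach above hinges on two complementary NAS-address ACLs that split the network the same way. The script below is an added example, not the poster's configuration or code shipped with tac_plus: it generates that ACL pair (hosting_acl from the post, plus a hypothetical non_hosting_acl for the other groups) from a constructed switch inventory, and checks the generated patterns against sample addresses. It assumes what tac_plus.conf(5) documents for acl blocks, namely that permit/deny values are regular expressions matched against the NAS address and evaluated in order, first match winning; the addresses and the exact layout are mine. The security point it makes is that the regexes must be anchored and have their dots escaped, otherwise an entry meant for 10.20.30.1 also admits 10.20.30.10 and 110.20.30.1, and that each ACL should end in an explicit catch-all so the outcome never depends on the daemon's implicit default. It does not remove the single-group-per-user limit the post is asking about.

```python
"""Generate complementary tac_plus acl blocks for 'customer hosting switches'
versus 'everything else', with anchored, dot-escaped NAS-address regexes.

Added example for the mailing-list question; the inventory below is
constructed and the acl names are illustrative.
"""
import ipaddress
import re

# Constructed inventory of customer hosting switches (hypothetical addresses).
HOSTING_SWITCHES = ["10.20.30.1", "10.20.30.2", "10.20.31.0/24"]


def ip_regex(entry: str) -> str:
    """Return an anchored regex for one host or octet-aligned prefix.

    tac_plus matches acl permit/deny values as regular expressions against
    the NAS address, so dots are escaped and the pattern is anchored.  Only
    syntax every regex flavour accepts is used (no {n,m}, no \\d), since the
    daemon's regex engine may be a basic one.
    """
    net = ipaddress.ip_network(entry, strict=True)  # rejects 10.20.31.5/24
    octets = str(net.network_address).split(".")
    if net.prefixlen == 32:
        return "^" + r"\.".join(octets) + "$"
    if net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{entry}: only hosts and /8, /16, /24 supported")
    fixed = octets[: net.prefixlen // 8]
    return "^" + r"\.".join(fixed) + r"\."  # prefix anchor is sufficient


def acl_entries(switches, for_switches: bool):
    """Ordered (verb, regex) list for one acl.

    for_switches=True  -> permit the switches, deny everything else
    for_switches=False -> deny the switches, permit everything else
    An explicit '.*' catch-all is always appended so the result does not rely
    on whatever the daemon does when no entry matches.
    """
    verb = "permit" if for_switches else "deny"
    entries = [(verb, ip_regex(s)) for s in switches]
    entries.append(("deny" if for_switches else "permit", ".*"))
    return entries


def render_acl(name: str, entries) -> str:
    """Render one acl block in tac_plus.conf syntax."""
    lines = [f"acl = {name} {{"]
    lines += [f"    {verb} = {rx}" for verb, rx in entries]
    lines.append("}")
    return "\n".join(lines)


def nas_allowed(entries, address: str) -> bool:
    """Emulate ordered, first-match evaluation of an acl for one NAS address."""
    for verb, rx in entries:
        if re.search(rx, address):
            return verb == "permit"
    return False  # unreachable with the catch-all; treated as deny if it were not


def render_config(switches=HOSTING_SWITCHES) -> str:
    """Both acl blocks: attach hosting_acl to the switch group and
    non_hosting_acl to the groups that must not reach the switches."""
    return "\n\n".join([
        render_acl("hosting_acl", acl_entries(switches, True)),
        render_acl("non_hosting_acl", acl_entries(switches, False)),
    ])


if __name__ == "__main__":
    print(render_config())
    print()
    hosting = acl_entries(HOSTING_SWITCHES, True)
    # 10.20.30.10 and 110.20.30.1 are the look-alikes an unanchored,
    # unescaped pattern for 10.20.30.1 would wrongly admit.
    for addr in ("10.20.30.1", "10.20.30.10", "10.20.31.77", "110.20.30.1"):
        print(f"{addr:>12}: {'hosting switch' if nas_allowed(hosting, addr) else 'other device'}")
```

Run it and paste the two blocks into tac_plus.conf, then attach hosting_acl to the switch-only group and non_hosting_acl to the groups that are not supposed to reach the switches; the classification loop at the bottom is the check to repeat whenever the inventory changes.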
