[tac_plus] Re: Different auth per device per user
Kiss Gabor (Bitman)
kissg at ssg.ki.iif.hu
Wed Nov 4 20:34:09 UTC 2009
> Short description:
> I have a need to give a select bunch of users one level of access on some
> devices and a much more restrictive access everywhere else. How can I do this?
>
> Longer version:
> My users are divided into 4 roles (1-4) in increasing level of access; the
> access they get applies to any device they can reach. The network is broken up
> into core routers, non-core routers and customer hosting switches.
>
> There's a team which configures and installs the customer switches. I want
> them to be able to configure anything on those devices (role 4 in my setup) but
> to have role 2 on every other device.
>
> I can't quite seem to find a clean way to configure this. The closest I can
> get is an acl and group just for switches and exclude them from everywhere
> else.
>
> In an ideal world, this would suit me fine (I know it doesn't work):
>
> acl = hosting_acl { <list> }
> group = hosting_group {
> acl = hosting_acl
> <rules>
> }
> group = role_2 { <rules> }
>
> user = hosting_engineer {
> group = hosting_group
> group = role_2
> }
Maybe this helps you:
http://www.shrubbery.net/pipermail/tac_plus/2007-August/000125.html
Regards
Gabor
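The policy the original poster describes (one elevated role on a class of devices, a lower default role everywhere else, decided per user and per NAS) is easy to get subtly wrong when device classes overlap. The following is an added example, not code from the thread or from the tac_plus project: a stand-alone Python model of that decision table, useful for checking the intended rules before encoding them in a tac_plus configuration. The device address ranges, user names and the role-to-priv-lvl mapping are constructed for illustration, and nothing here depends on tac_plus internals.

```python
"""
Constructed policy model for per-device, per-user authorization.
Added example; not tac_plus code and not from the mailing-list thread.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed device classes (assumed address ranges, not from the post).
# Note the hosting-switch range is nested inside the non-core range, so the
# classifier must prefer the most specific (longest prefix) match.
DEVICE_CLASSES = {
    "core": [ipaddress.ip_network("10.0.0.0/24")],
    "noncore": [ipaddress.ip_network("10.1.0.0/16")],
    "hosting_switch": [
        ipaddress.ip_network("10.1.50.0/24"),
        ipaddress.ip_network("192.0.2.0/24"),
    ],
}

# Constructed mapping of the poster's roles 1-4 onto TACACS+ privilege levels.
ROLE_PRIV_LVL = {1: 1, 2: 7, 3: 10, 4: 15}


@dataclass(frozen=True)
class UserPolicy:
    default_role: int                                   # role on every other device
    overrides: Dict[str, int] = field(default_factory=dict)  # device class -> role


# Constructed users: the hosting engineer from the post, plus a plain operator.
USERS = {
    "hosting_engineer": UserPolicy(default_role=2, overrides={"hosting_switch": 4}),
    "noc_operator": UserPolicy(default_role=1),
}


def classify_device(nas_ip: str) -> Optional[str]:
    """Return the device class whose most specific range contains nas_ip, else None."""
    addr = ipaddress.ip_address(nas_ip)
    best_class, best_len = None, -1
    for cls, nets in DEVICE_CLASSES.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best_class, best_len = cls, net.prefixlen
    return best_class


def role_for(user: str, nas_ip: str) -> Optional[int]:
    """Resolve the role a user gets on a given NAS; None means deny.

    Unknown users and NAS addresses outside every known class are denied
    rather than silently given the default role (fail closed).
    """
    policy = USERS.get(user)
    if policy is None:
        return None
    cls = classify_device(nas_ip)
    if cls is None:
        return None
    return policy.overrides.get(cls, policy.default_role)


def decide(user: str, nas_ip: str) -> Dict[str, str]:
    """Render the decision as the kind of attribute pair an authorization reply carries."""
    role = role_for(user, nas_ip)
    if role is None:
        return {"status": "deny"}
    return {"status": "permit", "priv-lvl": str(ROLE_PRIV_LVL[role])}


if __name__ == "__main__":
    for who, nas in [("hosting_engineer", "10.1.50.7"),
                     ("hosting_engineer", "10.1.3.4"),
                     ("noc_operator", "10.1.50.7"),
                     ("nobody", "10.0.0.1")]:
        print(who, nas, decide(who, nas))
```

The longest-prefix rule in classify_device is the part worth testing: with the switch range nested inside the non-core range, a first-match loop would hand the hosting engineer role 2 on the very switches they are supposed to manage. Failing closed on unknown NAS addresses is a deliberate choice; if the intended behaviour is the poster's "role 2 everywhere else" for any reachable device, return policy.default_role instead of None when no class matches.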