[tac_plus] Re: Different auth per device per user

Schmidt, Daniel dan.schmidt at uplinkdata.com
Wed Nov 4 21:22:12 UTC 2009


Were you ever able to fix the problems I found in that patch?

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Kiss Gabor (Bitman)
Sent: Wednesday, November 04, 2009 1:34 PM
To: Alan McKinnon
Cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: Different auth per device per user

> Short description:
> I have a need to give a select bunch of users one level of access on some
> devices and a much more restrictive access everywhere else. How can I do this?
> 
> Longer version:
> My users are divided into 4 roles (1-4) in increasing level of access, the
> access they get applies to any device they can reach. The network is broken up
> into core routers, non-core routers and customer hosting switches.
> 
> There's a team which configures and installs the customer switches, I want
> them to be able to configure anything on those devices (role 4 in my setup) but
> to have role 2 on every other device.
> 
> I can't quite seem to find a clean way to configure this. The closest I can
> get is an acl and group just for switches and exclude them from everywhere
> else.
> 
> In an ideal world, this would suit me fine (I know it doesn't work):
> 
> acl = hosting_acl { <list> }
> group = hosting_group { 
>   acl = hosting_acl
>   <rules>
> }
> group = role_2 { <rules> }
> 
> user = hosting_engineer {
>   group = hosting_group
>   group = role_2
> }

Maybe this helps you:
http://www.shrubbery.net/pipermail/tac_plus/2007-August/000125.html

Regards

Gabor
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

