[tac_plus] Re: Different privs for different devices?

Alan McKinnon alan.mckinnon at gmail.com
Wed Jun 30 22:32:16 UTC 2010


On Thursday 01 July 2010 00:08:03 Paul Floyd wrote:
> > A sensible approach that causes you more work than you think proper but
> > leaves you sane is to maintain two separate group, acl and rights
> > definitions, even if they overlap to a greater or lesser degree.
> 
> Hmm... OK.  Can you give me some insight as to how to do that?  I'm OK
> creating separate groups and ACLs, but how do I make a single user a
> member of both groups?  Or are you saying I also have to create two
> separate userids for every user?

Sorry, I slightly misread what you are trying to achieve. It's the 
combination of privilege and acl that got me. Having re-read your post, I 
can't think off-hand of an easy solution in the tac_plus config itself, but 
your stumbling block doesn't change. And networking kit isn't my expertise 
either - I copy the allowed command list my Cisco guys give me verbatim and 
leave them to work magic on the devices themselves.

If no-one else comes up with a bright idea, here are some out-of-the-box 
approaches:

- call an external script as John suggests in my other reply

- modify the sources yourself to suit your needs

- give everyone two login ids. This is horrible though - if your helpdesk 
staff are anything like me they will be completely unable to map privilege 
levels to devices in their head and will constantly get it wrong

- run two tac_plus servers (virtual machines are cool for this). Configure 
your devices to use the appropriate one. They will have the same list of users 
and two groups each - limited and full. A specific user belongs to only one 
group and you can adjust the rights of each group as you wish. The need for 
acls falls away as the acl has now effectively moved onto the device



-- 
alan dot mckinnon at gmail dot com
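The two-server approach from the last bullet, as an added example that is not part of Alan's post: two constructed tac_plus.conf files with identical users and groups, differing only in which group each user is a member of. The hostnames, user names and key placeholders are made up; each device class is pointed at its own server through the device's own AAA configuration, so no tac_plus acl is needed.

```conf
# tac_plus.conf on server "tacacs-core" (constructed example).
# Only the core routers point their tacacs-server statements here.
key = "CORE-SECRET-PLACEHOLDER"
group = full {
    default service = permit
    service = exec { priv-lvl = 15 }
}
group = limited {
    default service = deny
    service = exec { priv-lvl = 1 }
    cmd = show {
        permit .*
    }
}
user = alice {
    member = full
    login = file /etc/passwd
}
user = bob {
    member = limited
    login = file /etc/passwd
}

# tac_plus.conf on server "tacacs-access" (constructed example).
# Only the access switches point here. Same users and groups as above;
# only the "member =" lines differ, which is where the per-device-class
# privilege policy now lives instead of in an acl.
key = "ACCESS-SECRET-PLACEHOLDER"
group = full {
    default service = permit
    service = exec { priv-lvl = 15 }
}
group = limited {
    default service = deny
    service = exec { priv-lvl = 1 }
    cmd = show {
        permit .*
    }
}
user = alice {
    member = full
    login = file /etc/passwd
}
user = bob {
    member = full
    login = file /etc/passwd
}
```

Because bob is "limited" on tacacs-core but "full" on tacacs-access, he gets priv-lvl 15 on access switches and a show-only priv-lvl 1 session on core routers with a single login id.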

