[tac_plus] Per Device Command Authorization
Kiss Gabor (Bitman)
kissg at ssg.ki.iif.hu
Thu Nov 18 19:35:32 UTC 2010
> In our case we'd like to allow certain users read only type access on most
> devices, but give more access on certain devices to do things like configure
> static NAT, etc. Firewall administrators need more permissions on the
> firewalls, but not on backbone routers as another example.
>
> I don't see any way to do this with the stock configuration, but I may be
> missing something.
>
> It looks like it might be possible with the multiple groups patch here
> (http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/), but I'm not entirely clear
> on that either.
I'm afraid it can't solve your problem either.
ACLs are for exec authorization only, not for commands.
However, I found a quick and dirty solution:
Firewall admins might have two accounts on some hosts.
E.g. user 'bill' may log in to all routers but has few permissions.
Meanwhile 'bill_fw' has more rights but can log in on very few NASs.
Regards
Gabor
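The two-account workaround described above, written out as a tac_plus.conf fragment; this is an added illustration, not Gabor's configuration or part of his patched tac_plus. The NAS addresses (routers in 10.0.0.0/24, firewalls 10.0.1.1 and 10.0.1.2), the group and ACL names, and the use of /etc/passwd for passwords are assumptions made for the example.

```text
# Added example (not from the original post): tac_plus.conf showing the
# 'bill' / 'bill_fw' two-account scheme. Addresses and names are assumed.

key = "CHANGE_ME"

# The ACL is matched against the NAS (client) IP address during exec
# authorization, so 'bill_fw' only gets a shell from the two firewalls.
# Command authorization is not affected by ACLs, hence the second account.
acl = fw_only {
    permit = ^10\.0\.1\.1$
    permit = ^10\.0\.1\.2$
    deny   = .*
}

# Read-only group: exec at priv-lvl 1 and only 'show' commands permitted.
# Commands without a matching cmd clause are denied (no "default service = permit").
group = readonly {
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

# Firewall-admin group: priv-lvl 15 and configuration commands allowed.
group = fw_admin {
    service = exec {
        priv-lvl = 15
    }
    cmd = configure {
        permit terminal
    }
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

# Everyday account: may authorize exec on every NAS, but stays read-only.
user = bill {
    login = file /etc/passwd
    member = readonly
}

# Elevated account: full rights, but exec authorization succeeds only from
# the NAS addresses matched by the 'fw_only' ACL (backbone routers deny it).
user = bill_fw {
    login = file /etc/passwd
    member = fw_admin
    acl = fw_only
}
```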