[tac_plus] Granular restrictions of the "show" commands

Brandon Phelps bphelps at gls.com
Mon Mar 5 18:46:51 UTC 2012


Have you added the appropriate aaa authorization lines to your device?
If these lines were working properly then the user should not be able to
perform any action at all since the default is to deny everything
(unless you have a default service = permit line and neglected to
mention it).

On 03/05/2012 11:37 AM, David Crane wrote:
> Hi,
> 
> I'm trying to restrict the running of show commands on a more granular
> level. I just can't figure out how to do it.
> 
> What I want is a user to be able to perform
> 
> show run interface fa0/1 (For example)
> 
> but not perform a
> 
> 
> show run
> 
> 
> or
> 
> 
> show run interface vlan
> 
> 
> relevant tac config is
> 
> cmd = "show" {
> permit "/^running-config interface/"
> }
> 
> This appears to be just allowing all show commands. I've tried different
> expressions after googling several different configs, but everything I try
> appears to either deny all show commands or allow them all.
> 
> 
> I believe this is possible to do. I just need to know what I'm missing and
> how this should be formatted.
> 
> 
> Much appreciated.
> 
> 
> Dave.
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
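[Editor's note, not part of either message above.] A quick way to check a candidate
regex before touching the server is to emulate how tac_plus evaluates a cmd block:
the command name selects the block, each permit/deny regex is tried in order against
the argument string only (everything after the command name), the first match wins,
and a command whose arguments match no regex is denied. The script below is an added
example written for this thread, not code from the tac_plus project; it assumes that
matching rule, assumes the regex is written without surrounding slashes, and assumes
that IOS sends the fully expanded command ("sh run int fa0/1" arrives as
"show running-config interface FastEthernet0/1"). The sample policy and command lines
are constructed, and the patterns avoid Perl-only classes such as \S so they can be
pasted into tac_plus.conf, which uses the system regex library.

```python
import re

# Constructed policy for the "show" cmd block, in evaluation order.
# In tac_plus.conf this would read, roughly:
#   cmd = show {
#       deny   "^running-config interface [Vv]lan"
#       permit "^running-config interface [^ ]+$"
#   }
# Assumption: first matching regex wins; no match means deny.
SHOW_POLICY = [
    ("deny",   r"^running-config interface [Vv]lan"),
    ("permit", r"^running-config interface [^ ]+$"),
]

# Constructed examples of what the device sends after expanding abbreviations
# (assumption: IOS expands "sh run int fa0/1" before asking the TACACS+ server).
SAMPLE_COMMANDS = [
    "show running-config interface FastEthernet0/1",
    "show running-config interface GigabitEthernet1/0/24",
    "show running-config",
    "show running-config interface Vlan1",
    "show running-config interface FastEthernet0/1 | include ip",
    "show ip interface brief",
]


def split_command(cmdline):
    """Split a full command line into (command name, argument string)."""
    parts = cmdline.strip().split(None, 1)
    name = parts[0] if parts else ""
    args = parts[1] if len(parts) > 1 else ""
    return name, args


def authorize(cmdline, policy, default_action="deny"):
    """Return 'permit' or 'deny' for one command line under a cmd block.

    Only the argument string is matched, so "show running-config" yields
    args "running-config", which matches neither regex and is denied.
    """
    _, args = split_command(cmdline)
    for action, pattern in policy:
        if re.search(pattern, args):
            return action
    return default_action


def evaluate(commands=SAMPLE_COMMANDS, policy=SHOW_POLICY):
    """Map every sample command line to the decision the policy produces."""
    return {cmd: authorize(cmd, policy) for cmd in commands}


if __name__ == "__main__":
    for cmd, decision in evaluate().items():
        print(f"{decision:6}  {cmd}")
```

With this policy only "show running-config interface <one token>" is permitted; the
bare "show running-config", the Vlan variant, anything with a pipe after the interface
name, and every other show command come back as deny. That also illustrates Brandon's
point: if the device really were consulting the server with this block in place, the
observed result could not be "every show command allowed". The IOS lines that make
the router send per-command requests are "aaa authorization commands 15 default group
tacacs+ local" (and "aaa authorization config-commands" if configuration mode commands
are to be checked too), stated here as standard IOS syntax rather than as part of
either poster's configuration.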

