To view the list of the local users and their respective privileges (granted or revoked), you can use:
show user
GRANTING AND REVOKING PRIVILEGES
An Administrative User may give Login Users the possibility to execute certain commands generally
not allowed. In the same way, the Administrative User may revoke to an Administrative the
possibility to execute commands which are normally allowed.
grant-to <username> <command prefix>
executed by an Administrative User gives the user <username> (Login User), the possibility to
execute commands which begin with the specified prefix.
revoke-to <username> <command prefix>
executed by an Administrative User forbids the user <username> (Login User)) the possibility of
executing commands beginning with the specified prefix.
For example, the users "operator" and "technician" are respectively Login-User and Administrative-
User. "Operator" can normally check the configuration but cannot change it, while "technician" can
make any modification without restrictions. The commands:
grant-to operator set eth1
revoke-to technician set isdn dialer ippp1
allow "operator" to configure the Ethernet port and denies "technician" the right to configure the
ISDN dialer.
In order to eliminate a privilege or a revocation the following commands are used:
no-grant-to <username> <command prefix>
no-revoke-to <username> <command prefix>
The <command prefix> string is the initial part of any configuration command.
It is necessary to pay attention when only one Administrative User exists, for example root. The
commands:
revoke-to root set
revoke-to root no-revoke
definitively deny root the right to execute any kind of configuration command.
PRIVILEGE LEVELS AND ENABLE COMMAND
Besides Administrative and Login users, when the access to the router is governed by a Tacacs+ (or
RADIUS) server, it is possible to manage different levels of privilege in order to establish which
commands may be executed.
It is possible to establish up to 15 levels of privilege, numbered from 1 to 4. The higher the level,
the more the available commands. It also exists the 15 level which corresponds to a condition of
superuser, i.e. a user without any kind of restriction on commands (similar to Administrative
user described in the previous section).
To Next Page
Loading...
Need help?
General
