Cisco 3.3 User Manual
Page 181
5-27
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 5 Shared Profile Components
Command Authorization Sets
To offer fine-grained control of device-hosted, administrative Telnet sessions, a
network device using TACACS+ can request authorization for each command line
before its execution. You can define a set of commands that are either permitted
or denied for execution by a particular user on a given device. Cisco Secure ACS
has further enhanced this capability as follows:
•
Reusable Named Command Authorization Sets—Without directly citing
any user or user group, you can create a named set of command
authorizations. You can define several command authorization sets, each
delineating different access profiles. For example, a “Help desk” command
authorization set could permit access to high level browsing commands, such
as “show run”, and deny any configuration commands. An “All network
engineers” command authorization set could contain a limited list of
permitted commands for any network engineer in the enterprise. A “Local
network engineers” command authorization set could permit all commands,
including IP address configuration.
•
Fine Configuration Granularity—You can create associations between
named command authorization sets and NDGs. Thus, you can define different
access profiles for users depending on which network devices they access.
You can associate the same named command authorization set with more than
one NDG and use it for more than one user group. Cisco Secure ACS enforces
data integrity. Named command authorization sets are kept in the
CiscoSecure user database. You can use the Cisco Secure ACS Backup and
Restore features to back up and restore them. You can also replicate command
authorization sets to secondary Cisco Secure ACSes along with other
configuration data.
For command authorization set types that support Cisco device-management
applications, the benefits of using command authorization sets are similar. You
can enforce authorization of various privileges in a device-management
application by applying command authorization sets to Cisco Secure ACS groups
that contain users of the device-management application. The Cisco Secure ACS
groups can correspond to different roles within the device-management
application and you can apply different command authorization sets to each
group, as applicable.