Command authorization sets assignment – Cisco 3.3 User Manual
Page 182
Chapter 5 Shared Profile Components
Command Authorization Sets
5-28
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Cisco Secure ACS has three sequential stages of command authorization filtering.
Each command authorization request is evaluated in the following order:
1.
Command Match: Cisco Secure ACS determines whether the command
being processed matches a command listed in the command authorization set.
If no matching command is found, command authorization is determined by
the Unmatched Commands setting, which is either permit or deny. Otherwise,
if the command is matched, evaluation continues.
2.
Argument Match: Cisco Secure ACS determines whether the command
arguments presented match the command arguments listed in the command
authorization set.
–
If any argument is unmatched, command authorization is determined by
whether the Permit Unmatched Args option is enabled. If unmatched
arguments are permitted, the command is authorized and evaluation ends;
otherwise, the command is not authorized and evaluation ends.
–
If all arguments are matched, evaluation continues.
3.
Argument Policy: Having determined that the arguments in the command
being evaluated match the arguments listed in the command authorization set,
Cisco Secure ACS determines whether each command argument is explicitly
permitted. If all arguments are explicitly permitted, Cisco Secure ACS grants
command authorization. If any arguments is not permitted, Cisco Secure ACS
denies command authorization.
Command Authorization Sets Assignment
For information on assigning command authorization sets, see the following
procedures:
•
Shell Command Authorization Sets—See either of the following:
–
Configuring a Shell Command Authorization Set for a User Group,
page 6-33
–
Configuring a Shell Command Authorization Set for a User, page 7-26
•
PIX Command Authorization Sets—See either of the following:
–
Configuring a PIX Command Authorization Set for a User Group,
page 6-35
–
Configuring a PIX Command Authorization Set for a User, page 7-29