Role-Based CLI Access
In an effort to provide more flexibility than privilege levels allow, Cisco introduced the role-based CLI access feature in Cisco IOS Release 12.3(11)T. This feature provides finer, more granular access by controlling which commands are available to specific roles. Role-based CLI access enables the network administrator to create different views of router configurations for different users. Each view defines the CLI commands that each user can access.
Security
Role-based CLI access enhances the security of the device by defining the set of CLI commands accessible by a specific user. Additionally, administrators can control user access to specific ports, logical interfaces, and slots on a router. This prevents a user from accidentally or purposely changing a configuration or collecting information to which they should not have access.
Availability
Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel and minimizes downtime.
Operational Efficiency
Users only see the CLI commands applicable to the ports and CLI to which they have access. Therefore, the router appears to be less complex, and commands are easier to identify when using the help feature on the device.
Role-Based Views
Role-based CLI provides three types of views that dictate which commands are available:
Root View
To configure any view for the system, the administrator must be in root view.
Root view has the same access privileges as a user who has level 15 privileges. However, a root view is not the same as a level 15 user. Only a root view user can configure a new view and add or remove commands from the existing views.
CLI View
A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view has no command hierarchy and no higher or lower views. Each view must be assigned all commands associated with that view. A view does not inherit commands from any other view. Additionally, the same commands can be used in multiple views.
Superview
A superview consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible. Superviews allow a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated with that one CLI view.
Superviews have several specific characteristics:
- A single CLI view can be shared within multiple superviews.
- Commands cannot be configured for a superview. An administrator must add commands to the CLI view and add that CLI view to the superview.
- Users who are logged into a superview can access all the commands that are configured for any of the CLI views that are part of the superview.
- Each superview has a password that is used to switch between superviews or from a CLI view to a superview.
- Deleting a superview does not delete the associated CLI views. The CLI views remain available to be assigned to another superview.
Configuring Role-Based Views
Before an administrator can create a view, AAA must be enabled using the aaa new-model
command. To configure and edit views, an administrator must log in as the root view, to log in as the root view, first:
create a privilege password,
then:
enable view view_name
- view: This parameter enters root view if no view-name is specified.
- view_name: optional, this parameter can be used to switch from one CLI view to another CLI view. If not specified, root is assumed.
There are five steps to create and manage a specific view:
Step 1. Enable AAA with the aaa new-model global configuration mode command. Exit and enter the root view with the enable view command.
Step 2. Create a view using the parser view view-name
global configuration mode command. This enables the view configuration mode. Excluding the root view, there is a maximum limit of 15 views in total.
Step 3. Assign a secret password to the view using the secret encrypted-password
view configuration mode command.
secret encrypted-password
- Sets a password to protect access to the view.
- Password must be created immediately after creating view, other wise, an error message will appear.
Step 4. Assign commands to the selected view using the commands parser-mode
command in view configuration mode.
commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
- Commands: adds commands or interfaces to a view
- parser-mode: the mode in which the specified command exists: for example, EXEC mode.
- Include: adds a command or an interface to the view and allows the same command or interface to be added to other views
- include-exclusive: adds a command or an interface to the view and excludes the same command or interface from being added to all other views
- exclude: excludes a command or an interface from the view.
- all : a wildcard that allows every command in a specified configuration mode that begins with the same keyword or every subinterface for a specified interface to be part of the view.
- Interface: interface that is added to the view.
- command: command that is added to the view.
eg:
Router(config)#enable secret cisco
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#enable view
Password: //cisco
Router#%PARSER-6-VIEW_SWITCH: successfully set to view ‘root’.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#parser view frank
Router(config-view)#%PARSER-6-VIEW_CREATED: view ‘frank’ successfully created.
Router(config-view)#secret ciscofrank
Router(config-view)#command exec include all show // allow show command
Router(config-view)#command exec include all config terminal // allow config terminal command
Router(config-view)#command exec include all debug // allow debug command
Router(config-view)#endRouter#
%SYS-5-CONFIG_I: Configured from console by console
Router#enable view frank
Password: //ciscofrank
Router#%PARSER-6-VIEW_SWITCH: successfully set to view ‘frank’.
Router#
Configuring role-based CLI superviews
There are four steps to create and manage a superview:
Step 1. Create a view using the parser view view-name superview
command and enter superview configuration mode.
Step 2. Assign a secret password to the view using the secret encrypted-password
command.
Step 3. Assign an existing view using the view view-name
command in view configuration mode.
- Adds a CLI view to a superview
- Multiple views can be added
- Views may be shared between superviews
Step 4. Exit superview configuration mode by typing the exit command.
More than one view can be assigned to a superview, and views can be shared between superviews.
To access existing views, enter the enable view view-name command in user mode and enter the password that was assigned to the custom view. Use the same command to switch from one view to another.