Chapter 5 Setting Up and Managing Shared Profile Components
Command Authorization Sets
5-14
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
About Command Authorization Sets
Command authorization sets provide a central mechanism to control the
authorization of each command on each network device. This greatly enhances the
scalability and manageability of setting authorization restrictions. In
Cisco Secure ACS, the default command authorization sets include the Shell
Command Authorization Sets and the PIX Command Authorization Sets. Cisco
device-management applications, such as Management Center for PIX Firewall,
may be enabled to instruct ACS to support additional command authorization set
types.
To offer fine-grained control of device-hosted, administrative Telnet sessions, a
network device can request authorization from Cisco Secure ACS for each command line
before it executes. You can define a set of commands that are either permitted
or denied for execution by a particular user on a given device. Cisco Secure ACS
has further enhanced this capability as follows:
• Reusable Named Command Authorization Sets—Without directly citing
any user or user group, you can create a named set of command
authorizations. You can define several command authorization sets, each
delineating a different access profile. For example, a “Help desk” command
authorization set could permit access to high-level browsing commands, such
as “show run”, and deny any configuration commands. An “All network
engineers” command authorization set could contain a limited list of
permitted commands for any network engineer in the enterprise. A “Local
network engineers” command authorization set could permit all commands,
including IP-address configuration.
• Fine Configuration Granularity—You can create associations between
named command authorization sets and NDGs. Thus, you are able to define
different access profiles for users depending on which network devices they
access. You can associate the same named command authorization set with
more than one NDG and use it for more than one user group.
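The following is an added, constructed model of the two points above (named sets reused across user groups, and per-NDG association), not Cisco Secure ACS code: each command line is checked against the set that the user's group and the device's NDG map to, and the matching rule (longest command prefix wins, deny when nothing matches) is an assumption made for the example.

```python
# Constructed example: named command authorization sets, associated per
# (user group, NDG) pair, consulted for each command line before it runs.
# Not Cisco Secure ACS logic; matching semantics are an assumption.
import shlex
from dataclasses import dataclass


@dataclass
class CommandAuthSet:
    name: str
    rules: list            # list of (prefix_words, permit) tuples
    permit_unmatched: bool = False

    def decide(self, command_line: str) -> bool:
        """Return True if the command line is permitted by this set."""
        words = shlex.split(command_line)
        best = None
        for prefix, permit in self.rules:
            # Longest matching prefix is the deciding rule (assumption).
            if words[:len(prefix)] == prefix and (best is None or len(prefix) > len(best[0])):
                best = (prefix, permit)
        return best[1] if best is not None else self.permit_unmatched


def rule(text: str, permit: bool):
    return (text.split(), permit)


# Sets modelled on the three profiles described in the text.
HELP_DESK = CommandAuthSet("Help desk", [rule("show", True), rule("configure", False)])
ALL_ENGINEERS = CommandAuthSet("All network engineers", [
    rule("show", True), rule("ping", True), rule("configure terminal", True),
    rule("interface", True), rule("ip address", False),   # no IP-address changes
])
LOCAL_ENGINEERS = CommandAuthSet("Local network engineers", [], permit_unmatched=True)

# (user group, NDG) -> named set; the same set is reused for several NDGs.
ASSOCIATIONS = {
    ("helpdesk", "core-routers"): HELP_DESK,
    ("helpdesk", "branch-routers"): HELP_DESK,
    ("engineers", "core-routers"): ALL_ENGINEERS,
    ("engineers", "branch-routers"): LOCAL_ENGINEERS,
}


def authorize(user_group: str, ndg: str, command_line: str) -> bool:
    """Decide one command line; no associated set means deny (assumption)."""
    auth_set = ASSOCIATIONS.get((user_group, ndg))
    return auth_set.decide(command_line) if auth_set is not None else False
```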
Cisco Secure ACS enforces data integrity. Named command authorization
sets are kept in the CiscoSecure user database. You can use the
Cisco Secure ACS backup and restore features to back up and restore them.
You can also replicate command authorization sets to secondary
Cisco Secure ACSes along with other configuration data.
For command authorization set types that support Cisco device-management
applications, the benefits of using command authorization sets are similar. You
can enforce authorization of various privileges in a device-management