5-15
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 5 Setting Up and Managing Shared Profile Components
Command Authorization Sets
application by applying command authorization sets to Cisco Secure ACS groups
that contain users of the device-management application. The Cisco Secure ACS
groups can correspond to different roles within the device-management
application and you can apply different command authorization sets to each
group, as applicable.
For information on assigning command authorization sets, see the following
procedures:
•
Shell Command Authorization Sets—See either of the following:
–
Configuring a Shell Command Authorization Set for a User Group,
page 6-31
–
Configuring a Shell Command Authorization Set for a User, page 7-25
•
PIX Command Authorization Sets—See either of the following:
–
Configuring a PIX Command Authorization Set for a User Group,
page 6-33
–
Configuring a PIX Command Authorization Set for a User, page 7-28
•
Device Management Command Authorization Sets—See either of the
following:
–
Configuring Device-Management Command Authorization for a User
Group, page 6-35
–
Configuring Device Management Command Authorization for a User,
page 7-30
About Pattern Matching
For permit/deny command arguments, Cisco Secure ACS applies pattern
matching. That is, the argument permit wid matches any argument that contains
the string wid. Thus, for example, permit wid would allow not only the argument
wid but also the arguments anywid and widget.
To limit the extent of pattern matching you can add the following expressions:
•
dollarsign ($)—Expresses that the argument must end with what has gone
before. Thus permit wid$ would match against wid or anywid, but not
widget.
•
caret (^)—Expresses that the argument must begin with what follows. Thus
permit ^wid would match against wid or widget, but not against anywid.