Read-only ASDM access (Cisco PIX/ASA)

I need to grant some of our helpdesk users limited ASDM access. They need to be able to see the firewall rules, but not be able to make changes.

Granting read-only ASDM access only gives access to the home and monitoring "pages" and not the configuration.

I'd like to be able to create a user level (e.g. 5) that allows this, but I'm not sure how.
jonhicks Asked:

MikeKane Commented:
IIRC, you use local AAA authorization and the command:

username <username> password <the password> encrypted privilege 5

That should use the predefined user privileges for read only access to the ASDM.
MikeKane Commented:
And, BTW, Monitoring only access is privilege 3, not 5.
jonhicks Author Commented:
Ah, so there are pre-defined levels between 2 and 15? I thought you had to manually configure your own custom levels. I'll give this a go... thanks.
MikeKane Commented:
FYI:


Predefined User Account Command Privilege Setup

This pane asks whether you want the security appliance to set up user profiles named Admin, Read Only, and Monitor Only. You get to this pane by clicking Restore Predefined user Account Privileges on the Authorization tab of the Authentication/Authorization/Accounting pane.
jonhicks Author Commented:
Cheers. The solution was on the AAA Access / Authorization page, as per http://www9.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/devaccss.html#wp1286594.


Assigning Privilege Levels to Commands and Enabling Authorization

To assign a command to a new privilege level, and enable authorization, follow these steps:

Step 1  To enable command authorization, go to Configuration > Device Management > Users/AAA > AAA Access > Authorization, and check the Enable authorization for command access > Enable check box.

Step 2  From the Server Group drop-down list, choose LOCAL.

Step 3  When you enable local command authorization, you have the option of manually assigning privilege levels to individual commands or groups of commands or enabling the predefined user account privileges.

• To use predefined user account privileges, click Set ASDM Defined User Roles.

The ASDM Defined User Roles Setup dialog box shows the commands and their levels. Click Yes to use the predefined user account privileges: Admin (privilege level 15, with full access to all CLI commands); Read Only (privilege level 5, with read-only access); and Monitor Only (privilege level 3, with access to the Monitoring section only).

Level 3 = monitoring, Level 5 = read-only, Level 15 = admin.
jonhicks Author Commented:
See Cisco user guide for complete explanation.
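
As an added example (not from the thread or from Cisco), this Python check audits a saved running-config against the setup described above: it lists local accounts with the role names the thread gives for levels 3, 5 and 15, and flags a missing `aaa authorization command LOCAL` line, assumed here to be the CLI form of Steps 1 and 2. The sample config, usernames and hash placeholders are constructed, and level 2 is the ASA default for a `username` line without `privilege`.

```python
import re

# Levels and role names as given in the thread for the ASDM predefined roles.
ASDM_ROLES = {3: "Monitor Only", 5: "Read Only", 15: "Admin"}
DEFAULT_LEVEL = 2  # ASA default when a username line has no "privilege N"

def audit_asa_users(config_text):
    """Return (users, findings) for the local accounts in an ASA config."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    # Assumed CLI form of Steps 1 and 2 (enable authorization, group LOCAL).
    authz_on = "aaa authorization command LOCAL" in lines
    users, findings = {}, []
    for ln in lines:
        m = re.match(r"username\s+(\S+)\s+(.*)$", ln)
        if not m or m.group(2).startswith("attributes"):
            continue  # not an account definition (e.g. "username x attributes")
        name, rest = m.groups()
        lvl = re.search(r"\bprivilege\s+(\d+)\b", rest)
        level = int(lvl.group(1)) if lvl else DEFAULT_LEVEL
        users[name] = (level, ASDM_ROLES.get(level, "custom"))
        if level not in ASDM_ROLES:
            findings.append(f"{name}: level {level} is not a predefined ASDM role")
    if not authz_on:
        limited = sorted(n for n, (lvl, _) in users.items() if lvl < 15)
        if limited:
            findings.append("aaa authorization command LOCAL missing; "
                            "affects: " + ", ".join(limited))
    if authz_on and not any(lvl == 15 for lvl, _ in users.values()):
        findings.append("no level 15 (Admin) account defined")
    return users, findings

# Constructed sample config; names and hashes are placeholders.
SAMPLE = """\
aaa authentication http console LOCAL
username admin password PLACEHOLDERHASH1 encrypted privilege 15
username helpdesk1 password PLACEHOLDERHASH2 encrypted privilege 5
username noc password PLACEHOLDERHASH3 encrypted privilege 3
username temp password PLACEHOLDERHASH4 encrypted
username helpdesk1 attributes
 service-type admin
"""

if __name__ == "__main__":
    users, findings = audit_asa_users(SAMPLE)
    for name, (level, role) in users.items():
        print(f"{name:10} level {level:2} {role}")
    for f in findings:
        print("FINDING:", f)
```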