Privilege level for Junior Admin

In an environment where a Junior Admin is limited to just viewing configuration and probably using only certain commands on Cisco devices, what kind of privilege level is right for them?


Consider a JR-ADMIN account with level 1 and level 5 access, plus the reload command.

Documentation from Cisco regarding this is available here:
jskfanAuthor Commented:
The link above does not describe what each Level is capable of.
For instance, if I give a user Level 1 or 2, and I do not know what Level 1 or 2 can do, then I might have given them too much or less than what they are supposed to do...

To be specific, a Jr Admin needs to have access to all SHOW commands.
He can create Vlans but not delete any.
He can create Vlan Interfaces but not Any.
He can use Session Monitors and capture the traffic with WireShark.

How can this be done?

jskfanAuthor Commented:
I meant:
He can create Vlan Interfaces but cannot delete any.

This can be accomplished, but it is not recommended absent a real business requirement.
Also, granting all show commands such as "show run" is hairy, since an admin can't actually
see config statements regarding sections that they don't have access to.

My general recommendation would be: back up your configurations and maintain regular config backups, set up a syslog server with archiving and command logging to log every command any admin enters on the device, and give the Junior admin full access, assuming the Junior admin is a Junior network admin and not a helpdesk tech.

Explain the boundaries very clearly to the Jr admin regarding what he is allowed and not allowed to do.
Creating vlan interfaces is more than enough rope to blow up a router.

The first thing you need to learn is the ability to delegate responsibilities and trust people.

If the Junior admin is somebody you know you can't trust, or who can't show basic restraint and follow your guidelines, then that is another matter entirely.

By default, essentially all commands have Privilege Level 1 or Level 15.
A user logs in, and the user is either assigned privilege level 1 or a local-user-specific privilege level.

You can use either an enable password for each privilege level, a privilege clause on their local user to set a login privilege level, or a privilege clause on the Console/VTY line itself.

Hopefully, you understand what is involved in setting a user at a certain privilege level in the local user database, if using local AAA...

Then you can place a user into, say, privilege 8 and change exec and configure commands to require privilege 8. Example:

username blah privilege 8 secret blahblah

privilege interface level 8 shutdown
privilege interface level 8 ip address
privilege interface level 8 ip
privilege configure all level 8 interface
privilege configure all level 8 monitor
privilege exec level 8 configure terminal
privilege exec level 8 configure
privilege exec level 5 show running-config
privilege exec level 1 show

This is not highly granular; you choose commands and config sections to provide access to, and this doesn't get highly specific down to "Can create a Vlan but not remove one". More granular restrictions are possible through the use of a TACACS+ server, with Command Authorization through AAA.

Unfortunately, implementing a TACACS+ server with per-command authorization is a major project
if you don't have that resource in place, and much sugar for a dime, just to limit one junior admin.

Again, you might like to back down your desires about restricting to bare requirements, as you will need man-hours for fine-tuning anything overly specific.
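An added example (not from the thread or from Cisco) that turns the rules in the answer above into a small audit script: it parses `privilege` and `username` lines from a config, reports which level a command needs (the longest matching rule wins, and `all` covers a whole subtree), and whether a given user reaches it. The default level table and the `helpdesk` user are assumptions.

```python
"""Audit who can run what under Cisco IOS privilege levels (added example).
Models the rules in the answer: a command defaults to level 1 or 15, a
`privilege <mode> [all] level <N> <cmd>` line moves it to N, a user at L
may run anything at a level <= L. The default table is a simplification."""
import re

# Constructed sample built from the lines quoted above, plus one user with
# no privilege clause (so level 1 by default).
SAMPLE_CONFIG = """\
username blah privilege 8 secret blahblah
username helpdesk secret hdpass
privilege interface level 8 shutdown
privilege configure all level 8 interface
privilege configure all level 8 monitor
privilege exec level 8 configure terminal
privilege exec level 5 show running-config
privilege exec level 1 show
"""

# Assumption: unassigned commands starting with these words are level 1,
# everything else is level 15 (real IOS defaults vary by command).
LEVEL1_DEFAULTS = ("show", "ping", "enable", "exit")
PRIV_RE = re.compile(r"^privilege (\S+) (all )?level (\d+) (.+)$")
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?")


def parse_config(text):
    """Return ([(mode, all, level, command)], {user: level})."""
    rules, users = [], {}
    for line in text.splitlines():
        if m := PRIV_RE.match(line.strip()):
            mode, all_kw, level, cmd = m.groups()
            rules.append((mode, all_kw is not None, int(level), cmd.strip()))
        elif m := USER_RE.match(line.strip()):
            users[m.group(1)] = int(m.group(2) or 1)  # no clause -> level 1
    return rules, users


def required_level(rules, mode, command):
    """Level needed for one command; the longest matching rule wins."""
    words, best = command.split(), (-1, None)
    for r_mode, all_kw, level, cmd in rules:
        cw = cmd.split()
        if r_mode == mode and len(cw) > best[0] and (
                cw == words or (all_kw and words[:len(cw)] == cw)):
            best = (len(cw), level)
    if best[1] is not None:
        return best[1]
    return 1 if words[0] in LEVEL1_DEFAULTS else 15


def can_run(rules, users, user, mode, command):
    return users.get(user, 1) >= required_level(rules, mode, command)
```

Running it against the sample shows the point made above: `blah` at level 8 can touch `interface Vlan10` and `monitor session`, but `vlan 10` in config mode still needs level 15 because nothing assigned it lower.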

btanExec ConsultantCommented:
Implementing privilege levels varies depending on the organization's structure and the different job functions that require access to the infrastructure devices. So let's say an administrator could assign four levels of device access within an organization; then below is one option.
• A USER account (requiring level 1, not including ping)
• A SUPPORT account (requiring all level 1 access, plus the ping command)
• A JR-ADMIN account (requiring all level 1 and 5 access, plus the reload command)
• An ADMIN account (requiring complete access)

USER has default level 1 (Router>) access; no custom privilege level is defined.

SUPPORT can be assigned a higher level of access, such as level 5. Level 5 automatically inherits the commands from levels 1 through 4. You can simply assign level 5 to even the basic ping command; use the following command:
> privilege exec level 5 ping

The JR-ADMIN account needs access to all level 1 and level 5 commands as well as the reload command. This account can also be assigned a higher level of access, such as level 10, based on your use case and number of groups. I prefer to stay simple for managing role-based assignment. But assume we want to go for level 10; then, to assign this level to the privileged EXEC mode reload command, e.g.
>privilege exec level 10 reload
>username jr-admin privilege 10 secret cisco10
>enable secret level 10 cisco10
(note - To access level 10 mode, the password cisco10 is required.)

I also understand Role-based CLI provides three types of views, which can be discussed in the same context as each group above.

• Root view - same access privileges as a user who has level 15 privileges, but it is not a level 15 user per se. Only a root view user can configure a new view and add or remove commands from the existing views.

• CLI view - Unlike privilege levels, a CLI view has no command hierarchy and, therefore, no higher or lower views. Each view must be assigned all commands associated with that view.

• Superview - consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible.

Overall, I find that one of the biggest challenges is escalating a user to higher privileges just because he is not able to do ad-hoc work, or, as mentioned, to have access to a certain resource; we can simply give the account all privileges, but it breaks the meaning of having such enforcement.

So let's say an administrator really needs to create a user account (instead of having JR ADMIN) that has access to most but not all commands; then the privilege exec statements must be configured for every command that must be executed at a privilege level lower than 15. This can be a tedious process, and we can lose sight easily. Better to have a good case to shift a user permanently (instead of ad-hoc) into each role for a more informed decision.

Ref -
jskfanAuthor Commented:
The problem is there is no visibility into what each privilege Level can do by default.
Cisco should put online a document that says, if you grant a Privilege level to a user:

Level 1 = they can do this and that
Level 2 = they can do this and that.
Level 15= they can do this and that

Based on what users can do out of the box, we'll assign them to a specific level.

Just like Microsoft Built-in Security groups (what they can do out of the box)
btanExec ConsultantCommented:
Indeed, you are not wrong with this understanding, and I believe it may not be possible to compare apples to oranges against a Windows OS, which is full-fledged. Cisco does not go to that granularity for permissions and instead leaves it to the administrator to decide and assign a level to each command within IOS.

Many network administrators who work with the Cisco IOS may never even bother to think about the level of privilege they are using or the meaning of the level. (Probably that is why sysadmin and network admin are two folks in an MNC or even an SME.)

In short, the best we can understand from the offering given is that when it comes to assigning the different privilege levels in the Cisco IOS, the onus falls on the user to manage it. Cisco just facilitates for us to enable whatsoever command accordingly, based on the principle that the higher your privilege level, the more router-level commands should be enabled. Otherwise, for simplicity, Cisco routers are familiar with only two privilege levels by default. I doubt we should expect any changes in IOS; you can likely explore other consultancy aspects with the Cisco folks or partners...
jskfanAuthor Commented:
Thank you Guys!