5-13
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 5 Setting Up and Managing Shared Profile Components
Command Authorization Sets

About Command Authorization Sets

Command authorization sets provide a central mechanism to control the authorization of each command on each network device. This greatly enhances the scalability and manageability of setting authorization restrictions. In Cisco Secure ACS, the default command authorization sets include the Shell Command Authorization Sets and the PIX Command Authorization Sets. Other Cisco network management applications, such as CiscoWorks2000, may be enabled to instruct ACS to support additional command authorization set types.
To offer administrators fine-grained control of network devices during a Telnet administration session, a network device using TACACS+ can request authorization for each command line before it is executed. Cisco Secure ACS administrators can define a set of commands that are either permitted or denied for execution by a particular user on a given device. Cisco Secure ACS further enhances this capability as follows:
•Reusable Named Command Authorization Sets—You can create a named set of device commands without directly citing any user or user group. The administrator can define a number of device command sets, each of which delineates a different access profile. For example, a “help desk” command set could permit high-level browsing commands, such as “show run”, and deny any configuration commands. An “All network engineers” command set could contain a limited list of permitted device commands for any network engineer in the enterprise. A “Local Network Engineers” command set could permit all device commands, including IP-address configuration.
•Finer Configuration Granularity—You can create associations between named command authorization sets and network device groups (NDGs). Thus, you are able to define different access profiles for users depending on which network devices they access. You can associate the same named command authorization set with more than one NDG and use it for more than one user group.
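The two points above describe a lookup in three steps: the device that sent the TACACS+ request is mapped to its NDG, the (user group, NDG) pair selects a named command authorization set, and that set permits or denies the command. The following is an added example of that lookup and is not Cisco Secure ACS code: the class and function names, the `permit_unmatched` flag, the fail-closed default for unknown devices or associations, and the sample sets, devices and requests are all assumptions made for illustration. The request format is the one TACACS+ uses for shell command authorization (`service=shell`, one `cmd=` attribute, repeated `cmd-arg=` attributes, terminated by `cmd-arg=<cr>`).

```python
"""Toy evaluator for named command authorization sets (added example, not ACS code)."""
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One line of a set: permit or deny a command, optionally only when its
    argument string fully matches one of the regexes in arg_patterns."""
    command: str
    permit: bool
    arg_patterns: list = field(default_factory=list)  # empty list = any arguments

    def matches(self, command, args):
        if command != self.command:
            return False
        if not self.arg_patterns:
            return True
        return any(re.fullmatch(p, args) for p in self.arg_patterns)


@dataclass
class CommandAuthorizationSet:
    """A reusable named set; it cites no user or user group directly."""
    name: str
    rules: list
    permit_unmatched: bool = False  # assumption: commands not listed are denied

    def authorize(self, command, args):
        for rule in self.rules:  # first matching rule wins
            if rule.matches(command, args):
                return rule.permit
        return self.permit_unmatched


def parse_shell_command_request(avpairs):
    """Return (command, argument string) from the AV pairs of a TACACS+ shell
    command authorization request, or None if it is not one.
    Example input: ['service=shell', 'cmd=show', 'cmd-arg=running-config', 'cmd-arg=<cr>']"""
    service, command, args = None, None, []
    for av in avpairs:
        key, sep, value = av.partition("=")
        if not sep:
            continue
        if key == "service":
            service = value
        elif key == "cmd":
            command = value
        elif key == "cmd-arg" and value != "<cr>":  # <cr> only marks end of line
            args.append(value)
    if service != "shell" or not command:
        return None
    return command, " ".join(args)


# Constructed sample configuration (assumptions, not taken from the guide).
SETS = {
    "help_desk": CommandAuthorizationSet("help_desk", [
        CommandRule("show", permit=True),        # high-level browsing, e.g. show run
        CommandRule("configure", permit=False),  # no configuration commands
    ]),
    "all_engineers": CommandAuthorizationSet("all_engineers", [
        CommandRule("show", permit=True),
        CommandRule("ping", permit=True),
        CommandRule("traceroute", permit=True),
        CommandRule("clear", permit=True, arg_patterns=[r"counters.*"]),  # clear counters only
    ]),
    "local_engineers": CommandAuthorizationSet("local_engineers", [], permit_unmatched=True),
}

DEVICE_NDG = {"core-rtr-1": "core", "branch-rtr-7": "branch"}

# (user group, NDG) -> set name; the same set may serve several NDGs and groups.
ASSOCIATIONS = {
    ("helpdesk", "core"): "help_desk",
    ("helpdesk", "branch"): "help_desk",
    ("neteng", "core"): "all_engineers",
    ("neteng", "branch"): "local_engineers",
}


def authorize(user_group, device, avpairs):
    """Decide one command for a member of user_group on device.
    Denies (fails closed) when the device, the association or the request is unknown."""
    parsed = parse_shell_command_request(avpairs)
    ndg = DEVICE_NDG.get(device)
    if parsed is None or ndg is None:
        return False
    set_name = ASSOCIATIONS.get((user_group, ndg))
    if set_name is None:
        return False
    command, args = parsed
    return SETS[set_name].authorize(command, args)


if __name__ == "__main__":
    req = ["service=shell", "cmd=configure", "cmd-arg=terminal", "cmd-arg=<cr>"]
    for group, device in [("helpdesk", "core-rtr-1"), ("neteng", "core-rtr-1"), ("neteng", "branch-rtr-7")]:
        print(group, device, "configure terminal ->", "permit" if authorize(group, device, req) else "deny")
```

Note the ordering in `authorize`: the NDG is resolved from the device that sent the request, not from anything the user supplies, and every unknown case denies. The same "help_desk" set is associated with both NDGs, while "neteng" gets a different profile on core and branch devices, which is the granularity the second bullet describes.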
Cisco Secure ACS maintains the integrity of this data. Named command authorization sets are kept in the CiscoSecure user database, can be backed up and restored by the Cisco Secure ACS backup and restore features, and are replicated to secondary Cisco Secure ACS servers along with the rest of the configuration.