Cisco 7604 Configuration Manual page 539

Chapter 23 Configuring Management Access
show | clear | cmd—These optional keywords let you set the privilege only for the show, clear, or
•
configure form of the command. The configure form of the command is typically the form that
causes a configuration change, either as the unmodified command (without the show or clear prefix)
or as the no form. If you do not use one of these keywords, all forms of the command are affected.
level level—A level between 0 and 15.
•
mode {enable | configure}—If a command can be entered in user EXEC/privileged EXEC mode as
•
well as configuration mode, and the command performs different actions in each mode, you can set
the privilege level for these modes separately:
–
–
command command—The command you are configuring. You can only configure the privilege
•
level of the main command. For example, you can configure the level of all aaa commands, but not
the level of the aaa authentication command and the aaa authorization command separately.
Also, you cannot configure the privilege level of commands that are in a configuration mode entered
by the main command separately from the main command. For example, you can configure the
context command, but not the allocate-interface command, which inherits the settings from the
context command.
To enable local command authorization, enter the following command:
Step 2
hostname(config)# aaa authorization command LOCAL
Even if you set command privilege levels, command authorization does not take place unless you enable
command authorization with this command.
For example, the filter command has the following forms:
filter (represented by the configure option)
•
show running-config filter
•
clear configure filter
•
You can set the privilege level separately for each form, or set the same privilege level for all forms by
omitting this option. For example, set each form separately as follows.
hostname(config)# privilege show level 5 command filter
hostname(config)# privilege clear level 10 command filter
hostname(config)# privilege cmd level 10 command filter
Alternatively, you can set all filter commands to the same level:
hostname(config)# privilege level 5 command filter
The show privilege command separates the forms in the display.
The following example shows the use of the mode keyword. The enable command must be entered from
user EXEC mode, while the enable password command, which is accessible in configuration mode,
requires the highest privilege level.
hostname(config)# privilege cmd level 0 mode enable command enable
hostname(config)# privilege cmd level 15 mode cmd command enable
hostname(config)# privilege show level 15 mode cmd command enable
The following example shows an additional command, the configure command, that uses the mode
keyword:
hostname(config)# privilege show level 5 mode cmd command configure
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
enable—Specifies both user EXEC mode and privileged EXEC mode.
configure—Specifies configuration mode, accessed using the configure terminal command.
AAA for System Administrators
23-17