User privilege level for configuration backup with PI 1.2
We have more than 50 devices handling by PI 1.2 (testing) I like to know how to do configuration archiving with user who doesn't have write privilege.
I tried like this.
username john privilege 6 password cisco
privilege exec level 6 show running-config
(result) show run --> blank
I tried this user with one of switch in PI 1.2. It did not do configuration backup
username inout password inout
username inout privilege 15 autocommand show running-config
(result) once logged in, it automatically showed running-config. However when I tried with PI 1.2 with this user (inout). I couldn't do configuration back.
reference
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
so, my question is this. what is the solution for me to create certain user with read-only privilege while PI 1.2 is able to do configuration archiving ?
thanks in advance
7.4 MSE code will in fact require an update of Prime 1.2 to 1.3.0.20-
It's pretty easy though and your licenses will still work from the Prime Infra side.
Here's a link to upgrade PI to 1.3
http://www.cisco.com/en/US/partner/docs/net_mgmt/prime/infrastructure/1.3/release/notes/cpi_rn_13.html#wp73605
I personally would go ahead with the upgrade of both:::
Similar Messages
-
Privileges required for database backup with RMAN
Hello,
We have 10g R2 on Solaris box. We use RMAN for backup and use the SYS account on the database to connect and take the backup.
Are there specific privileges that are required to take the database backup , so that I do not use the SYS account or the syspassword in the RMAN script.
I want to create an account and give only the privileges required to take the database backup and recover .
ThanksI think RMAN needs the SYSDBA privilege, so you won't gain much by switching from SYS to another user.
You don't need to store sys/password in a script. You can just :-
rman target / catalog xxx/yyy@catalog -
Default Privilege Level for ASA users authenticated by Radius or TACACS when using ASDM
Hello,
I'm trying to figure out what the default privilege level is for users that are authenticated to the ASA via a remote authentication server when using the ASDM.
the command "aaa authentication http console TACACS+ LOCAL" is used in the ASA config.
The remote server is NOT setting any privilege levels for users. There are also no aaa authorization commands present in the config.
So what privilege level do the users receive when they login with the ASDM? I'm being told that the users receive admin access which includes config write, reboot, and debug. But I cannot find any documentation stating hte default level.
Please advise. And providing links to cisco documentation would be great too.
Thanks,
BrendanHi Berendan,
Hope the below exerpt from document clarifies your query. also i have provided the link to refer.
About Authorization
Authorization controls access per user after users authenticate. You can configure the security appliance to authorize the following items:
•Management commands
•Network access
•VPN access
Authorization controls the services and commands available to each authenticated user. Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users.
If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization configuration. For example, you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular user can access using authorization.
The security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the security appliance does not resend the request to the authorization server.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/aaasetup.html
Regards
Karthik -
Privilege level for the commands
Hi All,
I am trying to modify the privilege level of the commands in my router.
I need to understand what is the privilege level for the commands.
Is there a command in the IOS or a link with a document on the CCO with the criteria or the list of the command and its corresponded privile level.
Thanks
MatteoMatteo
I am not clear what it is that you are trying to do. But let me make a suggestion. While there are 16 privilege levels (0 through 15) there are two levels that are commonly used 1 and 15. 1 is what is usually called user mode and is the default level when someone first logs into the router. My suggestion is to identify what group of commands you do not want to be available in user mode, decide if they should be available in something less than 15, pick a level, and assign the commands to that level.
If you really do want to start from a list of commands and their privilege level, I do not think that you will find any single source which will accurately give you the privilege level for all commands. The closest you will find is to look in the command reference and find the command. The command reference will usually describe the privilege level. Unfortunately I have found a few situations where the description of privilege level was not correct.
My advice is that if you want to find the privilege level for some commands that you want to manipulate, that you get a router and try the command and determine what its privilege level is.
HTH
Rick -
Hello I bought a G-Raid GR4 4000 4 TB and used it for a backup with my new Imac27. Now this is all I get. "Time Machine couldn’t complete the backup to “G-RAID”. to complete backup. An error occurred while creating the backup folder."
Any idea what I should do?If you have more than one user account, these instructions must be carried out as an administrator.
Launch the Console application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ Open LaunchPad. Click Utilities, then Console in the icon grid.
Make sure the title of the Console window is All Messages. If it isn't, select All Messages from the SYSTEM LOG QUERIES menu on the left. If you don't see that menu, select
View ▹ Show Log List
from the menu bar.
Enter the word "Starting" (without the quotes) in the String Matching text field. You should now see log messages with the words "Starting * backup," where * represents any of the words "automatic," "manual," or "standard." Note the timestamp of the last such message. Clear the text field and scroll back in the log to that time. Select the messages timestamped from then until the end of the backup, or the end of the log if that's not clear. Copy them (command-C) to the Clipboard. Paste (command-V) into a reply to this message.
If all you see are messages that contain the word "Starting," you didn't clear the search box.
If there are runs of repeated messages, post only one example of each. Don't post many repetitions of the same message.
When posting a log extract, be selective. Don't post more than is requested.
Please do not indiscriminately dump thousands of lines from the log into this discussion.
Some personal information, such as the names of your files, may be included — anonymize before posting. -
Can legato be compatible for taking backups with RMAN
can legato software be compatible for taking backups with RMAN
oracle 10g
Message was edited by:
user531314Rman is so feature rich and yiou can integrate your third party backup software with rman to take backups, there is nothing to worry in your case, this is very much in the reach.
hare krishna
Alok -
PRIVILEGE LEVELS FOR ACS WITH AD DATABASE
How do I configure two separate privilige levels for two groups. These groups exist in the AD database i.e. my ACS (Pri & Backup) are looking in AD for authentication.
Hi ,
If you are using TACACS ,
Bring users/groups in at level needed
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter " priv "(1 to 15) in the adjacent field
If you are using RADIUS,
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host X.X.X.X key XXXX
Following is the configuration required in the Radius Server
The AV pair in the ACS -->group setup--> IETF RADIUS Attributes
[006] Service-Type = Login
/* Following is for getting the user straight in privledge mode */ to set priv 15
The AV pair in Cisco IOS/PIX RADIUS Attributes
[009\001] cisco-av-pair = shell:priv-lvl=15
For more information on above commands, please refer to the following link :-
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsec
ur_c/fsaaa/index.htm
Please try the above and let me know if this helps.
Thanks -
Setting privilege level for logging into ASA through ACS
Hi!,
In my environment i implemented AAA for logging into switches, routers, asa etc through ACS which is being configured TACACS+.
I have set different privilege levels like readonly, readwrite etc into ACS. There are working fine when i try to login into switch or router.
But in ASA i am unable to restrict the privilege levels of different users.
Can someone plz guide me with ASA & ACS setting to solve this issue!!!!!Hi!!
I tried this option. It is working fine with routers & switches. But for ASA privilege access it is not functioning.
I created 3 profiles in "Shared Profiles" & added 1 of them in Group setting & added users to this group with mentioning group authentication. This way i am able to control access to the switches & routers with proper privilege. But the same way when i tried to impolement ASA it's not happening.
Can u plz check it out... -
Change in privilege level for the command show logging
I have recently discovered a change in behavior in IOS. The command show logging has traditionally been available at user level. Now it has become a privilege level 15 command.
I thought that this was strange and opened a case with Cisco TAC about it. I was told that this is a new "feature" that was implemented for bugid CSCsl61281. Unfortunately this bugid is viewable by Cisco internally but not viewable by the public.
The TAC engineer tells me that this change is integrated into these releases:
This was integrated into the following releases:
12.4(24.05.01)PIX11
12.4(21.14.09)PIC01
12.4(19.03)T
12.2(52.23)SIN
12.2(33)SXI01
12.2(32.08.11)SX229
12.2(32.08.11)SR174
I do not think that this is a good change. If you do not think that this is a good change I suggest that you contact your Cisco support team and express your opinion about this change.
Otherwise as you go to new versions of IOS be aware of the potential impact on your network monitoring processes and procedures that show logging will require level 15 privilege access.
HTH
RickHi Rick,
Can you suggest me references to know more about privilege level commands?
How to enable different commands for different levels of privileges?
Thanks.
-Sudhish -
Aironet 1600 privilege level for MAC Filtering
Hi,
I want to permit from a user profile with the telnet CLI command to configure the new MAC address on the dot11 association mac-list 700
I have create the user 14 with the followed commands:
enable secret level 14 5 **************
enable secret 5 **************
privilege configure level 14 access-list
privilege exec level 14 write memory
privilege exec level 14 write
privilege exec level 14 configure terminal
privilege exec level 14 configure
privilege exec level 14 show dot11 associations client
privilege exec level 14 show dot11 associations
privilege exec level 14 show dot11
privilege exec level 14 show access-lists
privilege exec level 14 show
Access from login privilege 14
1602AP16#show privile
Current privilege level is 14
1602AP16#show access-l
Bridge address access list 700
permit 100b.a965.7384 0000.0000.0000 (2 matches)
permit 0026.c659.b182 0000.0000.0000
permit 0019.d2c2.96c0 0000.0000.0000
OK
add the new MAC address
1602AP16(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
1602AP16(config)#access-list 700 permit 0026.c659.b182 0000.0000.0000
^
% Invalid input detected at '^' marker.
I can open the user level 14 config and when I add the new MAC address I received the " Invalid input detected " message
What is wrong ?
Is it only permit at level 15 ?
IOS version :
Cisco IOS Software, C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
Thank you to shared me yours comments !
PatrickHi Patric,
Can u try this :
privilege configure level 14 access-list
and all other with priv 13.
privilege exec level 13 write memory
privilege exec level 13 write
privilege exec level 13 configure terminal
privilege exec level 13 configure
privilege exec level 13 show dot11 associations client
privilege exec level 13 show dot11 associations
privilege exec level 13 show dot11
privilege exec level 13 show access-lists
privilege exec level 13 show
and then try to configure it.
If still fails then u must use priv 15 .
Regards -
Custom privilege level for CSM commands
Is there a way to creat a custom privilege level to allow a user access to only CSM config commands while in config mode?? I'm trying to allow members of our server/web team to check on the status of the web servers and to take them out of service for maintenance....and not allow them access to change any other configs on the switch.
Thanks...JeffHere is an exampel for enable 5
enable secret level 5
privilege slb-lam-mode-real level 5 no inservice
privilege slb-lam-mode-real level 5 inservice
privilege slb-lam-mode-real level 5 inservice standby
privilege slb-lam-mode-csm-sfarm level 5 real
privilege slb-lam-mode-csm-sfarm level 5 real name
privilege slb-lam-mode-csm level 5 server
privilege configure level 5 module csm
privilege exec level 5 conf t
privilege exec level 5 exit -
WLC configuration Backup with WCS
Hi,
What kind of backup is done with the configuration Backup Task in the WCS Administration.
Is this a backup of the actual running config on the WLC or is it the saved (startup) config on the controller?
Is there a way to view/edit a configuration backup from the controller?
Can I create a task on the WCS to do a cyclic/automatic save configuration to flash?
Regards Christianthe configuration backup is for the controllers
and the files live wherever you specified the tftp server location on install of WCS.
The WLC backup is the running config from when the backup was completed.
go to your tftproot directory to view the config
If you are running a rev that outputs in xml format AND you are not encrypting it on the WLC.
I would not try editing the file. The hash will be altered and the config backup file will be useless.
You want WCS to be able to run the command 'save config' on each controller? How handy are you with tcl scripting? -
Creation of Sale Order for configurable material with availability check.
Hi,
We have a scenario in which the material is configurable. The configurable material (X) has few variants (Ex: X1, X2, X3, X4, X5). While booking the sale order, we use the material number (X).
Further, the material planning is done for the variants X1, X2, X3, X4, X5. The standard variants are planned for production in advance.
1. While booking the sale order, we want the availability check of the stock (type matching to happen). What needs to be done in configuration?
2. While booking the sale order, there is a possibility that the configuration selected will not match with any of the standard variants due to some additional requirements of the optional features, in such cases how to link the standard variants to the sale order & create requirement for additional requirements.
Regards,
UmeshHi Umesh,
1.Create material master for configurable material and variants in mm01.
2.Maintain BOM for the configurable material in CS01
3. Configur the variant configuration steps
a. Create charecteristics T.code CT04
b. Create values and assign classes
c. assign the values to charecteristics
d . Maitain dependence T.code CU01
e.create configuration profile t.code CU41
f.stimulate the configuration profile.
4. Do the availability check configuration through this path
IMG --> Sales and distribution > Basic functions ,> Availabilty check and Transfer of requirements.
5. Maintain the Availbility check field and MRP views in the material masters other wise you sit with PP people and do that
I hope it will help you
Regards,
Murali. -
What are the minimum db user privileges required for CDC?
What are the minimum privileges required for the source data server user in order to to successfully implement CDC
Currently I'm getting an "Insufficient privileges" error when trying to start a CDC journal on a model. The error is happening on the step that creates a trigger on the table in the source schema.
Here's the situation:
The data server uses the user "ODI_TEMP" for its connection. ODI_TEMP has been granted select privileges on the desired tables in the source schema. When starting the CDC journal on the model for the source schema, ODI tries to create a trigger on the source tables. This fails since the ODI_TEMP user can't create triggers on anything outside of it's own schema. For obvious fundamental security reasons, we cannot give the ODI_TEMP user the CREATE ANY TRIGGER system privilege on the data source.
Journalizing is set up using JKM Oracle Consistent. ODI is 11g, DB is 11g.Hi,
You can go for this
Grant CREATE ANY TRIGGER system privilege to ODI_TMP
Start the Journal , it will create triggers in ODI_TMP schema for the tables present in your source schema.
Now revoke CREATE ANY TRIGGER system privilege from ODI_TMP.
It will continue to work .. only when you are restarting the journal (due to adding or removing some tables in CDC) , you will be requiring CREATE ANY TRIGGER privilege.
Thanks,
Sutirtha -
GATP allocation check for configurable material with characteristic
Hi APO Gurus,
We are using configurable products and wanted to go for GATP allocation check based on Characteristics.
The scenario is goiven below,
All our products are configurable materials. At the entry of sales order , the characteristic values are updated and then the sales order is checked for GATP.
When the order come to APO-GATP for allocation check , here I want to check the allocation for configurable material.
But the allocation quantities are given for a combination of Configurable material and its characteristics.
How can we map such scenario?
Do I to create the CVC at family level that is configurable material level ?
How the characteristic values are considered in allocation.
Waiting for your reply.
regards,
Ravianswered.
Maybe you are looking for
-
My question on the above issue of MP3music HQ charging $40 is who are they? I was given no choice when I signed up for iTunes to add a $40 charge for MP3.
-
Media reconnection problem URGENT!
I am in a very urgent situation. Working on a feature length project and today after opening 2 sequences I was working on yesterday I had to relink media, because my scratch disks were not connected. While relinking, final cut pop up says that some c
-
Hi, I am trying to run the servicegen ant task withou running the setEnv.cmd file. My build process is very complex and I ned to include the WS generation in a standard way (run on a machine without wl install). I managed to do this withe wl6.1 stuff
-
Having Problems with Adobe Premiere Pro CC
Alright, So I downloaded and installed the Creative Cloud. I'm trying to download the Adobe Premiere Trail because I'm thinking of buying the product. However, After waiting so *******(Excuse the language, you have no idea how frustrating it is) long
-
I have lost my I-Phone. Is there a way to wipe it even though I can not find it?
I have lost my I-Phone. Is there a way to wipe it clean on line without access to the phone itself?