[tac_plus] Per Device Command Authorization
wiechman.lists at gmail.com
Fri Nov 19 16:54:05 UTC 2010
At this point we are just going to go with giving the firewall admins full
access to the core as well... since that dept is... me. :)
And if I can't trust myself, no one can.
Thanks for all the comments.
> -----Original Message-----
> From: Kiss Gabor (Bitman) [mailto:kissg at ssg.ki.iif.hu]
> Sent: Thursday, November 18, 2010 1:36 PM
> To: Ben Wiechman
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Per Device Command Authorization
> > In our case we'd like to allow certain users read only type access on
> > devices, but give more access on certain devices to do things like
> > static NAT, etc. Firewall administrators need more permissions on the
> > firewalls, but not on backbone routers as another example.
> > I don't see any way to do this with the stock configuration, but I may be
> > missing something.
> > It looks like it might be possible with the multiple groups patch
> > (http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/), but I'm not entirely
> > on that either.
> I'm afraid also that it can't solve your problem.
> ACLs are for exec authorization only, not for commands.
> However I found a quick and dirty solution:
> Firewall admins might have two accounts on some hosts.
> E.g. user 'bill' may login into all routers but has few permissions.
> Meanwhile 'bill_fw' has more rights but can log in on very few NASs.
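The two-account workaround from the quoted reply, written out as a tac_plus.conf fragment. This is an added illustration, not configuration posted in the thread: the device addresses, group names, the "show"/"static" command set and the use of /etc/passwd for passwords are all assumed for the example. It relies on the behaviour the reply describes: an `acl` on a user or group restricts which NAS addresses that account may log in from, while `cmd` blocks do the per-command authorization.

```conf
# Added example of the two-account workaround described in the reply above.
# Addresses, usernames, group names and the command set are constructed for
# illustration, not taken from the thread.

# NAS ACL: device addresses from which the firewall-admin account is accepted.
# Patterns are regexes matched against the NAS IP; the final deny catches the rest.
acl = fw_devices {
    permit = ^192\.0\.2\.1$
    permit = ^192\.0\.2\.2$
    deny = .*
}

# Read-only profile used on every device: exec at priv-lvl 1, "show" only.
group = netops_ro {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

# Firewall-admin profile: priv-lvl 15 plus the NAT-related commands,
# but usable only from the devices listed in fw_devices.
group = fw_admin {
    acl = fw_devices
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = configure {
        permit terminal
    }
    cmd = static {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

# 'bill' can log in to all routers but gets only the read-only profile ...
user = bill {
    member = netops_ro
    login = file /etc/passwd
}

# ... while 'bill_fw' carries the extra rights and is accepted only on the firewalls.
user = bill_fw {
    member = fw_admin
    login = file /etc/passwd
}
```

Both groups start from `default service = deny` so that anything not explicitly permitted is refused, and the `cmd = exit` entries keep the sessions usable under that default. The limitation the reply implies still holds: the elevated rights live in a separate account, so the accounting log will show `bill_fw` rather than `bill` for firewall changes, which is worth keeping in mind when correlating who did what.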