Command-Level Authorization

In some organizations, more than one administrator manages the Security Appliances. In those
cases, you can give the other admins full rights to the Security Appliances, or you can limit each
of them to the commands their assigned functions require, reducing the chance of unintended (or
sometimes malicious) changes on the firewall(s). The PIX operating system provides a mechanism
for controlling which commands a given user can execute.
The Security Appliance software version 6.2 and higher supports up to 16 privilege levels.
This is similar to what is available with IOS Software. With this feature, you can assign
Security Appliance commands to one of 16 levels, 0 through 15.
When commands and users have privilege levels set, the two levels are compared to
determine if a given user can execute a given command. If the user’s privilege level is lower
than the privilege level of the command, the user is prevented from executing the command.
In the default configuration, each Security Appliance command is assigned to either privilege
level 0 or privilege level 15.
The privilege command sets user-defined privilege levels for Security Appliance commands:
[no] privilege [show | clear | configure] level level [mode enable | configure] command command
Table 4-2 shows the description of the privilege command parameters.
For example, the following commands set the privilege of the different command modifiers
of the access-list command:
privilege show level 9 command access-list
privilege configure level 11 command access-list
privilege clear level 10 command access-list
The first line sets the privilege of show access-list (show modifier of command access-list) to
9. The second line sets the privilege level of the configure modifier to 11, and the last line sets
the privilege level of the clear modifier to 10.
To set the privilege of all the modifiers of the access-list command to a single privilege level
of 10, you would enter the following command:
privilege level 10 command access-list
Once you have assigned new privilege levels to the commands you want to control, you enable
command authorization against either the LOCAL user database or a TACACS+ server. The
following command enables command authorization against the LOCAL database:
aaa authorization command LOCAL
When users log in to Security Appliance, they can enter any command assigned to their
privilege level or to lower privilege levels. For example, a user account with a privilege level
of 15 can access every command because this is the highest privilege level. A user account
with a privilege level of 0 can access only the commands assigned to level 0.
For example, the following command assigns a privilege level of 10 to the user account
Fwadmin2:
username Fwadmin2 password cspfa2ed privilege 10
If no privilege level is specified, the user account is created with a privilege level of 2. You can
define as many user accounts as you need. To see the privilege level assigned to every command,
including the defaults, use the show running-config privilege all command.
To view the privilege level assignment of a specific command, enter the following command:
show running-config privilege command command
Replace command with the command for which you want to display the assigned privilege
level. For example, the following command displays the command assignment for the
capture command:
PXFW01# show running-config privilege command capture
privilege show level 15 command capture
privilege clear level 15 command capture
privilege configure level 15 command capture
Another useful command is show curpriv, which displays the privilege level of the current
session. The following example shows output from the show curpriv command for a user
named noc_ops. Username indicates the name the user entered when he or she logged in,
P_PRIV indicates that the user has entered the enable command, and P_CONF indicates that
the user has entered the configure terminal command:
PIXFW01(config)# show curpriv
Username : noc_ops
Current privilege level : 15
Current Mode/s : P_PRIV P_CONF
PIXFW01(config)# exit
To move between privilege levels within a session, use the enable privilege-level command
(for example, enable 10) to raise your level and the disable command to drop back; the login
command lets you re-authenticate as a different local user with that user's own privilege level.