Privilege Level vs Parser View

MikeO5422 Member Posts: 74
I am having some difficulty understanding the difference between a privilege level and a parser view. From what I understand, both allow you to assign commands to a view or privilege level. What is the difference between the two? The book I have really does a poor job at explaining parser views and I am finding very limited information on it. Any ideas?!


    ChooseLife Member Posts: 941
    That's a very good question. The two are generally similar, but parser views are more flexible.

    Privilege levels implement a hierarchy that makes a higher level have access to all commands granted to a lower level, which makes it practically impossible to configure them for more than one non-overlapping role. Parser views are independent from one another and thus are more flexible. Inheritance is possible with parser views (using superviews), but that's a feature, not an unavoidable obstacle.

    One example:

    Role A should only be able to view interface statuses.
    Role B should only be able to view the routing table.
    Role C should be able to view interface statuses and the routing table, and enable/disable interfaces.

    This can be done with parser views in a straightforward manner (and using meaningful labels as an extra bonus), whereas with privilege levels, it's impossible to configure roles A and B in such a way that one wouldn't inherit the other (because one would have a higher level).

    Hope that helps.
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896
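
The three roles from the example above, sketched as Cisco IOS configuration. This is an added example and not part of any forum post; the view names, the placeholder secrets and the level numbers 3 and 5 are assumptions.

```cisco
! --- Privilege levels: roles A and B cannot be kept apart ---
! Levels 3 and 5 are arbitrary choices for this sketch.
privilege exec level 3 show interfaces
privilege exec level 5 show ip route
! A level-5 user (Role B) can also run every level-3 command,
! so Role B inherits "show interfaces" from Role A.
!
! --- Parser views: independent roles ---
! Views need AAA enabled and an enable secret for the root view;
! they are created from the root view ("enable view").
aaa new-model
enable secret <ENABLE-SECRET-PLACEHOLDER>
!
parser view ROLE_A
 secret <ROLE-A-SECRET-PLACEHOLDER>
 commands exec include show interfaces
!
parser view ROLE_B
 secret <ROLE-B-SECRET-PLACEHOLDER>
 commands exec include show ip route
!
! A superview holds views, not commands, so the interface
! enable/disable commands go into a helper view of their own.
parser view ROLE_C_OPS
 secret <ROLE-C-OPS-SECRET-PLACEHOLDER>
 commands exec include configure terminal
 commands configure include interface
 commands interface include shutdown
 commands interface include no shutdown
!
parser view ROLE_C superview
 secret <ROLE-C-SECRET-PLACEHOLDER>
 view ROLE_A
 view ROLE_B
 view ROLE_C_OPS
!
! Check: "enable view ROLE_A", then "?" lists only what the view allows;
! "show parser view" names the currently active view.
```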

    MikeO5422 Member Posts: 74
    That is very helpful and makes a lot of sense. Thank you.
    dredlord Member Posts: 172
    In a nutshell, a view allows you to specify exactly what commands are available; let's say for help desk support you will only grant show commands. A privilege level, on the other hand, will automatically grant access to commands defined at privilege level X and any lower privilege level commands. Hence a view is more granular.
    AMD4EVER Member Posts: 64
    Just ran across this topic after wondering about the difference myself and thought I would do a reply so it would pop up on the forums for others. It is a subtle sort of difference that I can imagine being made into a test question.
    Hondabuff Member Posts: 667
    Parser views get assigned a privilege level. For example, Engineers would have a username and log in locally to the switch that would allow them Priv level 15. A NOC employee would have a username and password "Parser view" that would give them a privilege level of 7, and you would lock out commands such as "configure terminal, reload, etc". Parser views are not scalable and not used in production environments that I ever ran across. Most enterprises will use a Cisco ACS server utilizing TACACS, and you assign Priv levels to a group and assign the person(s) to a group that has the proper permission levels.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln