Privilege Level vs Parser View
MikeO5422
I am having some difficulty understanding the difference between a privilege level and a parser view. From what I understand, both allow you to assign commands to a view or privilege level. What is the difference between the two? The book I have really does a poor job at explaining parser views and I am finding very limited information on it. Any ideas?!
Comments
ChooseLife
That's a very good question. The two are generally similar, but parser views are more flexible.
Privilege levels implement a hierarchy that makes a higher level have access to all commands granted to a lower level, which makes it practically impossible to configure them for more than one non-overlapping role. Parser views are independent from one another and thus are more flexible. Inheritance is possible with parser views (using superviews), but that's a feature, not an unavoidable obstacle.
One example:
Role A should only be able to view interface statuses
Role B should only be able to view routing table
Role C should be able to view interface statuses, routing table, and enable/disable interfaces.
This can be done with parser views in a straightforward manner (and using meaningful labels as an extra bonus), whereas with privilege levels, it's impossible to configure roles A and B in such a way that one wouldn't inherit the other (because one would have a higher level).
Hope that helps.
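
The three roles from the reply above, written out as an added Cisco IOS configuration sketch (not part of the original thread). The view names and the angle-bracket secrets are placeholders chosen for illustration, and the privilege-level half uses levels 5 and 6 as arbitrary example values.

```ios
! --- Privilege levels: hierarchical, so the roles overlap ---
! Level 6 automatically inherits every command placed at level 5,
! so the "routing only" role can also run show interfaces.
privilege exec level 5 show interfaces
privilege exec level 6 show ip route
enable secret level 5 <LEVEL5_SECRET>
enable secret level 6 <LEVEL6_SECRET>
!
! --- Parser views: independent command sets ---
! Prerequisites: AAA enabled and an enable secret set. Views are
! created from the root view, entered with "enable view".
aaa new-model
enable secret <ENABLE_SECRET>
!
! Role A: interface status only
parser view ROLE_A
 secret <ROLE_A_SECRET>
 commands exec include show interfaces
!
! Role B: routing table only, nothing inherited from ROLE_A
parser view ROLE_B
 secret <ROLE_B_SECRET>
 commands exec include show ip route
!
! Helper view: enable/disable interfaces
parser view IF_ADMIN
 secret <IF_ADMIN_SECRET>
 commands exec include configure terminal
 commands configure include interface
 commands interface include shutdown
 commands interface include no shutdown
!
! Role C: a superview holds no commands of its own, it aggregates
! existing views, so inheritance here is opt-in and explicit.
parser view ROLE_C superview
 secret <ROLE_C_SECRET>
 view ROLE_A
 view ROLE_B
 view IF_ADMIN
```

To check the result, enter each view with `enable view ROLE_A` (and so on) and type `?` at the prompt to list the commands that view exposes.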
MikeO5422
That is very helpful and makes a lot of sense. Thank you.
dredlord
In a nutshell, a view allows you to specify exactly what commands are available; let's say for help desk support you will only grant show commands. A privilege level, on the other hand, will automatically grant access to commands defined at privilege level X and any lower privilege level commands. Hence a view is more granular.
AMD4EVER
Just ran across this topic after wondering about the difference myself and thought I would do a reply so it would pop up on the forums for others. It is a subtle sort of difference that I can imagine being made into a test question.
Hondabuff
Parser views get assigned a privilege level. For example, Engineers would have a username and log in locally to the switch that would allow them Priv level 15. A NOC employee would have a username and password "Parser view" that would give them a Privilege level of 7 and you would lock out commands such as "configure terminal", "reload", etc. Parser views are not scalable and not used in production environments that I ever ran across. Most enterprises will use a Cisco ACS server utilizing TACACS and you assign Priv levels to a group and assign the person(s) to a group that has the proper permission levels.