Parser View vs. Custom Privilege Level
veritas_libertas Member Posts: 5,746
I've been reading back through the OCG creating notes and I have a question. Why would you pick a Parser View over a custom privilege level and vice versa?
Comments
-
DCD Member Posts: 475
Parser View allows you to customize the commands you are allowed to execute. With the Parser View you could limit it to just the show command or restrict it to just one or two show commands.
With Privilege level you are allowed all the commands for that level, no restrictions.
-
Master Of Puppets Member Posts: 1,210
It is a lot more flexible and allows you to be more granular while the custom thing is restrictive. However, I don't really see any benefits of using the custom privilege level. It's not like the views are harder to configure, IMO.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
-
veritas_libertas Member Posts: 5,746
This is what I thought as well. The text wasn't all that thorough on usage so I wanted to hear from those in the field and see how it was being used.
-
Vask3n Member Posts: 517
I think the main benefit of using Views is that a user can belong to multiple views whereas they can only belong to one Privilege level.
I felt like whipping up this example. I know it's not realistic, but it's basically just showing how you can have one user with multiple views:
R1(config)#aaa new-model
R1(config)#exit
R1#enable view
% Already inside the view root. [I was already in root view]
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#parser view Intern
R1(config-view)#secret Cisco
R1(config-view)#commands exec include all show
R1(config-view)#exit
R1(config)#parser view LAN_ENGINEER
R1(config-view)#secret Cisco
R1(config-view)#commands configure include all vlan
R1(config-view)#exit
R1(config)#parser view WAN_ENGINEER
R1(config-view)#secret Cisco
R1(config-view)#commands configure include all ip
R1(config-view)#exit
R1(config)#username adam view WAN_ENGINEER view LAN_ENGINEER secret 0 Cisco
Working on MS-ISA at Western Governor's University
-
iamme4eva Member Posts: 272
That's pretty useful Vask3n, thanks!
Current objective: CCNA Security
My blog: mybraindump.co.uk
-
iamme4eva Member Posts: 272
I just tried that in GNS3, and it didn't work.
The command was accepted, but when you do a show run after, it only actually shows the last view you entered on the line...
so:
username adam view WAN_ENGINEER view LAN_ENGINEER secret 0 Cisco
would be
username adam view LAN_ENGINEER secret 0 Cisco
in the running config.
EDIT: That set me off on a google hunt. Turns out you can assign multiple views to a "superview", and then assign a superview to a user.
parser view VIEW_NAME superview
view LAN_ENGINEER
view WAN_ENGINEER
exit
username LANWANGUY view VIEW_NAME secret cisco
Something like that.
Current objective: CCNA Security
My blog: mybraindump.co.uk
-
Vask3n Member Posts: 517
Oh, thanks for checking that out! Kinda like creating an object group of views, I forgot there was the initial step with creating the superview!
The interesting thing is that if you use context-sensitive help, it does list view as a valid next command after the first view is assigned, but it only takes the last one you entered.
Working on MS-ISA at Western Governor's University
-
iamme4eva Member Posts: 272
Hey, thanks for giving me something to look up! Parser Views was one of those things I just sort of skipped through and thought I just got - but as I've been reading and googling today, I've learned a lot more!
Current objective: CCNA Security
My blog: mybraindump.co.uk
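
The behaviour reported in the thread (only the last view typed on a username line is kept, and a superview is what actually combines views), as an added example that is not part of any post: a Python lint for a config snippet before it is pasted into a router. The superview name LANWAN, the user lanwanguy and the sample text are constructed, and the last-view-wins rule is an assumption taken from the GNS3 observation above.

```python
import re

# Constructed sample: the thread's views plus a superview (secret lines omitted for brevity).
SAMPLE = """\
parser view LAN_ENGINEER
 commands configure include all vlan
parser view WAN_ENGINEER
 commands configure include all ip
parser view LANWAN superview
 view LAN_ENGINEER
 view WAN_ENGINEER
username adam view WAN_ENGINEER view LAN_ENGINEER secret 0 Cisco
username lanwanguy view LANWAN secret 0 Cisco
"""

def parse(config):
    """Return (views, users); views maps name -> commands and superview members."""
    views, users, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"parser view (\S+)", line):
            current = views.setdefault(m.group(1), {"commands": [], "members": []})
        elif line.startswith("username "):
            current = None
            users[line.split()[1]] = re.findall(r"\bview (\S+)", line)
        elif current is not None and line.startswith("commands "):
            current["commands"].append(line[len("commands "):])
        elif current is not None and line.startswith("view "):
            current["members"].append(line.split()[1])
    return views, users

def effective(view, views):
    """Commands a view grants, expanding the member views of a superview."""
    v = views.get(view, {"commands": [], "members": []})
    cmds = list(v["commands"])
    for member in v["members"]:
        cmds += effective(member, views)
    return cmds

def audit(config):
    """Per user: the view kept (assumed: last one typed), dropped views, commands."""
    views, users = parse(config)
    report = {}
    for user, typed in users.items():
        kept = typed[-1] if typed else None
        report[user] = {"kept": kept, "dropped": typed[:-1],
                        "commands": effective(kept, views) if kept else []}
    return report
```

A non-empty `dropped` list marks a username line where the author expected more access than the running config will grant.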