Parser View vs. Custom Privilege Level

veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Posts: 5,735 Member
I've been reading back through the OCG creating notes and I have a question. Why would you pick a Parser View over a custom privilege level and vice versa?
Currently working on: Linux and Python

Comments

  • DCD Posts: 449 Member
    Parser View allows you to customize the commands you are allowed to execute. With the Parser View you could limit it to just the show command or restrict it to just one or two show commands.
    With Privilege level you are allowed all the commands for that level, no restrictions.
  • Master Of Puppets Posts: 1,210 Member
    It is a lot more flexible and allows you to be more granular while the custom thing is restrictive. However, I don't really see any benefits of using the custom privilege level. It's not like the views are harder to configure, IMO.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Posts: 5,735 Member
    This is what I thought as well. The text wasn't all that thorough on usage so I wanted to hear from those in the field and see how it was being used.
    Currently working on: Linux and Python
  • Vask3n Posts: 517 Member
    I think the main benefit of using Views is that a user can belong to multiple views whereas they can only belong to one Privilege level.
    Working on MS-ISA at Western Governor's University
  • Vask3n Posts: 517 Member
    Vask3n wrote: »
    I think the main benefit of using Views is that a user can belong to multiple views whereas they can only belong to one Privilege level.


    I felt like whipping up this example. I know it's not realistic, but it's basically just showing how you can have one user with multiple views:

    R1(config)#aaa new-
    R1(config)#exit
    R1#enable view
    % Already inside the view root. [I was already in root view]
    R1#conf t
    Enter configuration commands, one per line. End with CNTL/Z.


    R1(config)#parser view Intern
    R1(config-view)#secret Cisco
    R1(config-view)#commands exec include all show
    R1(config-view)#exit


    R1(config)#parser view LAN_ENGINEER
    R1(config-view)#secret Cisco
    R1(config-view)#commands configure include all vlan
    R1(config-view)#exit


    R1(config)#parser view WAN_ENGINEER
    R1(config-view)#secret Cisco
    R1(config-view)#commands configure include all ip
    R1(config-view)#exit

    R1(config)#username adam view WAN_ENGINEER view LAN_ENGINEER secret 0 Cisco
    Working on MS-ISA at Western Governor's University
  • iamme4eva Posts: 272 Member
    That's pretty useful Vask3n, thanks!
    Current objective: CCNA Security
    My blog: mybraindump.co.uk
  • iamme4eva Posts: 272 Member
    I just tried that in GNS3, and it didn't work.

    The command was accepted, but when you do a show run after, it only actually shows the last view you entered on the line...

    so:

    username adam view WAN_ENGINEER view LAN_ENGINEER secret 0 Cisco

    would be

    username adam view LAN_ENGINEER secret 0 Cisco

    in the running config.

    EDIT: That set me off on a google hunt. Turns out you can assign multiple views to a "superview", and then assign a superview to a user.

    parser view VIEW_NAME superview
    view LAN_ENGINEER
    view WAN_ENGINEER
    exit
    username LANWANGUY view VIEW_NAME secret cisco

    Something like that.
    Current objective: CCNA Security
    My blog: mybraindump.co.uk
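
Added example (not part of the original posts and not Cisco's code): a Python check for candidate IOS config text that resolves each username's view, expanding a superview into its member views, and flags the two problems discussed above: several `view` keywords on one `username` line (which the post above reports collapses to the last one) and references to views that are not defined. The sample config, the `NET_ENGINEER` and `HELPDESK` names and the `<hash>` placeholders are constructed.

```python
import re

# Constructed sample (not from a real device); view names follow the thread.
SAMPLE = """\
parser view LAN_ENGINEER
 commands configure include all vlan
parser view WAN_ENGINEER
 commands configure include all ip
parser view NET_ENGINEER superview
 view LAN_ENGINEER
 view WAN_ENGINEER
username lanwanguy view NET_ENGINEER secret 5 <hash>
username adam view WAN_ENGINEER view LAN_ENGINEER secret 5 <hash>
username bob view HELPDESK secret 5 <hash>
"""

def parse_views(config):
    """Return ({view: [command rules]}, {superview: [member views]})."""
    views, supers, current = {}, {}, None
    for line in config.splitlines():
        m = re.match(r"parser view (\S+)( superview)?\s*$", line)
        if m:
            current = m.group(1)
            (supers if m.group(2) else views)[current] = []
        elif not line.startswith(" "):
            current = None  # back at global config level
        elif current in supers and line.split()[:1] == ["view"]:
            supers[current].append(line.split()[1])
        elif current in views and line.split()[:1] == ["commands"]:
            views[current].append(" ".join(line.split()[1:]))
    return views, supers

def audit_users(config):
    """Map username -> (effective command rules, findings)."""
    views, supers = parse_views(config)
    report = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "username":
            continue
        named = [tok[i + 1] for i in range(2, len(tok) - 1) if tok[i] == "view"]
        findings, rules = [], []
        if len(named) > 1:  # per the thread: only the last view on the line sticks
            findings.append("multiple views on one line; only %s kept" % named[-1])
        members = supers.get(named[-1], named[-1:]) if named else []
        for member in members:  # a superview expands to its member views
            if member not in views:
                findings.append("undefined view %s" % member)
            rules += views.get(member, [])
        report[tok[1]] = (rules, findings)
    return report
```

Run it over a change template before pushing: a device's own running config will already have dropped the extra `view` keywords, so that finding only appears in text that has not yet been applied.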
  • Vask3n Posts: 517 Member
    Oh, thanks for checking that out! Kinda like creating an object group of views, I forgot there was the initial step with creating the superview!

    The interesting thing is that if you use context-sensitive help, it does list view as a valid next command after the first view is assigned, but it only takes the last one you entered.
    Working on MS-ISA at Western Governor's University
  • iamme4eva Posts: 272 Member
    Hey, thanks for giving me something to look up! Parser Views was one of those things I just sort of skipped through and thought I just got - but as I've been reading and googling today, I've learned a lot more!
    Current objective: CCNA Security
    My blog: mybraindump.co.uk