Parser Views or Custom Exec Levels?
mistabrumley89
I understand that you can tweak each one to your own liking, but what would be an instance where you would want to use both?
Goals: WGU BS: IT-Sec (DONE) | CCIE Written: In Progress
LinkedIn: www.linkedin.com/in/charlesbrumley
Comments

mistabrumley89
BUMP! Still curious. And I'm also talking about more of a production environment, where an ACS server is used, not a local user database. Thanks!

jude56g
I'm still studying this topic, but I'll attempt to answer since nobody else has.
I think that in most cases you would choose one or the other. In my environment we use custom exec levels because it is easier to implement. I can create a user account with Priv level 4 and give that to the help desk; it's quick and easy and it gives them all the show commands they need. If I wanted to be more granular I could create parser views and specify only particular show commands, but also allow them to enter config mode and perform specific functions like "clear" & "shut" etc.
Using them both at the same time may have some advantage if you combined the two, but I would have to lab that to see how it works...

EdTheLad
An instance to use both would be if you have users that needed to see the complete running-config, but you want to limit their permissions.
Without the parser view, you assign a user an exec level; the user can see all commands but is authorized to a subsection, and the "show running" output will just show sections of config which are authorized.
If you enable a parser view with a subsection of commands, the user can only see those commands on the CLI and therefore, even if they have authorization to more commands, they can't execute them as they don't exist in the parser view.
Example:
If the user is given an exec level of 15, and a parser view including the command "show running", all they can do is see the running config.
Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
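
The two approaches discussed in this thread, side by side, as an added example that is not part of any post above: a custom privilege level and a parser view for a help-desk account. The usernames, the view name HELPDESK and the `<...>` secrets are placeholders, and the local user database stands in for the ACS-backed accounts the thread asks about so that the fragment is self-contained.

```cisco
! Constructed example: usernames, view name and <...> secrets are placeholders.
!
! --- Approach 1: custom exec (privilege) level ---
! Move selected commands down to level 4, then place the account at that level.
privilege exec level 4 show running-config
privilege exec level 4 clear counters
username helpdesk-lvl privilege 4 secret <helpdesk-secret>
!
! --- Approach 2: parser view ---
! Views require AAA and an enable secret. A view is created from the root
! view, which is entered from exec mode with "enable view".
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret <enable-secret>
!
! Only the commands listed under the view exist on the CLI for its users:
! all show commands, one clear command, and shutdown / no shutdown on
! interfaces from configuration mode.
parser view HELPDESK
 secret <view-secret>
 commands exec include all show
 commands exec include clear counters
 commands exec include configure terminal
 commands configure include all interface
 commands interface include shutdown
 commands interface include no shutdown
!
! Bind a local account to the view.
username helpdesk-view view HELPDESK secret <helpdesk-secret>
```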