System information

Cisco Cat3K ST 6 June 2012
TOE SFRs How the SFR is Met
time threshold.
FDP_ACC.2/FDP_ACF.1
FMT_SMR.1
The TOE switch platform maintains administrative privilege levels and non-
administrative access. Non-administrative access is granted to authenticated
neighbor routers solely so that they can receive updated routing tables per the
information flow rules; no other access or functions are associated with
non-administrative access. The administrative privilege levels are as follows:
Administrators are assigned to privilege levels 0 and 1. Privilege levels
0 and 1 are defined by default and are customizable. These levels have
a very limited scope, with access to CLI commands for basic functions such as
logging in, showing running system information, turning privileged commands
on or off, and logging out.
Semi-privileged administrators equate to any privilege level that has a
subset of the privileges assigned to level 15 (levels 2-14). These levels
are undefined by default and are customizable. The privileges of a custom
level are explained in the example below.
Privileged administrators have full administrative access to the CLI, which
is the default access for IOS privilege level 15.
Note, the levels are not hierarchical.
Level 0 is the most restrictive and level 15 the least restrictive.
By default, level 0 has five commands associated with it: disable, enable,
exit, help, and logout. The level can, however, be configured to give a user
access to the show command as well.
Level 1 is normal EXEC-mode user privileges.
The following describes the rules for setting privilege levels on commands and
assigning users to those privilege levels, with an example. Note that the
administrator needs to have the appropriate privilege level, or the applicable
enable password, to execute a command.
When setting the privilege level for a multi-word command, the commands
consisting of its leading words are also set to the specified level. For
example, if the show ip route command is set to level 15, the show command and
the show ip command are automatically set to privilege level 15, unless they
are individually set to different levels. This is necessary because a user
cannot execute, for example, the show ip command unless the user also has
access to the show command.
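The rules above as an IOS configuration, including the side effect of the multi-word rule on the show command and its correction. This is an added example, not text from the Security Target or a Cisco-supplied configuration; the level number 5, the user name netops and the secret values are assumptions chosen for illustration.

```cisco
! Added example (assumed values). Define a custom level 5 that may view the
! routing table but not enter configuration mode.
privilege exec level 5 show ip route
! Because of the multi-word rule, "show" and "show ip" are now also at level 5,
! so a level 1 user would lose the show command entirely. Put the two prefixes
! back at level 1; "show ip route" keeps its individually set level 5.
privilege exec level 1 show
privilege exec level 1 show ip
! Password required by "enable 5" to reach level 5 from a lower level
! (assumed value).
enable secret level 5 Lvl5-example-secret
! Password for full access at level 15 (assumed value).
enable secret Lvl15-example-secret
! Local user that lands directly at level 5 on login (assumed name and value).
username netops privilege 5 secret netops-example-pw
line vty 0 4
 login local
```

After logging in as netops, show privilege reports the current level, show ip route is accepted, and configure terminal is rejected because it remains a level 15 command. A level 1 user can still run show and show ip but not show ip route.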
To change the privilege level of a group of commands, the all keyword is used.
When a group of commands is set to a privilege level using the all keyword, all
commands that match the beginning string are enabled for that level, and all
commands available in submodes of that command are enabled for that level as
well. For example, if show ip is set to level 5 with the all keyword, show and
show ip are changed to level 5, as are all the options that follow the show ip string