ASA limit CLI and ASDM access to specific users
To limit user CLI and ASDM access for users in the local database of a Cisco ASA, perform the following steps:
aaa authorization exec authentication-server
Enables management authorization for local, RADIUS, LDAP (mapped), and TACACS+ users. Also enables support of administrative user privilege levels from RADIUS, which can be used in conjunction with local command privilege levels for command authorization.
Next, set the service-type for each user. By default, the service-type is admin, which allows full access to any services specified by the aaa authentication console command. This must be changed like so for the specific user:
hostname(config-username)# service-type remote-access
The remote-access keyword denies management access. The user cannot use any services specified by the aaa authentication console LOCAL commands.
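To check that the two steps above actually took effect, the following added example (not part of the original page or of any Cisco tooling) parses a saved running-config and lists the local users who still have management access. The sample configuration, usernames, password placeholders and function names are constructed for illustration; the script assumes the service-type restriction is only enforced once aaa authorization exec is configured.

```python
import re

# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec authentication-server
username admin password AAAAAAAAAAAAAAAA encrypted privilege 15
username vpnuser1 password BBBBBBBBBBBBBBBB encrypted privilege 0
username vpnuser1 attributes
 service-type remote-access
username vpnuser2 password CCCCCCCCCCCCCCCC encrypted privilege 0
username vpnuser2 attributes
 vpn-group-policy RA-POLICY
"""

def audit_management_access(config_text):
    """Return (exec_authz_enabled, {username: service_type})."""
    exec_authz = False
    users = {}
    current = None  # user whose "attributes" sub-mode we are inside
    for raw in config_text.splitlines():
        if not raw.startswith(" "):
            current = None  # an unindented line ends the sub-mode
        line = raw.strip()
        if line.startswith("aaa authorization exec "):
            exec_authz = True
        m = re.match(r"username (\S+) (\S+)", line)
        if m and not raw.startswith(" "):
            # Default service-type is admin, as the page states.
            users.setdefault(m.group(1), "admin")
            if m.group(2) == "attributes":
                current = m.group(1)
            continue
        m = re.match(r"service-type (\S+)", line)
        if m and current:
            users[current] = m.group(1)
    return exec_authz, users

def users_with_management_access(config_text):
    exec_authz, users = audit_management_access(config_text)
    # Assumption: without management authorization the service-type is
    # not enforced, so every local user is reported.
    return sorted(u for u, st in users.items() if not exec_authz or st != "remote-access")

if __name__ == "__main__":
    print(users_with_management_access(SAMPLE_CONFIG))
```

In the sample, vpnuser2 is reported because its attributes block sets no service-type, so it keeps the admin default.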