ASA limit CLI and ASDM access to specific users
To limit user CLI and ASDM access for users in the local database of a Cisco ASA, perform the following steps:
hostname(config)# aaa authorization exec authentication-server
Enables management authorization for local, RADIUS, LDAP (mapped), and TACACS+ users. Also enables support of administrative user privilege levels from RADIUS, which can be used in conjunction with local command privilege levels for command authorization.
Next, set the service type for each user. By default, the service type is admin, which allows full access to any services specified by the aaa authentication console command. Change it for the specific user as follows:
hostname(config-username)# service-type remote-access
The remote-access keyword denies management access. The user cannot use any services specified by the aaa authentication console LOCAL commands.
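To check the result of the steps above, the following added example (not part of the original page and not Cisco tooling) reads a saved running-config and lists local users still on the default admin service type. The sample configuration, user names, placeholder hashes and the allowed_admins parameter are constructed for illustration.

```python
import re

# Constructed sample of a saved ASA running-config; names and hashes are placeholders.
SAMPLE_CONFIG = """\
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec authentication-server
username admin password PLACEHOLDERHASH1 encrypted privilege 15
username vpnuser1 password PLACEHOLDERHASH2 encrypted
username vpnuser1 attributes
 service-type remote-access
username vpnuser2 password PLACEHOLDERHASH3 encrypted
username vpnuser2 attributes
 vpn-group-policy GP1
"""

def audit(config, allowed_admins):
    """Return (exec_authz_enabled, {user: service_type}, [findings])."""
    users, current, exec_authz = {}, None, False
    for line in config.splitlines():
        if line.startswith("aaa authorization exec "):
            exec_authz = True
        m = re.match(r"username (\S+)", line)
        if m:
            # Top-level "username" line: defines the user or opens its attributes block.
            current = m.group(1)
            users.setdefault(current, "admin")  # per the page, the default is admin
        elif line.startswith(" ") and current:
            # Indented line inside the current user's attributes block.
            m = re.match(r"\s+service-type (\S+)", line)
            if m:
                users[current] = m.group(1)
        else:
            current = None
    findings = []
    if not exec_authz:
        findings.append("aaa authorization exec missing: management authorization is not enabled")
    for user, stype in sorted(users.items()):
        if stype == "admin" and user not in allowed_admins:
            findings.append(f"{user}: service-type admin, management access allowed")
    return exec_authz, users, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, allowed_admins={"admin"})[2]:
        print(finding)
```

Here vpnuser2 is reported because its attributes block has no service-type line, so it keeps the default.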