ASA limit CLI and ASDM access to specific users

To limit user CLI and ASDM access for users in the local database of a Cisco ASA, perform the following steps:

aaa authorization exec authentication-server

Enables management authorization for local, RADIUS, LDAP (mapped), and TACACS+ users. Also enables support of administrative user privilege levels from RADIUS, which can be used in conjunction with local command privilege levels for command authorization.

Next, set the service-type for each user. By default, the service type is admin, which allows full access to any services specified by the aaa authentication console command. This must be changed like so for the specific user:

hostname(config-username)# service-type remote-access

The remote-access keyword denies management access. The user cannot use any services specified by the aaa authentication console LOCAL commands.