3.119.12. AuthorizeGroupAttr

This optional parameter specifies the name of an attribute in the Access-Accept that contains per-command authorisation patterns for authorising TACACS+ commands for this user. Multiple attributes are supported, with each attribute containing one pattern. The format is the same as for the AuthorizeGroup parameter above, excluding the group name. These patterns are processed before any AuthorizeGroup parameters set in the configuration.
As an example, a users file that grants group1 member ‘mikem’ an additional right to use the ping command would look like the one below. The Radiator <ServerTACACSPLUS> clause is configured with GroupMemberAttr OSC-Group-Identifier and AuthorizeGroupAttr OSC-Authorize-Group.
mikem User-Password=fred
      OSC-Group-Identifier = group1,
      OSC-Authorize-Group = "permit service=shell cmd=ping"
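
A matching <ServerTACACSPLUS> clause, as an added example that is not part of the original manual text. The Key value and the two AuthorizeGroup baseline lines for group1 are constructed for illustration, and the example assumes that the first matching pattern decides the outcome.

```conf
# Added example: constructed clause to pair with the users file above.
<ServerTACACSPLUS>
    # Placeholder shared secret (assumption), replace with your own
    Key REPLACE-WITH-TACACS-KEY

    # Access-Accept attribute that carries the user's group name
    GroupMemberAttr OSC-Group-Identifier

    # Access-Accept attribute(s) that carry per-user patterns,
    # one pattern per attribute. These are processed before the
    # AuthorizeGroup lines below.
    AuthorizeGroupAttr OSC-Authorize-Group

    # Constructed baseline for group1: show commands only,
    # everything else denied
    AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
    AuthorizeGroup group1 deny .*
</ServerTACACSPLUS>
```

With this baseline, mikem's per-user permit for ping is checked ahead of group1's final deny, while group1 members without an OSC-Authorize-Group attribute are limited to the show commands. Because the per-user patterns take precedence over the configured group rules, keep them as narrow as the ping pattern above and restrict who can write that attribute in the user database.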