Continuing with Section 8 ...

   Privilege Levels are ordered values from 0 to 15 with each level
   representing a privilege level that is a superset of the next lower
   value.

* nit: perhaps this could be "each level is defined to be a superset of
  the next lower value", instead of "representing".

   If a client uses a different privilege level scheme, then it must map
   the privilege level to scheme above.

* editorial: "... to A scheme..."
* and how is mapping done? It might be better to just omit that sentence.

   Privilege Levels are applied in two ways in the TACACS+ protocol:

* nit: perhaps "used" instead of "applied"

   -  As an argument in authorization EXEC phase (when service=shell and
      cmd=NULL), where it is primarily used to set the initial privilege
      level for the EXEC session.

* how does that work? And what does it mean to set an initial privilege
  level?

   -  In the packet headers for Authentication, Authorization and
      Accounting. The privilege level in the header is primarily
      significant in the Authentication phase for enable authentication
      where a different privilege level is required.

* again, how does that work? Additional text would be useful. e.g.

   In typical use-cases, an administrator can perform a series of
   commands at a low privilege level. When additional privileges are
   required, the administrator can authenticate at the desired level,
   perform a series of commands, and then drop the privilege level to
   the lower one. This methodology minimizes possible errors by using
   high privilege levels only when necessary, and using low privilege
   levels for most commands.

* expanding on the use-case and work flow would be of great benefit.

   The use of Privilege levels to determine session-based access to
   commands and resources is not mandatory for clients, but it is in
   common use so SHOULD be supported by servers.

* and clients, presumably? Perhaps instead, say:

   It is RECOMMENDED that clients and servers use Privilege levels to
   signal and control session-based access. It is RECOMMENDED that
   clients permit users to change their Privilege levels, so as to
   ensure that commands are executed with the minimum Privilege level
   required.

9. TACACS+ Security Considerations

* there is a lot which can be said here. My proposal here is a
  substantial amount of text. I'll include it in another message

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
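The privilege-level workflow the review asks the draft to spell out (an initial level set in the authorization EXEC phase, a raise via enable authentication, commands checked against the level in force, then a drop back to the lower level) can be modelled in a few dozen lines. The block below is an added example written for this page; it is not text or code from the draft, the reviewer, or any TACACS+ implementation. The per-command minimum levels, the three-tier role scheme that is mapped onto 0-15, and the "enable" credential check are all constructed assumptions used only to illustrate the ordering and superset semantics the review discusses.

```python
"""Model of TACACS+ privilege-level handling (added illustration, not from the draft).

Assumptions (constructed for this example):
  * the authorization EXEC phase (service=shell, cmd=NULL) yields the initial level;
  * each command carries a minimum privilege level in a hypothetical server policy;
  * raising the level requires a fresh (enable) authentication, lowering does not.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MIN_LEVEL, MAX_LEVEL = 0, 15

# Constructed policy: minimum privilege level each command requires.
COMMAND_MIN_LEVEL = {
    "show version": 1,
    "show running-config": 7,
    "configure terminal": 15,
    "reload": 15,
}

# Constructed example of "a different privilege level scheme" on a client:
# a three-tier role model that must be mapped onto the 0..15 ordering.
ROLE_TO_LEVEL = {"viewer": 1, "operator": 7, "admin": 15}


def map_role(role: str) -> int:
    """Map a foreign role name onto the 0..15 scheme; unknown roles get the minimum."""
    return ROLE_TO_LEVEL.get(role, MIN_LEVEL)


def level_allows(session_level: int, required: int) -> bool:
    """Levels are ordered: level N is a superset of every lower level."""
    return MIN_LEVEL <= required <= session_level <= MAX_LEVEL


@dataclass
class Session:
    user: str
    level: int
    audit: List[str] = field(default_factory=list)


def exec_authorization(user: str, initial_level: int) -> Session:
    """Authorization EXEC phase: the server's reply fixes the session's starting level."""
    level = max(MIN_LEVEL, min(MAX_LEVEL, initial_level))
    return Session(user=user, level=level, audit=[f"exec start priv-lvl={level}"])


def enable_authentication(session: Session, target_level: int, credentials_ok: bool) -> bool:
    """Enable authentication: moving to a higher level needs a successful re-authentication."""
    if not MIN_LEVEL <= target_level <= MAX_LEVEL:
        session.audit.append(f"enable to {target_level} rejected: out of range")
        return False
    if target_level <= session.level:
        session.level = target_level          # lowering never needs credentials
        session.audit.append(f"priv-lvl lowered to {target_level}")
        return True
    if not credentials_ok:
        session.audit.append(f"enable to {target_level} denied: authentication failed")
        return False
    session.level = target_level
    session.audit.append(f"enable to {target_level} granted")
    return True


def authorize_command(session: Session, cmd: str) -> bool:
    """Per-command authorization against the level currently in force."""
    required: Optional[int] = COMMAND_MIN_LEVEL.get(cmd)
    if required is None:
        session.audit.append(f"deny '{cmd}': no policy entry")
        return False
    ok = level_allows(session.level, required)
    session.audit.append(f"{'permit' if ok else 'deny'} '{cmd}' (need {required}, have {session.level})")
    return ok


def admin_workflow() -> tuple:
    """The workflow the review describes: low level, raise when needed, drop back."""
    s = exec_authorization("alice", map_role("viewer"))       # starts at 1
    results = [authorize_command(s, "show version"),          # True
               authorize_command(s, "configure terminal")]    # False at level 1
    enable_authentication(s, 15, credentials_ok=True)          # raise to 15
    results.append(authorize_command(s, "configure terminal"))  # True
    enable_authentication(s, 1, credentials_ok=False)          # drop: no credentials needed
    results.append(authorize_command(s, "reload"))             # False again at level 1
    return results, s.level


if __name__ == "__main__":
    outcome, final_level = admin_workflow()
    print(outcome, final_level)
```

The audit list on each Session is where a defender gets value from this model: every raise, drop and deny is recorded with the level that was in force, which is exactly the accounting record needed to check that high-privilege commands were only run inside an explicitly authenticated window.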