This configuration will allow you users to connect to the appliance using SSH, and authenticate themselves into enable mode.
!— Configure user
username MyUser password
!— Configure SSH-authentication to query the local user database of the appliance
aaa authentication ssh console LOCAL
!— Access restrictions based on IP
!— ssh <IP> <Mask> <Interface>
ssh 220.127.116.11 255.255.255.255 inside
ssh 172.20.20.0 255.255.255.0 Mgmt
!— Default SSH timeout is 5 minutes, so you may want to increase it a tad
ssh timeout 15
!— DONE… almost.
If you also configure VPN users in local user database, all the users get access to the appliance and you may want to restrict this access.
This is done by command authorization.
!— Command authorization for console connections
aaa authorization exec LOCAL
!— Configure user-access
!— service-type admin gives full access (ASDM, SSH, HTTPS, etc)
!— service-type nas-prompt gives CLI-access
!— service-type remote-access denies all management-access, but may connect using VPN.
username MyUser attributes
!— In order to keep the enable password secret, we want the users to authenticate themselves into elevated mode as well.
aaa authentication enable console LOCAL