Permission assignment
Use the following methods to assign permissions to a user role:
Define a set of rules to determine accessible or inaccessible items for the user role. (See "User role rules.")
Configure resource access policies to specify which resources are accessible to the user role. (See "Resource access policies.")
To use a command related to a system resource, a user role must have access to both the command and the resource.
For example, suppose a user role has access to the vlan command but access only to VLAN 10. If you are assigned that user role, you can use the vlan command to create VLAN 10 and enter its view, but you cannot create any other VLAN. Conversely, if the user role has access to VLAN 10 but not to the vlan command, you cannot use the command to enter the view of VLAN 10.
When a user logs in to the device with any user role and enters <?> in a view, help information is displayed for the system-defined command aliases in the view. However, the user might not have the permission to access the command aliases. Whether the user can access the command aliases depends on the user role's permission to the commands corresponding to the aliases. For information about command aliases, see "Using the CLI."
A user that logs in to the device with any user role has access to the system-view, quit, and exit commands.
User role rules
User role rules permit or deny access to commands, XML elements, or MIB nodes. You can define the following types of rules for different access control granularities:
Command rule—Controls access to a command or a set of commands that match a regular expression.
Feature rule—Controls access to the commands of a feature by command type.
Feature group rule—Controls access to the commands of features in a feature group by command type.
XML element rule—Controls access to XML elements used for configuring the device.
OID rule—Controls SNMP access to a MIB node and its child nodes. An OID is a dotted numeric string that uniquely identifies the path from the root node to a leaf node.
The commands, XML elements, and MIB nodes are controlled based on the following types:
Read—Commands, XML elements, or MIB nodes that display configuration and maintenance information. Examples include the display commands and the dir command.
Write—Commands, XML elements, or MIB nodes that configure the features in the system. Examples include the info-center enable command and the debugging command.
Execute—Commands, XML elements, or MIB nodes that execute specific functions. Examples include the ping command and the ftp command.
A user role can access the set of permitted commands, XML elements, and MIB nodes specified in the user role rules. The user role rules include predefined (identified by sys-n) and user-defined user role rules. For more information about the user role rule priority, see "Configuring user role rules."
Resource access policies
Resource access policies control access of a user role to system resources and include the following types:
Interface policy—Controls access to interfaces.
VLAN policy—Controls access to VLANs.
VPN instance policy—Controls access to VPN instances.
Resource access policies do not control access to the interface, VLAN, or VPN instance options in the display commands. You can specify these options in the display commands if the options are permitted by any user role rule.
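As an added example that is not part of this guide, the following Python model (hypothetical, not device code) evaluates a role's command rules and VLAN policy the way the sections above describe: a VLAN command is authorized only when both a command rule and the VLAN policy permit it, the VLAN option of display commands is exempt from the policy, and system-view, quit and exit are always allowed. The rule-priority scheme (highest-numbered matching rule wins) and the role names are assumptions of the model; the guide defers priority to "Configuring user role rules."

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Commands every role may use, as the guide states.
ALWAYS_PERMITTED = {"system-view", "quit", "exit"}


@dataclass
class Role:
    name: str
    # Command rules: (rule number, "permit" or "deny", regex matched against the whole command line).
    command_rules: List[Tuple[int, str, str]] = field(default_factory=list)
    # VLAN policy: None means every VLAN is accessible; otherwise the set of permitted VLAN IDs.
    permitted_vlans: Optional[Set[int]] = None


def command_permitted(role: Role, command: str) -> bool:
    """Evaluate the role's command rules against one command line."""
    if command.split()[0] in ALWAYS_PERMITTED:
        return True
    verdict, winner = False, -1          # no matching rule: access denied
    for number, action, pattern in role.command_rules:
        # Assumption of this model: among matching rules, the highest-numbered one wins.
        if number > winner and re.fullmatch(pattern, command):
            verdict, winner = (action == "permit"), number
    return verdict


def vlan_permitted(role: Role, vlan_id: int) -> bool:
    return role.permitted_vlans is None or vlan_id in role.permitted_vlans


def authorize(role: Role, command: str) -> bool:
    """A VLAN command needs both the command and the VLAN; display options are exempt."""
    if not command_permitted(role, command):
        return False
    match = re.search(r"\bvlan (\d+)\b", command)
    if match is None or command.startswith("display "):
        return True                      # no VLAN resource involved, or a display command
    return vlan_permitted(role, int(match.group(1)))


# Constructed roles mirroring the VLAN 10 example in the text (hypothetical names).
VLAN10_OPERATOR = Role("vlan10-operator",
                       [(1, "permit", r"vlan \d+"), (2, "permit", r"display vlan.*"),
                        (3, "deny", r"vlan 4094")],
                       permitted_vlans={10})
VLAN10_NO_COMMAND = Role("vlan10-no-command", permitted_vlans={10})
```

Running authorize(VLAN10_OPERATOR, "vlan 20") shows the first failure mode from the text (command permitted, resource not), and authorize(VLAN10_NO_COMMAND, "vlan 10") shows the second (resource permitted, command not).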
Predefined user roles
The system provides predefined user roles. These user roles have access to all system resources (interfaces, VLANs, and VPN instances). However, their access permissions differ, as shown in Table 8.
Among all of the predefined user roles, only network-admin and level-15 can create, modify, and delete local users and local user groups. The other user roles can only modify their own passwords if they have permissions to configure local users and local user groups.
The access permissions of the level-0 to level-14 user roles can be modified through user role rules and resource access policies. However, you cannot change the predefined access permissions of these user roles. For example, you cannot change the access permission of these user roles to the display history-command all command.
Table 8: Predefined roles and permissions matrix
User role name | Permissions
---|---
network-admin | Accesses all features and resources in the system, except for the display security-logfile summary, info-center security-logfile directory, and security-logfile save commands.
network-operator |
level-n (n = 0 to 15) |
security-audit | Security log manager. The user role has the following access rights to security log files:
For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see "Managing file systems."
Only the security-audit user role has access to security log files. You cannot assign the security-audit user role to non-AAA authentication users.