Permission assignment
Assigning permissions to a user role includes the following:
Define a set of rules to determine accessible or inaccessible items for the user role. (See "User role rules.")
Configure resource access policies to specify which interfaces, VLANs, and VPNs are accessible to the user role. (See "Resource access policies.")
To use a command related to a resource (an interface, VLAN, or VPN), a user role must have access to both the command and the resource.
For example, a user role has access to the qos apply policy command and access only to interface Ten-GigabitEthernet 1/0/1. With this user role, you can enter the interface view and use the qos apply policy command on the interface. However, you cannot enter the view of any other interface or use the command on any other interface. If the user role has access to any interface but does not have access to the qos apply policy command, you cannot use the command on any interface.
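The scenario above worked through as a Comware CLI session. This is an added example, not configuration taken from the original page or from the vendor's own examples: the role name qos-operator, the local user qosop, the password placeholder and the QoS policy name p1 are assumptions, and the command forms follow the Comware 7 RBAC commands as I know them, so check the exact syntax against the command reference for your release.

```text
# Create a user-defined role that may apply QoS policies, but only on Ten-GigabitEthernet 1/0/1.
<Device> system-view
[Device] role name qos-operator

# Command rule: permit entering system view, any interface view, and the qos apply policy command.
# The views along the command path are separated by " ; "; * matches the rest of the line.
[Device-role-qos-operator] rule 1 permit command system-view ; interface * ; qos apply policy *

# Interface policy: deny all interfaces, then permit only the one interface the role may touch.
[Device-role-qos-operator] interface policy deny
[Device-role-qos-operator-ifpolicy] permit interface ten-gigabitethernet 1/0/1
[Device-role-qos-operator-ifpolicy] quit
[Device-role-qos-operator] quit

# Bind the role to a local management user (user name and password are placeholders).
[Device] local-user qosop class manage
[Device-luser-manage-qosop] password simple <replace-with-a-strong-password>
[Device-luser-manage-qosop] service-type ssh
[Device-luser-manage-qosop] authorization-attribute user-role qos-operator
[Device-luser-manage-qosop] quit

# Verify the rules and the interface policy attached to the role.
[Device] display role name qos-operator

# Expected behaviour for a qosop login:
#   interface ten-gigabitethernet 1/0/1   -> allowed: command permitted by rule 1, interface permitted by the policy
#   qos apply policy p1 inbound           -> allowed in that interface view (p1 is an assumed policy name)
#   interface ten-gigabitethernet 1/0/2   -> rejected: the interface policy does not permit this interface
# Removing rule 1 would block qos apply policy on every interface, even though the policy still permits 1/0/1.
```

The interface policy and the command rule are evaluated independently: the policy decides which interface views the role may enter, the rule decides which commands it may run there, and both checks must pass.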
User role rules
User role rules permit or deny access to commands, XML elements, or MIB nodes. You can define the following types of rules for different access control granularities:
Command rule—Controls access to a command or a set of commands that match a regular expression.
Feature rule—Controls access to the commands of a feature by command type.
Feature group rule—Controls access to commands of a group of features by command type.
XML element rule—Controls access to XML elements used for configuring the device.
OID rule—Controls SNMP access to a MIB node and all of its child nodes. An OID is a dotted numeric string that uniquely identifies the path from the root of the MIB tree to the node.
The commands, XML elements, and MIB nodes are controlled based on the following types:
Read—Commands, XML elements, or MIB nodes that display configuration and maintenance information. For example, the display commands and the dir command.
Write—Commands, XML elements, or MIB nodes that configure the features in the system. For example, the info-center enable command and the debugging command.
Execute—Commands, XML elements, or MIB nodes that execute specific functions. For example, the ping command and the ftp command.
A user role can access the set of permitted commands, XML elements, and MIB nodes specified in the user role rules. The user role rules include predefined (identified by sys-n) and user-defined user role rules. For more information about the user role rule priority, see "Configuring user role rules."
Resource access policies
Resource access policies control access of user roles to system resources and include the following types:
Interface policy—Controls access to interfaces.
VLAN policy—Controls access to VLANs.
VPN instance policy—Controls access to VPNs.
Resource access policies do not control access to the interface, VLAN, or VPN options in the display commands. You can specify these options in the display commands if the options are permitted by any user role rule.
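One role that uses every rule type listed under "User role rules" together with the VLAN and VPN instance policies described above, as an added example that is not part of the original page or of the vendor's own examples. The role name l3-ops, the VLAN range, the VPN instance name cust-a and the XML element path are assumptions; the predefined feature groups L2 and L3 and the command forms follow Comware 7 RBAC as I know it, so verify them against the command reference for your release.

```text
<Device> system-view
[Device] role name l3-ops

# Command rule: a regular expression over the full command path; this one permits every display command.
[Device-role-l3-ops] rule 1 permit command display *

# Feature rule: read access (display-type commands) to all features; omitting the feature name means all features.
[Device-role-l3-ops] rule 2 permit read feature

# Feature-group rule: read and write access to the commands of the predefined L3 feature group (Layer 3 features).
[Device-role-l3-ops] rule 3 permit read write feature-group L3

# Command rule that denies one specific command although rule 1 permits all display commands.
# It is numbered above rule 1; see "Configuring user role rules" for how conflicting rules are resolved.
[Device-role-l3-ops] rule 4 deny command display security-logfile *

# XML element rule: read access to a NETCONF XML element (element path assumed).
[Device-role-l3-ops] rule 5 permit read xml-element Interfaces

# OID rule: read access to the MIB-II interfaces subtree and every node below it.
[Device-role-l3-ops] rule 6 permit read oid 1.3.6.1.2.1.2

# VLAN policy: deny all VLANs, then permit only the range this role may configure.
[Device-role-l3-ops] vlan policy deny
[Device-role-l3-ops-vlanpolicy] permit vlan 100 to 199
[Device-role-l3-ops-vlanpolicy] quit

# VPN instance policy: deny all VPN instances, then permit the one customer instance.
[Device-role-l3-ops] vpn-instance policy deny
[Device-role-l3-ops-vpnpolicy] permit vpn-instance cust-a
[Device-role-l3-ops-vpnpolicy] quit
[Device-role-l3-ops] quit

# Verify the result.
[Device] display role name l3-ops

# Expected behaviour for a user with this role:
#   vlan 150                         -> allowed: VLAN 150 is within the permitted range
#   vlan 20                          -> rejected: VLAN 20 is not permitted by the VLAN policy
#   display vlan 20                  -> allowed: resource policies do not restrict the VLAN option of display commands,
#                                       and rule 1 permits the command
#   display security-logfile summary -> rejected by rule 4
#   SNMP get on 1.3.6.1.2.1.2.2.1.7  -> readable: it lies under the subtree permitted by rule 6
```

The deny policies plus explicit permit lists are the least-privilege pattern: a role starts with no resources and gains exactly the VLANs and VPN instances its operators need, while read-only visibility through display commands is left to the command rules.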
Predefined user roles
The system provides predefined user roles. These user roles have access to all system resources (interfaces, VLANs, and VPNs). However, their access permissions differ, as shown in Table 9.
Among all of the predefined user roles, only network-admin and level-15 can perform the following tasks:
Access the RBAC feature.
Change the settings in user line view, including user-role, authentication-mode, protocol inbound, and set authentication password.
Create, modify, and delete local users and local user groups. The other user roles can only modify their own password if they have permissions to configure local users and local user groups.
The access permissions of the level-0 to level-14 user roles can be modified through user role rules and resource access policies. However, you cannot change the predefined access permissions of these user roles. For example, you cannot change whether these user roles can access the display history-command all command.
Table 9: Predefined roles and permissions matrix

User role name | Permissions
---|---
network-admin | Accesses all features and resources in the system, except for the display security-logfile summary, info-center security-logfile directory, and security-logfile save commands.
network-operator |
level-n (n = 0 to 15) |
security-audit | Security log manager. The user role has the following access to security log files: Only the security-audit user role has access to security log files. For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see "Managing the file system."