Permission assignment

Assigning permissions to a user role includes the following:

To use a command related to a resource (an interface, VLAN, or VPN), a user role must have access to both the command and the resource.

For example, a user role has access to the qos apply policy command and access only to interface Ten-GigabitEthernet 1/0/1. With this user role, you can enter the interface view and use the qos apply policy command on the interface. However, you cannot enter the view of any other interface or use the command on any other interface. If the user role has access to any interface but does not have access to the qos apply policy command, you cannot use the command on any interface.
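The role described in this example, written out as an added configuration fragment that is not part of the original guide. The role name qos-operator and the rule numbers are assumed, and the command syntax is the Comware-style RBAC syntax assumed here; check it against the command reference for your software version.

```text
# Added example, not from the guide: a user role that may use qos apply policy
# on Ten-GigabitEthernet 1/0/1 only. Role name and rule numbers are assumed.
system-view
role name qos-operator
 # Command rules: permit entering system view and any interface view, and
 # permit qos apply policy in interface view. Without rule 2, the resource
 # policy alone grants nothing, because access to a command on a resource
 # requires access to both the command and the resource.
 rule 1 permit command system-view ; interface *
 rule 2 permit command system-view ; interface * ; qos apply policy *
 # Resource access policy: deny all interfaces, then permit only one. The view
 # of any other interface cannot be entered even though rule 1 says interface *.
 interface policy deny
  permit interface Ten-GigabitEthernet 1/0/1
  quit
 quit
# Check the effective rules and resource policies of the role.
display role name qos-operator
```

The display commands are not limited by the interface policy; only command rules decide whether interface options can be used in them, as described under "Resource access policies".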

User role rules

User role rules permit or deny access to commands, XML elements, or MIB nodes. You can define the following types of rules for different access control granularities:

The commands, XML elements, and MIB nodes are controlled based on the following types:

A user role can access the set of permitted commands, XML elements, and MIB nodes specified in the user role rules. The user role rules include predefined (identified by sys-n) and user-defined user role rules. For more information about the user role rule priority, see "Configuring user role rules."

Resource access policies

Resource access policies control access of user roles to system resources and include the following types:

Resource access policies do not control access to the interface, VLAN, or VPN options in the display commands. You can specify these options in the display commands if the options are permitted by any user role rule.

Predefined user roles

The system provides predefined user roles. These user roles have access to all system resources (interfaces, VLANs, and VPNs). However, their access permissions differ, as shown in Table 9.

Among all of the predefined user roles, only network-admin and level-15 can perform the following tasks:

The access permissions of the level-0 to level-14 user roles can be modified through user role rules and resource access policies. However, you cannot change the predefined access permissions of these user roles. For example, you cannot change the access permission of these user roles for the display history-command all command.

Table 9: Predefined roles and permissions matrix

User role name

Permissions

network-admin

Accesses all features and resources in the system, except for the display security-logfile summary, info-center security-logfile directory, and security-logfile save commands.

network-operator

  • Accesses the display commands for features and resources in the system. To display all accessible commands of the user role, use the display role command.

  • Enables local authentication login users to change their own password.

  • Accesses the command used for entering XML view.

  • Accesses all read-type XML elements.

  • Accesses all read-type MIB nodes.

level-n (n = 0 to 15)

  • level-0—Has access to diagnostic commands, including ping, quit, ssh2, super, system-view, telnet, and tracert. Level-0 access rights are configurable.

  • level-1—Has access to the display commands of all features and resources in the system except display history-command all. The level-1 user role also has all access rights of the level-0 user role. Level-1 access rights are configurable.

  • level-2 to level-8, and level-10 to level-14—Have no access rights by default. Access rights are configurable.

  • level-9—Has access to most of the features and resources in the system. If you are logged in with a local user account that has a level-9 user role, you can change the password in the local user account. The following are the major features and commands that the level-9 user role cannot access:

    • RBAC non-debugging commands.

    • Local users.

    • File management.

    • Device management.

    • The display history-command all command.

  • level-15—Has the same rights as network-admin.

security-audit

Security log manager. The user role has the following access to security log files:

  • Access to the commands for displaying and maintaining security log files (for example, the dir, display security-logfile summary, and more commands).

  • Access to the commands for managing security log files and the security log file system (for example, the info-center security-logfile directory, mkdir, and security-logfile save commands).

For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see "Managing the file system."

IMPORTANT:

Only the security-audit user role has access to security log files.