Permission assignment

Use the following methods to assign permissions to a user role:

• Define a set of rules to determine accessible or inaccessible items for the user role. (See "User role rules.")

• Configure resource access policies to specify which resources are accessible to the user role. (See "Resource access policies.")

To use a command related to a system resource, a user role must have access to both the command and the resource.

For example, a user role has access to the vlan command and access only to VLAN 10. When the user role is assigned, you can use the vlan command to create VLAN 10 and enter its view. However, you cannot create any other VLANs. If the user role has access to VLAN 10 but does not have access to the vlan command, you cannot use the command to enter the view of VLAN 10.

When a user logs in to the device with any user role and enters <?> in a view, help information is displayed for the system-defined command aliases in the view. However, the user might not have the permission to access the command aliases. Whether the user can access the command aliases depends on the user role's permission to the commands corresponding to the aliases. For information about command aliases, see "Using the CLI."

A user that logs in to the device with any user role has access to the system-view, quit, and exit commands.

User role rules permit or deny access to commands, XML elements, or MIB nodes. You can define the following types of rules for different access control granularities:

• Command rule—Controls access to a command or a set of commands that match a regular expression.

• Feature rule—Controls access to the commands of a feature by command type.

• Feature group rule—Controls access to the commands of features in a feature group by command type.

• XML element rule—Controls access to XML elements used for configuring the device.

• OID rule—Controls SNMP access to a MIB node and its child nodes. An OID is a dotted numeric string that uniquely identifies the path from the root node to a leaf node.

The commands, XML elements, and MIB nodes are controlled based on the following types:

• Read—Commands, XML elements, or MIB nodes that display configuration and maintenance information. For example, the display commands and the dir command.

• Write—Commands, XML elements, or MIB nodes that configure the features in the system. For example, the info-center enable command and the debugging command.

• Execute—Commands, XML elements, or MIB nodes that execute specific functions. For example, the ping command and the ftp command.

A user role can access the set of permitted commands, XML elements, and MIB nodes specified in the user role rules. The user role rules include predefined (identified by sys-n) and user-defined user role rules. For more information about the user role rule priority, see "Configuring user role rules."

Resource access policies control access of a user role to system resources and include the following types:

• Interface policy—Controls access to interfaces.

• VLAN policy—Controls access to VLANs.

• VPN instance policy—Controls access to VPN instances.

Resource access policies do not control access to the interface, VLAN, or VPN instance options in the display commands. You can specify these options in the display commands if the options are permitted by any user role rule.

The system provides predefined user roles. These user roles have access to all system resources (interfaces, VLANs, and VPN instances). However, their access permissions differ, as shown in Table 8.

Among all of the predefined user roles, only network-admin and level-15 can perform the following tasks:

• Access the RBAC feature.

• Change the settings in user line view, including the user-role, authentication-mode, protocol inbound, and set authentication password commands.

• Create SNMP communities, users, and groups by using the snmp-agent community, snmp-agent usm-user, and snmp-agent group commands, respectively.

• Create, modify, and delete local users and local user groups. The other user roles can only modify their own passwords if they have permissions to configure local users and local user groups.

The access permissions of the level-0 to level-14 user roles can be modified through user role rules and resource access policies. However, you cannot make changes on the predefined access permissions of these user roles. For example, you cannot change the access permission of these user roles to the display history-command all command.

User role name	Permissions
network-admin	Accesses all features and resources in the system, except for the display security-logfile summary, info-center security-logfile directory, and security-logfile save commands.
network-operator	Accesses the display commands for features and resources in the system. To display all accessible commands of the user role, use the display role command. Enables local authentication login users to change their own passwords. Accesses the command used for entering XML view. Accesses all read-type XML elements. Accesses all read-type MIB nodes.
level-n (n = 0 to 15)	level-0—Has access to diagnostic commands, including ping, tracert, ssh2, telnet, and super. Level-0 access rights are configurable. level-1—Has access to the display commands of all features and resources in the system except for display history-command all. The level-1 user role also has all access rights of the level-0 user role. Level-1 access rights are configurable. level-2 to level-8, and level-10 to level-14—Have no access rights by default. Access rights are configurable. level-9—Has access to most of the features and resources in the system. If you are logged in with a local user account that has a level-9 user role, you can change the password in the local user account. The following are the major features and commands that the level-9 user role cannot access: RBAC non-debugging commands. Local users. File management. Device management. The display history-command all command. level-15—Has the same rights as network-admin.
security-audit	Security log manager. The user role has the following access rights to security log files: Accesses the commands for displaying and maintaining security log files (for example, the dir, display security-logfile summary, and more commands). Accesses the commands for managing security log files and security log file system (for example, the info-center security-logfile directory, mkdir, and security-logfile save commands). For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see "Managing the file system." IMPORTANT: Only the security-audit user role has access to security log files. You cannot assign the security-audit user role to non-AAA authentication users.