48
• XML element rule—Controls access to XML elements used for configuring the device.
• OID rule—Controls SNMP access to a MIB node and its child nodes. The path from the root node
to that node is uniquely identified by OID.
A user role can access the set of permitted commands, XML elements, and MIB nodes specified in the
user role rules. The user role rules include predefined (identified by sys-n) and user-defined user role rules.
For more information about the user role rule priority, see "Configuring user role rules."
Resource access policies
Resource access policies control access of user roles to system resources and include the following types:
• Interface policy—Controls access to interfaces.
• VLAN policy—Controls access to VLANs.
Resource access policies do not control access to the interface or VLAN options in the display commands.
You can specify these options in the display commands if the options are permitted by any user role rule.
Predefined user roles
The system provides predefined user roles. These user roles have access to all system resources (interfaces
and VLANs). However, their access permissions differ, as shown in Table 9.
A
mong all of the predefined user roles, only network-admin and level-15 can perform the following tasks:
• Access the RBAC feature.
• Change the settings in user line view, including user-role, authentication-mode, protocol inbound,
and set authentication password.
• Create, modify, and delete local users and local user groups. The other user roles can only modify
their own password if they have permissions to configure local users and local user groups.
Level-0 to level-14 users can modify their own permissions for any commands except for the display
history-command all command.
Table 9 Predefined roles and permissions matrix
User role name Permissions
network-admin
Accesses all features and resources in the system, except for the display
security-logfile summary, info-center security-logfile directory, and
security-logfile save commands.
network-operator
• Accesses the display commands for features and resources in the system.
To display all accessible commands of the user role, use the display role
command.
• Enables local authentication login users to change their own password.
• Accesses the command used for entering XML view.
• Accesses all read-type XML elements.
• Accesses all read-type MIB nodes.
To Next Page
Loading...
Need help?
General
