51
• Write—Commands and XML elements that configure the features in the system. For example, the
info-center enable command and the debugging command.
• Execute—Commands and XML elements that execute specific functions. For example, the ping
command and the ftp command.
A user role can access the set of permitted commands and XML elements specified in its rules. The user
role rules include predefined (identified by sys-n) and user-defined user role rules.
Resource access policies
Resource access policies control access of user roles to system resources and include the following types:
• Interface policy—Controls access to interfaces.
• VLAN policy—Controls access to VLANs.
• VPN instance policy—Controls access to VPNs.
Resource access policies do not control access to the interface, VLAN, or VPN options in the display
commands. You can specify these options in the display commands if they are permitted by any user role
rule.
Predefined user roles
The system provides 19 predefined user roles. All these user roles have access to all system resources
(interfaces, VLANs, and VPNs), but their command access permissions differ, as shown in Table 9.
Am
ong all the predefined user roles, only network-admin, and level-15 can perform the following
operations:
• Access the RBAC feature.
• Change the settings in user line view, including user-role, authentication-mode, protocol, and set
authentication password.
• Create, modify, and delete local users and local user groups. The other user roles can only modify
their own passwords if they have permissions to configure local users and local user groups.
Level-0 to level-14 users can modify their own permissions for any commands except for the display
history-command all command.
Table 9 Predefined roles and permissions matrix
User role name Permissions
network-admin
Accesses all features and resources in the system, except for the display
security-logfile summary, info-center security-logfile directory, and
security-logfile save commands.
network-operator
• Accesses the display commands for all features and resources in the
system, except for the display history-command all and display
security-logfile summary commands. To display all accessible
commands of the user role, use the display role name network-operator
command.
• Enables local authentication login users to change their own passwords.
• Accesses the command used for entering XML view.
• Accesses all read-type XML elements.
To Next Page
Loading...
Need help?
General
