Configuring RBAC
Overview
Role-based access control (RBAC) controls user access to items and system resources based on
user roles. In this chapter, items include commands, XML elements, and MIB nodes, and system
resources include interfaces, VLANs, and VPN instances.
RBAC assigns access permissions to user roles that are created for different job functions. Users are
given permission to access a set of items and resources based on the users' user roles. Because
user roles are static in contrast to users, separating permissions from users enables simple
permission authorization management. You only need to change the user role permissions, remove
user roles, or assign new user roles in case of user changes. For example, you can change the user
role permissions or assign new user roles to change the job responsibilities of a user.
Permission assignment
Use the following methods to assign permissions to a user role:
• Define a set of rules to determine accessible or inaccessible items for the user role. (See "User
role rules.")
• Configure resource access policies to specify which interfaces, VLANs, and VPNs are
accessible to the user role. (See "Resource access policies.")
To use a command related to a resource (an interface, VLAN, or VPN), a user role must have access
to both the command and the resource.
For example, a user role has access to the qos apply policy command and access only to interface
GigabitEthernet 1/0/1. With this user role, you can enter the interface view and use the qos apply
policy command on the interface. However, you cannot enter the view of any other interface or use
the command on any other interface. If the user role has access to any interface but does not have
access to the qos apply policy command, you cannot use the command on any interface.
User role rules
User role rules permit or deny access to commands, XML elements, or MIB nodes. You can define
the following types of rules for different access control granularities:
• Command rule—Controls access to a command or a set of commands that match a regular
expression.
• Feature rule—Controls access to the commands of a feature by command type.
• Feature group rule—Controls access to commands of a group of features by command type.
• XML element rule—Controls access to XML elements used for configuring the device.
• OID rule—Controls SNMP access to a MIB node and its child nodes. An OID is a dotted
numeric string that uniquely identifies the path from the root node to a leaf node.
The commands, XML elements, and MIB nodes are controlled based on the following types:
• Read—Commands, XML elements, or MIB nodes that display configuration and maintenance
information. For example, the display commands and the dir command.
• Write—Commands, XML elements, or MIB nodes that configure the features in the system. For
example, the info-center enable command and the debugging command.
• Execute—Commands, XML elements, or MIB nodes that execute specific functions. For
example, the ping command and the ftp command.