45
A user role can access the set of permitted commands, XML elements, and MIB nodes specified in
the user role rules. The user role rules include predefined (identified by sys-n) and user-defined user
role rules. For more information about the user role rule priority, see "Configuring user role rules."
Resource access policies
Resource access policies control access of user roles to system resources and include the following
types:
Interface policy—Controls access to interfaces.
VLAN policy—Controls access to VLANs.
VPN instance policy—Controls access to VPNs.
Resource access policies do not control access to the interface, VLAN, or VPN options in the
display commands. You can specify these options in the display commands if the options are
permitted by any user role rule.
Predefined user roles
The system provides predefined user roles. These user roles have access to all system resources
(interfaces, VLANs, and VPNs). However, their access permissions differ, as shown in Table 10.
Among all of the predefined user roles, only network-admin, and level-15 can perform the following
tasks:
Access the RBAC feature.
Change the settings in user line view, including user-role, authentication-mode, protocol
inbound, and set authentication password.
Create, modify, and delete local users and local user groups. The other user roles can only
modify their own password if they have permissions to configure local users and local user
groups.
Level-0 to level-14 users can modify their own permissions for any commands except for the display
history-command all command.
Table 10 Predefined roles and permissions matrix
network-admin
Accesses all features and resources in the system, except for the
display
security-logfile summary
,
info-center security-logfile directory
, and
security-logfile save
commands.
network-operator
• Accesses the display commands for features and resources in the
system.
To display all accessible commands of the user role, use the
display role command.
•
Enables local authentication login users to change their own
password.
• Accesses the command used for entering XML view.
• Accesses all read-type XML elements.
• Accesses all read-type MIB nodes.
level-n (n = 0 to 15)
• level-0—Has access to diagnostic commands, including ping, quit,
ssh2, super, system-view, telnet, and tracert. Level-0 access
rights are configurable.
• level-1—Has access to the display commands of all features and
resources in the system except display history-command all. The
level-1 user role also has all access rights of the level-0 user role.
Level-1 access rights are configurable.
• level-2 to level-8, and level-10 to level-14—Have no access rights
by default. Access rights are configurable.
• level-9—Has access to all features and resources except those in
the following list. If you are logged in with a local user account that
has a level-9 user role, you can change the password in the local
To Next Page
Loading...
Need help?
General