51
Assigning user roles
To control user access to the system, you must assign a minimum of one user role. Make sure a
minimum of one user role among the user roles assigned by the server exists on the device. User
role assignment procedure varies for remote AAA authentication users, local AAA authentication
users, and non-AAA authentication users (see "Assigning user roles"). For more information about
AAA authentication, see Security Configuration Guide.
Enabling the default user role feature
The default user role feature assigns the default user role to AAA-authenticated users if the AAA
server does not authorize any user roles to the users. These users are allowed to access the system
with the default user role.
You can specify any user role existing in the system as the default user role.
To enable the default user role feature for AAA authentication users:
1. Enter system view.
system-view
N/A
2.
role feature.
role default-role enable
[ role-name ]
By default, t
feature is disabled.
If the
none
used for local users, you must enable
the default user role feature.
Assigning user roles to remote AAA authentication users
For remote AAA authentication users, user roles are configured on the remote authentication server.
For information about configuring user roles for RADIUS users, see the RADIUS server
documentation. For HWTACACS users, the role configuration must use the roles="role-1 role-2 …
role-n" format, where user roles are space separated. For example, configure roles="level-0
level-1 level-2" to assign level-0, level-1, and level-2 to an HWTACACS user.
If the AAA server assigns the security-audit user role and other user roles to the same user, only the
security-audit user role takes effect.
To be compatible with privilege-based access control, the device automatically converts
privilege-based user levels (0 to 15) assigned by an AAA server to RBAC user roles (level-0 to
level-15).
If the AAA server assigns a privilege-
based user level and a user role to a user, the user can use
the collection of commands and resources accessible to both the user level and the user role.
Assigning user roles to local AAA authentication users
Configure user roles for local AAA authentication users in their local user accounts. Every local user
has a default user role. If this default user role is not suitable, delete the default user role.
If a local user is the only user with the security-audit user role, the user cannot be deleted.
The security-audit user role is mutually exclusive with other user roles.
To Next Page
Loading...
Need help?
General