17 Configuring RBAC
Overview
Role-based access control (RBAC) controls user access to items and system resources based on
user roles. In this chapter, items include commands, Web pages, XML elements, and MIB nodes,
and system resources include interfaces, VLANs, and VPN instances.
RBAC assigns access permissions to user roles that are created for different job functions. A user is granted access to a set of items and resources according to the user roles assigned to that user. Because user roles are more static than users, separating permissions from users simplifies permission management: when a user's job responsibilities change, you change the permissions of the user role, remove the user role from the user, or assign the user a different user role, rather than editing per-user permissions.
Permission assignment
Use the following methods to assign permissions to a user role:
• Define a set of rules to determine accessible or inaccessible items for the user role. (See " .")
• Configure resource access policies to specify which resources are accessible to the user role. (See " .")
To use a command related to a system resource, a user role must have access to both the command and the resource. Access to one without the other is not sufficient.
For example, suppose a user role has access to the vlan command and access only to VLAN 10. A user assigned that user role can use the vlan command to create VLAN 10 and enter its view, but cannot create or enter any other VLAN. Conversely, if the user role has access to VLAN 10 but does not have access to the vlan command, the user cannot use the command to enter the view of VLAN 10 at all.
When a user logs in to the device with any user role and enters ? in a view, help information is displayed for the system-defined command aliases in that view. Seeing an alias in the help output does not mean the user can execute it: whether the user can use a command alias depends on the user role's permission to the command that the alias stands for. For information about command aliases, see "
A user that logs in to the device with any user role has access to the system-view, quit, and exit commands.
User role rules
User role rules permit or deny access to commands, Web pages, XML elements, or MIB nodes. You can define the following types of rules for different access control granularities:
• Command rule—Controls access to a command or a set of commands that match a regular expression.
• Feature rule—Controls access to the commands of a feature by command type.
• Feature group rule—Controls access to the commands of features in a feature group by command type.
• Web menu rule—Controls access to Web pages used for configuring the device. These Web pages are called Web menus.
• XML element rule—Controls access to XML elements used for configuring the device.
• OID rule—Controls SNMP access to a MIB node and its child nodes. An OID is a dotted numeric string that uniquely identifies the path from the root node to a leaf node.
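The access decision described in "Permission assignment" (a command related to a resource needs both the command rule and the resource policy to permit it) and the command and OID rule types listed above can be captured in a small executable model. The following is an added example written for this chapter; it is illustrative Python, not the device's implementation. The rule syntax, the sample roles, the regular-expression matching of "view ; command" strings, and the deny-overrides handling of conflicting rules are all assumptions of the model and not statements about the device. The OID check shows the caveat that subtree matching must be done on dotted components, not on raw string prefixes, so that a rule for 1.3.6.1.2.1 does not accidentally cover 1.3.6.1.2.10.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Added example: a model of the RBAC access decision described in this chapter.
# Illustrative code only, not the device's implementation. Rule syntax, the
# deny-overrides conflict handling and the sample roles below are assumptions.

# Commands every user role can use regardless of its rules (stated in the chapter).
ALWAYS_PERMITTED = {"system-view", "quit", "exit"}


@dataclass
class CommandRule:
    number: int
    action: str    # "permit" or "deny"
    pattern: str   # Python regex matched against "<view> ; <command>" (assumption)


@dataclass
class OidRule:
    number: int
    action: str    # "permit" or "deny"
    oid: str       # dotted OID; the rule covers this node and its child nodes


@dataclass
class UserRole:
    name: str
    command_rules: List[CommandRule] = field(default_factory=list)
    oid_rules: List[OidRule] = field(default_factory=list)
    # Resource access policy: None = all VLANs accessible, a set = only those VLANs.
    vlan_policy: Optional[Set[int]] = None

    @staticmethod
    def _decide(matching_actions: List[str]) -> bool:
        # No matching rule: inaccessible. Conflicting rules: deny wins (assumption).
        return bool(matching_actions) and all(a == "permit" for a in matching_actions)

    def can_run(self, view: str, command: str) -> bool:
        """Command rule check only; resources are not considered here."""
        if command.split()[0] in ALWAYS_PERMITTED:
            return True
        full = f"{view} ; {command}"
        return self._decide([r.action for r in self.command_rules
                             if re.fullmatch(r.pattern, full)])

    def can_use_vlan(self, vlan_id: int) -> bool:
        """Resource access policy check only."""
        return self.vlan_policy is None or vlan_id in self.vlan_policy

    def can_enter_vlan_view(self, vlan_id: int) -> bool:
        """The chapter's rule: the command AND the resource must both be permitted."""
        return self.can_run("system-view", f"vlan {vlan_id}") and self.can_use_vlan(vlan_id)

    def can_read_oid(self, oid: str) -> bool:
        """OID rule: a rule covers its node and the subtree beneath it.
        Match on dotted components ("1.3.6.1.2.1" plus "."), not a bare string
        prefix, so 1.3.6.1.2.1 does not also cover 1.3.6.1.2.10."""
        actions = [r.action for r in self.oid_rules
                   if oid == r.oid or oid.startswith(r.oid + ".")]
        return self._decide(actions)


# Constructed sample roles (assumptions for the demonstration).
VLAN10_ADMIN = UserRole(
    name="vlan10-admin",
    command_rules=[CommandRule(1, "permit", r"system-view ; vlan .*")],
    vlan_policy={10},
)
# Same VLAN policy but no command rule: the resource alone is not enough.
VLAN10_NO_CMD = UserRole(name="vlan10-nocmd", vlan_policy={10})

SNMP_RO = UserRole(
    name="snmp-ro",
    oid_rules=[OidRule(1, "permit", "1.3.6.1.2.1"),      # mib-2 subtree readable
               OidRule(2, "deny",   "1.3.6.1.2.1.4")],   # except the ip group
)

if __name__ == "__main__":
    print("vlan10-admin -> VLAN 10:", VLAN10_ADMIN.can_enter_vlan_view(10))
    print("vlan10-admin -> VLAN 20:", VLAN10_ADMIN.can_enter_vlan_view(20))
    print("vlan10-nocmd -> VLAN 10:", VLAN10_NO_CMD.can_enter_vlan_view(10))
    print("snmp-ro -> sysDescr.0:", SNMP_RO.can_read_oid("1.3.6.1.2.1.1.1.0"))
```

Running the block reproduces the chapter's example: vlan10-admin can enter VLAN 10 view but not VLAN 20 (the command rule permits any vlan command, the resource policy stops VLAN 20), and vlan10-nocmd cannot enter VLAN 10 view even though VLAN 10 is in its resource policy, because no command rule permits the vlan command. The quit and exit commands pass for every role without any rule.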