The commands, Web menus, XML elements, and MIB nodes are controlled based on the following types:
• Read—Commands, Web menus, XML elements, or MIB nodes that display configuration and maintenance information. For example, the display commands and the dir command.
• Write—Commands, Web menus, XML elements, or MIB nodes that configure the features in the system. For example, the info-center enable command and the debugging command.
• Execute—Commands, Web menus, XML elements, or MIB nodes that execute specific functions. For example, the ping command and the ftp command.
A user role can access the set of permitted commands, Web pages, XML elements, and MIB nodes specified in the user role rules. The user role rules include predefined (identified by sys-n) and user-defined user role rules. For more information about the user role rule priority, see "
Resource access policies
Resource access policies control access of a user role to system resources and include the following types:
• Interface policy—Controls access to interfaces.
• VLAN policy—Controls access to VLANs.
• VPN instance policy—Controls access to VPN instances.
Resource access policies do not control access to the interface, VLAN, or VPN instance options in the display commands. You can specify these options in the display commands if the options are permitted by any user role rule.
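The following is an added example, not code from the configuration guide or the device: a small Python model of how a user role's command-type rules and its resource access policies combine into one access decision, including the point that display command options are not subject to the resource access policies. The sample roles, the command classification (the vlan view command is assumed to be a write command) and the simplified rule matching are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Command type classification, using the examples the guide gives.
# The "vlan" view command is classified as write here by assumption.
COMMAND_TYPES = {
    "display": "read", "dir": "read",
    "info-center enable": "write", "debugging": "write", "vlan": "write",
    "ping": "execute", "ftp": "execute",
}

def command_type(command):
    """Return read/write/execute for a command line, or None if unknown."""
    for prefix, ctype in COMMAND_TYPES.items():
        if command == prefix or command.startswith(prefix + " "):
            return ctype
    return None

@dataclass
class UserRole:
    name: str
    permitted_types: set                                # from user role rules
    denied_commands: set = field(default_factory=set)   # explicit deny rules
    interfaces: set = field(default_factory=set)        # interface policy
    vlans: set = field(default_factory=set)             # VLAN policy
    vpn_instances: set = field(default_factory=set)     # VPN instance policy

def authorize(role, command, resource=None):
    """Decide whether role may run command; resource is (kind, name) or None.
    Resource policies are skipped for display commands: the guide says the
    interface/VLAN/VPN options of display commands are governed only by the
    user role rules, not by the resource access policies."""
    if any(command.startswith(d) for d in role.denied_commands):
        return False
    if command_type(command) not in role.permitted_types:
        return False
    if resource is None or command.startswith("display"):
        return True
    kind, name = resource
    policy = {"interface": role.interfaces, "vlan": role.vlans,
              "vpn-instance": role.vpn_instances}[kind]
    return "*" in policy or name in policy

# Constructed sample roles; the deny list mirrors Table 8's three exceptions.
NETWORK_ADMIN = UserRole(
    "network-admin", {"read", "write", "execute"},
    denied_commands={"display security-logfile summary",
                     "info-center security-logfile directory",
                     "security-logfile save"},
    interfaces={"*"}, vlans={"*"}, vpn_instances={"*"})
VLAN10_OPERATOR = UserRole("vlan10-operator", {"read", "write"}, vlans={"10"})
```

Running authorize(VLAN10_OPERATOR, "display vlan 20", ("vlan", "20")) returns True while authorize(VLAN10_OPERATOR, "vlan 20", ("vlan", "20")) returns False, which is exactly the asymmetry the paragraph above describes.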
Predefined user roles
The system provides predefined user roles. These user roles have access to all system resources (interfaces, VLANs, and VPN instances). However, their access permissions differ, as shown in
Among all of the predefined user roles, only network-admin, mdc-admin, and level-15 can perform the following tasks:
• Access the RBAC feature.
• Change the settings in user line view, including the user-role, authentication-mode, protocol inbound, and set authentication password commands.
• Create SNMP communities, users, and groups by using the snmp-agent community, snmp-agent usm-user, and snmp-agent group commands, respectively.
• Create, modify, and delete local users and local user groups. The other user roles can only modify their own passwords if they have permissions to configure local users and local user groups.
All the predefined user roles are available for the default MDC. The network-admin and network-operator user roles are not available for non-default MDCs. For more information about MDCs, see Virtual Technologies Configuration Guide.
The access permissions of the level-0 to level-14 user roles can be modified through user role rules and resource access policies. However, you cannot change the predefined access permissions of these user roles. For example, you cannot change the access permission of these user roles to the display history-command all command.
Table 8 Predefined roles and permissions matrix
User role name    Permissions
network-admin     Accesses all features and resources in the system, except for the display security-logfile summary, info-center security-logfile directory, and security-logfile save commands.