HP 6125XLG R2306-HP 6125XLG Blade Switch Fundamentals Configuration Guide - Page 49
Configuring RBAC

Role based access control (RBAC) controls user access to commands and resources based on user role. This chapter describes the basic idea of RBAC and guides you through the RBAC configuration procedure.

Overview

On devices that support multiple users, RBAC is used to assign command and resource access permissions to user roles that are created for different job functions. Users are given permission to access a set of commands and resources based on their user roles.

Because user roles are persistent, in contrast to users, separating permissions from users simplifies permission management. When the job responsibilities of a user change, new users are added, or old users are removed, you only need to change the user roles or assign new user roles; the rules attached to each role stay as they are.

Permission assignment

Assigning permissions to a user role includes the following:

• Define a set of rules to specify the commands that are accessible or inaccessible to the user role. (See "User role rules.")
• Configure resource access policies to specify which interfaces, VLANs, and VPNs are accessible to the user role. (See "Resource access policies.")

To use a command related to a specific interface, VLAN, or VPN, a user role must have access to both the command and the interface, VLAN, or VPN. Access is the conjunction of the two checks, not either one alone. For example, a user role has access to the qos apply policy command and access to only interface Ten-GigabitEthernet 1/1/5. With this user role, you can enter the interface view and use the qos apply policy command on that interface, but you cannot enter the view of any other interface or use the command on any other interface. Conversely, if the user role has access to all interfaces but does not have access to the qos apply policy command, you cannot use the command on any interface.

User role rules

User role rules permit or deny access to commands. You can define the following types of rules for different access control granularities:

• Command rule: Controls access to a command or a set of commands that match a regular expression.
• Feature rule: Controls access to the commands of a feature by command type:
  - Read: Commands that display configuration and maintenance information. Examples include the display commands and the dir command.
  - Write: Commands that configure the feature in the system. Examples include the info-center enable command and the debugging command.
  - Execute: Commands that execute specific functions. Examples include the ping command and the ftp command.
• Feature group rule: Controls access to the commands of a group of features by command type.
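The decision logic described above (command rules, feature and feature-group rules by command type, and the requirement that a command on an interface or VLAN needs both the command permission and the resource permission) is modelled in the following Python script. This is an added example, not code from the HP manual or the switch firmware, and it simplifies the device: the feature catalogue, the "net-tools" feature group, the role names and the rule that a higher-numbered rule overrides a lower-numbered one on conflict are all assumptions made for this illustration. Command rules here match a regular expression against the command line only, without the view path the real device syntax includes.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed feature catalogue for this example (a real switch ships its own
# feature/command tables). Each feature maps commands to the three command types
# the page defines: read (display/maintenance), write (configure), execute.
FEATURES = {
    "qos": {"display qos policy": "read", "qos apply policy": "write"},
    "info-center": {"display info-center": "read", "info-center enable": "write"},
    "ping": {"ping": "execute"},
    "ftp": {"ftp": "execute"},
}
# Constructed feature group; the device has its own predefined groups.
FEATURE_GROUPS = {"net-tools": {"ping", "ftp"}}
ALL_TYPES = frozenset({"read", "write", "execute"})


@dataclass
class Rule:
    rule_id: int
    action: str                    # "permit" or "deny"
    kind: str                      # "command", "feature" or "feature-group"
    target: str                    # regex (command rule), feature or group name
    types: frozenset = ALL_TYPES   # command types covered by a feature/group rule


@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)
    # Resource policies. None = default policy (every resource accessible);
    # a set = deny policy in which only the listed resources are permitted.
    interfaces: Optional[set] = None
    vlans: Optional[set] = None


def classify(command):
    """Return (feature, command type) for a command line, or None if unknown."""
    for feature, cmds in FEATURES.items():
        for prefix, ctype in cmds.items():
            if command == prefix or command.startswith(prefix + " "):
                return feature, ctype
    return None


def rule_matches(rule, command):
    if rule.kind == "command":
        return re.match(rule.target, command) is not None
    info = classify(command)
    if info is None:
        return False
    feature, ctype = info
    if ctype not in rule.types:
        return False
    if rule.kind == "feature":
        return feature == rule.target
    return feature in FEATURE_GROUPS.get(rule.target, set())


def command_allowed(role, command):
    """Walk the rules in ID order; no matching rule means the command is denied.
    Assumption for this model: on conflict, the rule with the higher ID wins."""
    decision = "deny"
    for rule in sorted(role.rules, key=lambda r: r.rule_id):
        if rule_matches(rule, command):
            decision = rule.action
    return decision == "permit"


def resource_allowed(policy, resource):
    return resource is None or policy is None or resource in policy


def permits(role, command, interface=None, vlan=None):
    """Both checks must pass: the command rule AND the resource policy."""
    return (command_allowed(role, command)
            and resource_allowed(role.interfaces, interface)
            and resource_allowed(role.vlans, vlan))


# The page's worked example: qos apply policy, but only on Ten-GigabitEthernet 1/1/5.
QOS_ADMIN = Role("qos-admin",
                 rules=[Rule(1, "permit", "command", r"^qos apply policy\b")],
                 interfaces={"Ten-GigabitEthernet1/1/5"})
# All interfaces accessible, but no rule grants the command.
IFACE_ONLY = Role("iface-only")
# Read-only QoS, execute on the net-tools group, with a later deny overriding ftp.
OPERATOR = Role("operator", rules=[
    Rule(1, "permit", "feature", "qos", frozenset({"read"})),
    Rule(2, "permit", "feature-group", "net-tools", frozenset({"execute"})),
    Rule(3, "deny", "command", r"^ftp\b"),
])

if __name__ == "__main__":
    for role, cmd, ifc in [
        (QOS_ADMIN, "qos apply policy p1", "Ten-GigabitEthernet1/1/5"),
        (QOS_ADMIN, "qos apply policy p1", "Ten-GigabitEthernet1/1/6"),
        (IFACE_ONLY, "qos apply policy p1", "Ten-GigabitEthernet1/1/6"),
        (OPERATOR, "display qos policy", None),
        (OPERATOR, "qos apply policy p1", None),
        (OPERATOR, "ping 10.0.0.1", None),
        (OPERATOR, "ftp 10.0.0.1", None),
    ]:
        print(f"{role.name:10} {cmd!r:28} on {ifc}: {permits(role, cmd, interface=ifc)}")
```

Running the script prints one line per check; the two qos-admin lines reproduce the manual's example (permitted on 1/1/5, denied on 1/1/6), and the iface-only line shows that interface access without the command permission is still a denial.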