HP 6125XLG R2306-HP 6125XLG Blade Switch Fundamentals Configuration Guide - Page 50
Resource access policies, Predefined user roles
View all HP 6125XLG manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 50 highlights
A user role can have multiple rules uniquely identified by rule numbers. The set of permitted commands in these rules are accessible to the user role. If two rules conflict, the one with higher number takes effect. For example, if rule 1 permits the ping command, rule 2 permits the tracert command, and rule 3 denies the ping command, the user role can use the tracert command but not the ping command. Resource access policies Resource access policies control access of user roles to system resources and include the following types: • Interface policy-Controls access to interfaces. • VLAN policy-Controls access to VLANs. • VPN instance policy-Controls access to VPNs. Resource access policies do not control access to the interface, VLAN, or VPN options in the display commands. You can specify these options in the display commands if they are permitted by any user role rule. Predefined user roles The system provides 19 predefined user roles. All these user roles have access to all system resources (interfaces, VLANs, and VPNs), but their command access permissions (see Table 9) differ. Among all the predefined user roles, only network-admin and level-15 can perform the following operations: • Access the RBAC feature. • Change the settings including user-role, authentication-mode, protocol, and set authentication password in user interface view. • Create, modify, and delete local users and local user groups. (The other user roles can only modify their own passwords if they have permissions to configure local users and local user groups.) Level-0 to level-14 users can modify their own permissions for any commands except for the display history-command all command. Table 10 Predefined roles and permissions matrix User role name network-admin network-operator Permissions Accesses all features and resources in the system, except for the display security-logfile summary, info-center security-logfile directory, and security-logfile save commands. Accesses the display commands for all features and resources in the system, except for the display history-command all, display security-logfile summary, info-center security-logfile directory, and security-logfile save commands. To display all accessible commands of the user role, use the display role name network-operator command. 43