HP MSR2000/3000/4000 Router Series Fundamentals Configuration Guide
• XML element rule—Controls access to XML elements used for configuring the device.
A user role can have multiple rules, each uniquely identified by a rule number. The set of commands permitted by these rules is accessible to the user role. If two rules conflict, the one with the higher rule number takes effect. For example, if rule 1 permits the ping command, rule 2 permits the tracert command, and rule 3 denies the ping command, the user role can use the tracert command but not the ping command.
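The rule-precedence behaviour described above, as an added illustration (not vendor code from the guide): rules are matched against a command, and among the matching rules the highest rule number decides. The wildcard matching, the default-deny for commands no rule permits, and the rule-number uniqueness check are assumptions made for this example.

```python
"""Evaluate a user role's command rules with higher-number-wins precedence.
Added example, not part of the HP configuration guide."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Iterable


@dataclass(frozen=True)
class Rule:
    number: int    # rule number; must be unique within the role
    action: str    # "permit" or "deny"
    command: str   # command pattern; '*' wildcard is an assumption for this example


def command_allowed(rules: Iterable[Rule], command: str) -> bool:
    """Return True if the role may run `command`.

    Only rules whose pattern matches the command are considered; of those,
    the rule with the highest number takes effect. A command matched by no
    rule is denied (assumption: only explicitly permitted commands are
    accessible, as the guide states).
    """
    rules = list(rules)
    numbers = [r.number for r in rules]
    if len(numbers) != len(set(numbers)):
        raise ValueError("rule numbers must be unique within a user role")
    matching = [r for r in rules if fnmatch(command, r.command)]
    if not matching:
        return False
    winner = max(matching, key=lambda r: r.number)
    return winner.action == "permit"


# Constructed rule set reproducing the guide's example:
# rule 1 permits ping, rule 2 permits tracert, rule 3 denies ping.
EXAMPLE_RULES = (
    Rule(1, "permit", "ping*"),
    Rule(2, "permit", "tracert*"),
    Rule(3, "deny", "ping*"),
)

if __name__ == "__main__":
    for cmd in ("ping 192.0.2.1", "tracert 192.0.2.1", "display version"):
        print(f"{cmd!r}: {'permit' if command_allowed(EXAMPLE_RULES, cmd) else 'deny'}")
```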
Resource access policies
Resource access policies control access of user roles to system resources and include the following types:
• Interface policy—Controls access to interfaces.
• VLAN policy—Controls access to VLANs.
• VPN instance policy—Controls access to VPNs.
Resource access policies do not control access to the interface, VLAN, or VPN options in the display
commands. You can specify these options in the display commands if they are permitted by any user role
rule.
Predefined user roles
The system provides 19 predefined user roles. All these user roles have access to all system resources (interfaces, VLANs, and VPNs), but their command access permissions (see Table 6) differ.
Among all the predefined user roles, only network-admin and level-15 can access the RBAC feature and
change the settings including user-role, authentication-mode, protocol, and set authentication
password in user line view.
Level-0 to level-14 users can modify their own permissions for any commands except for the display
history-command all command.
Table 6 Predefined roles and permissions matrix

User role name: network-admin
Permissions: Accesses all features and resources in the system, except for the display security-logfile summary, info-center security-logfile directory, and security-logfile save commands.

User role name: network-operator
Permissions:
• Accesses the display commands for all features and resources in the system, except for the display history-command all and display security-logfile summary commands. To display all accessible commands of the user role, use the display role name network-operator command.
• Enables local authentication login users to change their own password.
• Accesses the command used for entering XML view.
• Accesses all read-type XML elements.