R0106-HP MSR Router Series Fundamentals Configuration Guide(V7)

A user role can access the set of permitted commands and XML elements specified in the user role rules.
The user role rules include predefined (identified by sys-n) and user-defined user role rules. For more
information about the user role rule priority, see "Configuring user role rules."
Resource access policies
Resource access policies control access of user roles to system resources and include the following types:
Interface policy—Controls access to interfaces.
VLAN policy—Controls access to VLANs.
VPN instance policy—Controls access to VPNs.
Resource access policies do not control access to the interface, VLAN, or VPN options in the display
commands. You can specify these options in the display commands if the options are permitted by any
user role rule.
Predefined user roles
The system provides predefined user roles. These user roles have access to all system resources (interfaces,
VLANs, and VPNs). However, their access permissions differ, as shown in Table 6.
Among all of the predefined user roles, only network-admin and level-15 can perform the following tasks:
Access the RBAC feature.
Change the settings in user line view, including user-role, authentication-mode, protocol inbound, and set authentication password.
Create, modify, and delete local users and local user groups. The other user roles can only modify their own password if they have permissions to configure local users and local user groups.
Level-0 to level-14 users can modify their own permissions for any commands except for the display history-command all command.
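One way to review which user lines and local users hold the two roles named above, as an added example that is not part of the HP guide. It assumes a configuration file laid out in Comware 7 style; the sample configuration, the user names, and the function names are constructed for illustration.

```python
# Roles the text above singles out: RBAC access, user line settings, local users.
PRIVILEGED_ROLES = {"network-admin", "level-15"}

# Constructed sample, laid out like a Comware 7 configuration file (assumed layout).
SAMPLE_CONFIG = """\
line vty 0 4
 authentication-mode scheme
 user-role network-operator
#
line vty 5 63
 authentication-mode none
 user-role network-admin
#
local-user netops class manage
 authorization-attribute user-role network-operator
#
local-user backup class manage
 authorization-attribute user-role level-15
 authorization-attribute user-role network-operator
"""

def parse_sections(config):
    """Collect user-role and authentication-mode per user line or local user."""
    sections, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not raw.startswith(" "):          # top-level line starts a new section
            if words[:1] == ["local-user"] and len(words) > 1:
                current = "local-user " + words[1]
            elif words[:1] == ["line"]:
                current = " ".join(words)
            else:
                current = None               # "#" separator or unrelated section
            if current:
                sections.setdefault(current, {"roles": set(), "auth": None})
        elif current and words:
            if words[-2:-1] == ["user-role"]:    # line or local-user role assignment
                sections[current]["roles"].add(words[-1])
            elif words[0] == "authentication-mode" and len(words) > 1:
                sections[current]["auth"] = words[1]
    return sections

def audit(config):
    """List (principal, privileged roles held, authentication-mode) for review."""
    return [(name, sorted(s["roles"] & PRIVILEGED_ROLES), s["auth"])
            for name, s in parse_sections(config).items()
            if s["roles"] & PRIVILEGED_ROLES]
```

Each finding is a principal that can reach the RBAC feature and local user management, so a user line that pairs one of these roles with a weak authentication mode deserves the first look.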
Table 6 Predefined roles and permissions matrix
User role name | Permissions
network-admin | Accesses all features and resources in the system.
network-operator | Accesses the display commands for features and resources in the system. To display all accessible commands of the user role, use the display role name network-operator command. Enables local authentication login users to change their own password. Accesses the command used for entering XML view. Accesses all read-type XML elements.