Authorization Default - HP FlexNetwork MSR Series Command Reference Manual
Comware 7 security
Hide thumbs
Also See for FlexNetwork MSR Series:
- Configuration manual (392 pages) ,
- Configuration manuals (159 pages)
Advertisement
Usage guidelines
Command authorization restricts login users to execute only authorized commands by employing an
authorization server to verify whether or not each entered command is permitted.
When local command authorization is configured, the device compares each entered command with
the user's configuration on the device. The command is executed only when it is permitted by the
user's authorized user role.
The commands that can be executed are controlled by both the access permission of user roles and
command authorization of the authorization server. Access permission only controls whether the
authorized user roles have access to the entered commands, but it does not control whether the user
roles have obtained authorization to these commands. If a command is permitted by the access
permission but denied by command authorization, this command cannot be executed.
You can specify one primary command authorization method and multiple backup command
authorization methods.
When the default authorization method is invalid, the device attempts to use the backup
authorization methods in sequence. For example, the authorization command hwtacacs-scheme
hwtacacs-scheme-name local none command specifies the default HWTACACS authorization
method and two backup methods (local authorization and no authorization). The device performs
HWTACACS authorization by default and performs local authorization when the HWTACACS server
is invalid. The device does not perform command authorization when both of the previous methods
are invalid.
Examples
# In ISP domain test, configure the device to perform local command authorization.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command local
# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and
use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local
Related commands
authorization accounting (Fundamentals Command Reference)
hwtacacs scheme
local-user
authorization default
Use authorization default to specify the default authorization method for an ISP domain.
Use undo authorization default to restore the default.
Syntax
In non-FIPS mode:
authorization
radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme
radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization default
In FIPS mode:
default
{
hwtacacs-scheme
hwtacacs-scheme-name
27
[
radius-scheme
Advertisement
