HP 10500 Series Configuration Manual page 61

A user role can access the set of permitted commands specified in its rules. The user role rules include
predefined (identified by sys-n) and user-defined user role rules.
If two user-defined rules of the same type conflict, the one with the higher ID takes effect. For
example, if rule 1 permits the ping command, rule 2 permits the tracert command, and rule 3
denies the ping command, the user role can use the tracert command but not the ping command.
If a predefined user role rule and a user-defined user role rule conflict, the user-defined user role rule
takes effect.
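The precedence described above, as an added Python example that is not part of the manual: among user-defined rules of the same type the one with the higher ID takes effect, and a user-defined rule takes effect over a conflicting predefined rule. The rule set, the glob-style command matching, and the default-deny fallback for commands no rule permits are constructed assumptions for this illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    rule_id: int        # user-defined rules carry a number; predefined ones are sys-n
    action: str         # "permit" or "deny"
    rule_type: str      # only "command" rules are modelled here (assumption)
    pattern: str        # command pattern; "*" wildcard matching is an assumption
    predefined: bool = False


def command_decision(rules, command):
    """Return "permit" or "deny" for one command under a role's rule set.

    Precedence taken from the manual text:
      - a user-defined rule takes effect over a conflicting predefined rule;
      - among user-defined rules of the same type, the higher ID wins.
    Commands that no rule matches are denied (assumption: a role can only
    access the commands its rules permit).
    """
    matching = [r for r in rules
                if r.rule_type == "command" and fnmatchcase(command, r.pattern)]
    if not matching:
        return "deny"
    user_defined = [r for r in matching if not r.predefined]
    # User-defined rules override predefined ones; the highest ID decides.
    # Applying the same highest-ID choice among predefined rules is an assumption.
    pool = user_defined or matching
    return max(pool, key=lambda r: r.rule_id).action


# Constructed rule set reproducing the manual's example (rules 1-3) plus a
# predefined sys-1 rule and a user-defined rule 4 that conflicts with it.
ROLE_RULES = [
    Rule(1, "permit", "command", "sys-1 display *", True)._replace(rule_id=1)
    if False else Rule(1, "permit", "command", "display *", predefined=True),
    Rule(1, "permit", "command", "ping *"),
    Rule(2, "permit", "command", "tracert *"),
    Rule(3, "deny", "command", "ping *"),
    Rule(4, "deny", "command", "display history-command all"),
]
```

Evaluating `command_decision(ROLE_RULES, "ping 192.0.2.1")` yields "deny" while "tracert 192.0.2.1" yields "permit", matching the manual's example; "display version" is permitted by the predefined rule, but "display history-command all" is denied because user-defined rule 4 overrides it.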
Resource access policies
Resource access policies control access of user roles to system resources and include the following types:
Interface policy—Controls access to interfaces.
VLAN policy—Controls access to VLANs.
VPN instance policy—Controls access to VPNs.
Resource access policies do not control access to the interface, VLAN, or VPN options in the display
commands. You can specify these options in the display commands if they are permitted by any user role
rule.
Predefined user roles
The system provides 21 predefined user roles. All these user roles have access to all system resources
(interfaces, VLANs, and VPNs), but their command access permissions differ, as shown in Table 9.
Among all the predefined user roles, only network-admin, mdc-admin, and level-15 can perform the
following operations:
Access the RBAC feature.
Change the settings including user-role, authentication-mode, protocol, and set authentication
password in user line view.
Create, modify, and delete local users and local user groups. The other user roles can only modify
their own password if they have permissions to configure local users and local user groups.
All the predefined user roles are available for the default MDC. The user roles network-admin and
network-operator are not available for non-default MDCs. For more information about MDCs, see
"Configuring MDCs."
Level-0 to level-14 users can modify their own permissions for any commands except for the display
history-command all command.
Table 9 Predefined roles and permissions matrix
User role name: network-admin
Permissions: Accesses all features and resources in the system, except for the display
security-logfile summary, info-center security-logfile directory, and security-logfile save commands.
User role name: network-operator
Permissions: Accesses the display commands for all features and resources in the system, except for
commands such as display history-command all and display security-logfile summary. To display all
accessible commands of the user role, use the display role name network-operator command.
Changes between MDC views.
Enables local authentication login users to change their own password.