Configuring RBAC; Overview; Permission Assignment - HPE FlexFabric 5940 Series Configuration Manual

Fundamentals configuration guide

Configuring RBAC

Overview

Role-based access control (RBAC) controls user access to items and system resources based on user roles. In this chapter, items include commands, XML elements, and MIB nodes, and system resources include interfaces, VLANs, and VPN instances.

RBAC assigns access permissions to user roles that are created for different job functions. Users are granted access to a set of items and resources through the user roles assigned to them. Because user roles are static while users change, separating permissions from users keeps permission management simple: when a user changes, you only need to change the user role permissions, remove user roles, or assign new user roles. For example, to change the job responsibilities of a user, you can change the user role permissions or assign new user roles to that user.

Permission assignment

Use the following methods to assign permissions to a user role:
Define a set of rules to determine accessible or inaccessible items for the user role. (See "User role rules.")
Configure resource access policies to specify which resources are accessible to the user role. (See "Resource access policies.")
To use a command related to a system resource, a user role must have access to both the command and the resource.
For example, suppose a user role has access to the vlan command but access only to VLAN 10. A user assigned this role can use the vlan command to create VLAN 10 and enter its view, but cannot create any other VLAN. Conversely, if the user role has access to VLAN 10 but not to the vlan command, the user cannot use the command to enter the view of VLAN 10.
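The two-layer check in this example, as a small Python model added here (not HPE code and not the switch's own evaluation logic); the role names, the regular-expression form of the command rule, and the highest-ID-wins tie-break between overlapping rules are assumptions of the model, not statements from the manual:

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Commands that every user role can use, whatever its rules (stated in the chapter).
ALWAYS_PERMITTED = {"system-view", "quit", "exit"}

@dataclass
class CommandRule:
    rule_id: int
    action: str   # "permit" or "deny"
    pattern: str  # regular expression matched against the full command line

@dataclass
class UserRole:
    name: str
    rules: list = field(default_factory=list)
    # VLAN access policy: None = all VLANs accessible (no policy configured);
    # a set = only the listed VLAN IDs are accessible.
    vlan_policy: Optional[set] = None

    def command_allowed(self, command: str) -> bool:
        if command in ALWAYS_PERMITTED:
            return True
        decision = False  # no matching rule: the command is inaccessible
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if re.fullmatch(rule.pattern, command):
                # Model assumption: among overlapping rules, the matching
                # rule with the highest ID decides.
                decision = rule.action == "permit"
        return decision

    def vlan_allowed(self, vlan_id: int) -> bool:
        return self.vlan_policy is None or vlan_id in self.vlan_policy

def can_enter_vlan_view(role: UserRole, vlan_id: int) -> bool:
    """'vlan N' is usable only with access to BOTH the command and VLAN N."""
    return role.command_allowed(f"vlan {vlan_id}") and role.vlan_allowed(vlan_id)

# Constructed roles mirroring the chapter's example (hypothetical names).
VLAN10_OPERATOR = UserRole("vlan10-operator",
                           rules=[CommandRule(1, "permit", r"vlan \d+")],
                           vlan_policy={10})
VLAN10_NO_COMMAND = UserRole("vlan10-no-command", rules=[], vlan_policy={10})

if __name__ == "__main__":
    print(can_enter_vlan_view(VLAN10_OPERATOR, 10))    # True: command and VLAN 10 both permitted
    print(can_enter_vlan_view(VLAN10_OPERATOR, 20))    # False: VLAN 20 is outside the policy
    print(can_enter_vlan_view(VLAN10_NO_COMMAND, 10))  # False: no rule grants the vlan command
```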
When a user logs in to the device with any user role and enters <?> in a view, help information is displayed for the system-defined command aliases in that view. However, the user might not have permission to access those command aliases: whether the user can access a command alias depends on the user role's permission to the command that the alias stands for. For information about command aliases, see "Using the CLI."
A user that logs in to the device with any user role has access to the system-view, quit, and exit
commands.
User role rules
User role rules permit or deny access to commands, XML elements, or MIB nodes. You can define the following types of rules for different access control granularities:
Command rule—Controls access to a command or a set of commands that match a regular expression.
Feature rule—Controls access to the commands of a feature by command type.
Feature group rule—Controls access to the commands of features in a feature group by command type.
XML element rule—Controls access to XML elements used for configuring the device.
OID rule—Controls SNMP access to a MIB node and its child nodes. An OID is a dotted numeric string that uniquely identifies the path from the root node to a leaf node.
The commands, XML elements, and MIB nodes are controlled based on the following types:
policies.")
"Using the
17
CLI."
"User

Hide quick links:

Advertisement

Table of Contents
loading

This manual is also suitable for:

Flexfabric 5950 series

Table of Contents