Table of Contents
Advertisement
Default
The default authorization methods of the ISP domain are used for command authorization.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a
case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. The authorization server does not verify whether the entered
commands are permitted by the user role. The commands are executed successfully if the user role
has permission to the commands.
Usage guidelines
Command authorization restricts login users to execute only authorized commands by employing an
authorization server to verify whether each entered command is permitted.
When local command authorization is configured, the device compares each entered command with
the user's configuration on the device. The command is executed only when it is permitted by the
user's authorized user roles.
The commands that can be executed are controlled by both the access permission of user roles and
command authorization of the authorization server. Access permission only controls whether the
authorized user roles have access to the entered commands, but it does not control whether the user
roles have obtained authorization to these commands. If a command is permitted by the access
permission but denied by command authorization, this command cannot be executed.
You can specify one primary command authorization method and multiple backup command
authorization methods.
When the default authorization method is invalid, the device attempts to use the backup
authorization methods in sequence. For example, the authorization command hwtacacs-scheme
hwtacacs-scheme-name local none command specifies the default HWTACACS authorization
method and two backup methods (local authorization and no authorization). The device performs
HWTACACS authorization by default and performs local authorization when the HWTACACS server
is invalid. The device does not perform command authorization when both of the previous methods
are invalid.
Examples
# In ISP domain test, configure the device to perform local command authorization.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command local
# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and
use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local
Related commands
command authorization (Fundamentals Command Reference)
19
Advertisement
Table of Contents
