Configuring Rbac; Overview; Permission Assignment - HP 10500 Series Configuration Manual

Configuring RBAC

Overview

Role-based access control (RBAC) controls user access to items and system resources based on user roles.
In this chapter, items include commands, XML elements, and MIB nodes, and system resources include
interfaces, VLANs, and VPN instances.
RBAC assigns access permissions to user roles that are created for different job functions. Users are given
permission to access a set of items and resources based on their user roles. Because user roles are
persistent, in contrast to users, separating permissions from users simplifies permission management:
when the job responsibilities of a user change, new users are added, or old users are removed, you only
need to change the user roles or assign new user roles.

Permission assignment

Use the following methods to assign permissions to a user role:
• Define a set of rules to determine accessible or inaccessible items for the user role. (See "User role
rules.")
• Configure resource access policies to specify which interfaces, VLANs, and VPN instances are
accessible to the user role. (See "Resource access policies.")
To use a command related to a resource (an interface, VLAN, or VPN instance), a user role must have
access to both the command and the resource.
For example, a user role has access to the qos apply policy command and access only to interface
GigabitEthernet 1/0/1. With this user role, you can enter the interface view and use the qos apply policy
command on the interface. However, you cannot enter the view of any other interface or use the
command on any other interface. If the user role has access to any interface but does not have access to
the qos apply policy command, you cannot use the command on any interface.
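The following Comware CLI configuration is an added example, not taken from this manual: it builds the user role just described, permitting the qos apply policy command while the interface resource policy grants only GigabitEthernet 1/0/1. The role name qos-ge1-only, the local user netops, the password placeholder and the lines starting with "#" (annotations, not device input) are assumptions; the commands used (role name, rule, interface policy deny, permit interface, authorization-attribute user-role) are assumed to follow Comware 7 RBAC syntax.

```text
# Annotation lines starting with "#" explain the step and are not typed on the device.
system-view
role name qos-ge1-only
 description Apply QoS policies on GigabitEthernet 1/0/1 only
# Command rules. Permitting the command alone is not enough to use it on an
# interface: the interface resource policy below must also grant that interface.
 rule 1 permit command display *
 rule 2 permit command system-view ; interface * ; qos apply policy *
# Assumed: the undo form is matched as its own command, so permit it explicitly.
 rule 3 permit command system-view ; interface * ; undo qos apply policy *
# Resource policy: deny all interfaces, then permit only the one this role may use.
# Without this block the default interface policy grants every interface.
 interface policy deny
  permit interface GigabitEthernet 1/0/1
  quit
# This role has no business with VLANs or VPN instances, so deny those resources.
 vlan policy deny
  quit
 vpn-instance policy deny
  quit
 quit
# Bind the role to a management user. Assumed: local users receive the default
# network-operator role, so remove it or the user gets the union of both roles.
local-user netops class manage
 password simple <REPLACE_WITH_STRONG_PASSWORD>
 service-type ssh
 authorization-attribute user-role qos-ge1-only
 undo authorization-attribute user-role network-operator
 quit
```

Use display role name qos-ge1-only to verify the rules and resource policies before handing the account out; a login as netops should be able to enter the GigabitEthernet 1/0/1 view and apply a QoS policy there, but not enter any other interface view.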

User role rules

User role rules permit or deny access to commands, XML elements, or MIB nodes. You can define the
following types of rules for different access control granularities:
• Command rule—Controls access to a command or a set of commands that match a regular
expression.
• Feature rule—Controls access to the commands of a feature by command type.
• Feature group rule—Controls access to the commands of features in a feature group by command
type.
• XML element rule—Controls access to XML elements used for configuring the device.
• OID rule—Controls SNMP access to a MIB node and its child nodes. An OID is a dotted numeric
string that uniquely identifies the path from the root node to a leaf node.
The commands, XML elements, and MIB nodes are controlled based on the following types:
• Read—Commands, XML elements, or MIB nodes that display configuration and maintenance
information. For example, the display commands and the dir command.