HP E4510-48G Command Reference Manual page 985

4510g series
By default, each command in a view has a specified level. For details, refer to the related part of
Basic System Configuration in this manual. Command levels fall into four categories: visit, monitor,
system, and manage, which are identified by 0 through 3. The administrator can assign a privilege level
to a user according to the user's needs. When the user logs on to a device, the commands available
depend on the user's privilege level. For example, if a user's privilege level is 3 and the command
privilege of the VTY 0 user interface is 1, and the user logs on to the system from VTY 0, the user can
use all commands of level 3 or lower.
Note that:
- You are recommended to use the default command level or modify the command level under the
  guidance of professional staff; otherwise, the change of command level may bring inconvenience
  to your maintenance and operation, or even potential security problems.
- When you configure the command-privilege command, the value of the command argument
  must be a complete form of the specified command, that is, you must enter all needed keywords
  and arguments of the command. The argument should be in the value range. For example, the
  default level of the tftp server-address { get | put | sget } source-filename [ destination-filename ]
  [ source { interface interface-type interface-number | ip source-ip-address } ] command is 3; after
  the command-privilege level 0 view shell tftp 1.1.1.1 put a.cfg command is executed, users
  with the user privilege level of 0 who log in to the device can execute the tftp
  server-address put source-filename command (such as the tftp 192.168.1.26 put syslog.txt
  command); users with the user privilege level of 0 cannot execute the command with the get, sget
  or source keyword, and cannot specify the destination-filename argument.
- When you configure the undo command-privilege view command, the value of the command
  argument can be an abbreviated form of the specified command, that is, you only need to enter
  the keywords at the beginning of the command. For example, after the undo command-privilege
  view system ftp command is executed, all commands starting with the keyword ftp (such as ftp
  server acl, ftp server enable, and ftp timeout) will be restored to the default level; if you have
  modified the command level of commands ftp server enable and ftp timeout, and you want to
  restore only the ftp server enable command to its default level, you should use the undo
  command-privilege view system ftp server command.
- If you modify the command level of a command in a specified view from the default command
  level to a lower level, remember to modify the command levels of the quit command and the
  corresponding command that is used to enter this view. For example, the default command level
  of commands interface and system-view is 2 (system level); if you want to make the interface
  command available to the users with the user privilege level of 1, you need to execute the
  following three commands: command-privilege level 1 view shell system-view,
  command-privilege level 1 view system interface gigabitethernet 1/0/1, and
  command-privilege level 1 view system quit, so that the login users with the user privilege level
  of 1 can enter system view, execute the interface gigabitethernet command, and then return to
  user view.

Examples
# Set the command level of the system-view command in user view to 3. (By default, users with the
user privilege level of 2 or 3 can use the system-view command after login; after the following
configuration, only users with the user privilege level of 3 can use this command to enter system view
and configure the device. Therefore, the device security is improved.)
<Sysname> system-view
[Sysname] command-privilege level 3 view shell system-view
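
An added example, not part of the HP manual: a Python check over a saved configuration that lists command-privilege overrides lowering a command below the default levels quoted on this page, and flags the case from the last note, where a system-view command is lowered without also lowering system-view and quit. The sample configuration is constructed, and it is an assumption that overrides appear in the saved configuration in the same form as they are entered.

```python
import re

# Facts taken from the manual page: system view is entered from user view
# ("shell") with system-view, whose default level is 2; tftp defaults to 3.
ENTRY = {"system": ("shell", "system-view", 2)}
PAGE_DEFAULTS = {("shell", "system-view"): 2, ("system", "interface"): 2,
                 ("shell", "tftp"): 3}
LINE = re.compile(r"^\s*command-privilege\s+level\s+([0-3])\s+view\s+(\S+)\s+(.+?)\s*$")

def parse_overrides(config_text):
    """Return (level, view, command) for each command-privilege line."""
    return [(int(m[1]), m[2], m[3])
            for m in map(LINE.match, config_text.splitlines()) if m]

def audit(config_text):
    """Return sorted (kind, view, command, level) findings for review."""
    overrides = parse_overrides(config_text)
    findings = set()

    def granted(view, command, level):
        # True if some override makes exactly `command` usable at `level`.
        return any(v == view and c == command and l <= level
                   for l, v, c in overrides)

    for level, view, cmd in overrides:
        default = PAGE_DEFAULTS.get((view, cmd.split()[0]))
        if default is not None and level < default:
            findings.add(("lowered", view, cmd, level))
        if view in ENTRY and cmd != "quit":
            parent, entry_cmd, entry_default = ENTRY[view]
            if level < entry_default:
                if not granted(parent, entry_cmd, level):
                    findings.add(("no-entry", parent, entry_cmd, level))
                if not granted(view, "quit", level):
                    findings.add(("no-quit", view, "quit", level))
    return sorted(findings)

# Constructed sample: interface is lowered to level 1 but system-view and quit
# are not, and one tftp form is opened to level 0 (the page's own example).
SAMPLE = """\
 command-privilege level 1 view system interface gigabitethernet 1/0/1
 command-privilege level 0 view shell tftp 1.1.1.1 put a.cfg
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "lowered" finding is a change to review against who holds that user privilege level; "no-entry" and "no-quit" mark an incomplete set of the three commands the note describes.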
