
Why telnet user with level 15 privilege cannot run some commands USG6600

Publication Date: 2015-09-25
Issue Description

On the USG6600 we configured a telnet user with level 15 privilege, but it still cannot run some commands. The configuration is as follows:

manager-user admin
  password cipher @&0Qu0qfV}D`C:G25HVA%>XOJ%@%@
  service-type web terminal telnet
  level 15
  ftp-directory hda1:

Solution

The USG6600 has a feature for controlling system administrator rights called "role". A role grants a set of rights to the administrator users bound to it; the following commands grant a role permission for the configuration modules:

Operation                                    Command
Grant permission for the dashboard module.   dashboard { none | read-only | read-write }
Grant permission for the monitor module.     monitor [ feature-name &<1-17> ] { none | read-only | read-write }
Grant permission for the network module.     network [ feature-name &<1-13> ] { none | read-only | read-write }
Grant permission for the object module.      object [ feature-name &<1-21> ] { none | read-only | read-write }
Grant permission for the policy module.      policy [ feature-name &<1-8> ] { none | read-only | read-write }
Grant permission for the system module.      system [ feature-name &<1-11> ] { none | read-only | read-write }


By default an administrator user is not bound to any role. Looking at the configuration, we find that the user "admin" is bound to a role, and that role has only read-only rights (or none at all) in several modules:

role audit-admin
 description audit-admin
 dashboard read-only
 monitor
  read-only log-traffic log-threat log-content log-url log-operation log-syslog log-user-activity log-policy-matching log-mail-filtering report traffic-map threat-map
  none session statistic statistic-acl packet-capture
  read-write diagnose
 policy
  none security nat traffic-policy auth-policy shield aspf proxy-policy quota-policy
  read-write audit-policy
 object
  none address service application user-manage time-range url-category keyword-group signature av ips data-filter file-filter app-control mail-filter url-filter authen-server geo-location certificate mail-address-group healthcheck security-group
  read-write audit-config-file
 network read-only
 system read-only
 bind manager-user admin role audit-admin

When administrator roles and administrator levels are both configured to control administrator permissions, the role takes precedence over the level: if an administrator is bound to a role, the administrator level does not take effect. For this issue, create a role with full rights to the device and bind it to the "admin" user.
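As an added example (not Huawei's code or part of the original article): a small Python checker that parses a configuration in the shape shown above and lists what a bound role leaves below read-write, which is exactly why the level-15 user is blocked. The configuration embedded in it is constructed after the audit-admin role above; the exact form of the bind line is assumed.

```python
# Added example, not Huawei's code. CONFIG is constructed after the page's audit-admin
# role (bind line form assumed); effective() shows why a bound role limits a level-15 user.
CONFIG = """\
manager-user admin
 level 15
role audit-admin
 dashboard read-only
 monitor
  read-only log-traffic log-threat report
  none session statistic packet-capture
  read-write diagnose
 policy
  none security nat traffic-policy
  read-write audit-policy
 network read-only
 system read-only
 bind manager-user admin
"""
MODULES = {"dashboard", "monitor", "network", "object", "policy", "system"}

def parse(text):
    # levels[user] -> int, bound[user] -> role, roles[role] -> {module: perm | {feature: perm}}
    levels, bound, roles, block, name, module = {}, {}, {}, None, None, None
    for raw in filter(str.strip, text.splitlines()):
        parts, indent = raw.split(), len(raw) - len(raw.lstrip(" "))
        if indent == 0:                       # "manager-user <u>" or "role <r>"
            block, name = parts[0], parts[1]
            if block == "role":
                roles[name] = {}
        elif block == "manager-user" and parts[0] == "level":
            levels[name] = int(parts[1])
        elif block == "role" and indent == 1:
            if parts[0] == "bind":            # bind manager-user <user>
                bound[parts[2]] = name
            elif parts[0] in MODULES:         # "<module> <perm>" or bare "<module>"
                module, roles[name][parts[0]] = parts[0], (parts[1] if len(parts) > 1 else {})
        elif block == "role" and indent == 2 and isinstance(roles[name].get(module), dict):
            for feature in parts[1:]:         # "<perm> <feature> <feature> ..."
                roles[name][module][feature] = parts[0]
    return levels, bound, roles

def effective(text, user):
    # A bound role overrides the level; list everything the role leaves below read-write.
    levels, bound, roles = parse(text)
    role = bound.get(user)
    limited = []
    for module, perm in (roles.get(role) or {}).items():
        feats = perm if isinstance(perm, dict) else {"": perm}
        limited += [module + ("/" + f if f else "") for f, p in feats.items() if p != "read-write"]
    return {"level": levels.get(user), "role": role, "limited": sorted(limited)}
```

Running effective(CONFIG, "admin") reports level 15, role audit-admin, and twelve restricted entries such as policy/security and network, while a user with no bound role gets an empty list because only the level applies.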
