NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring Command-Line Authorization

Command-line authorization determines whether the user has the right to run a command. Command-line authorization is classified into level authorization and task authorization.

Usage Scenario

Command-line authorization is used to implement the management and authorization for the command-line rights of users.

NOTE:
Level authorization has a higher priority than task authorization: if both level authorization and task authorization are configured for a local user, level authorization takes effect.

Pre-configuration Tasks

Before configuring command-line authorization, configure link layer protocol parameters and IP addresses for interfaces to ensure that link layer protocols on each interface are Up.

Configuration Procedures

Perform one or more of the following configurations as required.

Configuring Level Authorization

Configuring level authorization involves configuring the level authorization mode, adjusting the level of the user or command line, and configuring the user level promotion authentication mode.

Context

Configuring level authorization involves the configurations described in the following procedure.

Procedure

  • Configure the level authorization mode.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authorization-scheme authorization-scheme-name

      The authorization scheme view is displayed.

    4. Run authorization-cmd privilege-level { local | hwtacacs } *

      The level authorization mode is configured.

    5. Run commit

      The configuration is committed.

  • Adjust the level of the command line.

    For how to adjust the command line level, see Configuring Command Levels.

Configuring Task Authorization

Compared with level authorization, task authorization lets you customize user groups and task groups for the application scenario, so it provides finer and more flexible control over command rights.

Context

Configuring task authorization involves the configurations described in the following procedure.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run authorization-scheme authorization-scheme-name

    The authorization scheme view is displayed.

  4. Run authorization-cmd { local | hwtacacs } *

    The task authorization mode is configured.

  5. Run quit

    The AAA view is displayed.

  6. Run task-group task-group-name

    The task group is created, and the task group view is displayed.

  7. Run task task-name { read | write | execute | debug } *

    The specified task is added to the task group.

    By default, users have permission for specific tasks after a task group is created.

    Table 2-1 Authorizations and tasks by default

    Task           Authorization              Description
    -------------  -------------------------  -------------------------------------------------------------------------------------------------
    interface-mgr  read, write, and execute   Users with this permission can perform interface configurations.
    config         read, write, and execute   Users with this permission can enter the system view to perform configurations.
    vlan           read, write, and execute   Users with this permission can perform VLAN configurations.
    shell          read, write, and execute   Users with this permission can gain access to devices, for example, by using Telnet or quit commands.
    cli            read and execute           Users with this permission can perform basic configurations, such as using display commands.

  8. (Optional) Run rule command rule-name permit view view-name expression command-string

    A rule that permits a specific command is configured.

    This command is more granular than the task command: it applies to a single command or to a batch of commands that share the same prefix.

    In the same task group, the rule command command has a higher priority than the task command. When a rule command configuration conflicts with a task configuration, the rule command configuration takes effect.

  9. (Optional) Run include task-group task-group-name

    A specific task group is added to the current task group.

    To allow the authority of the current task group to contain the authority of another task group or the current task group to inherit the authority of an existing task group, run the include task-group command.

    If the authority of the contained task group changes, the authority of the current task group will change.

  10. Run quit

    The AAA view is displayed.

  11. Run user-group user-group-name

    The user group is created, and the user group view is displayed.

  12. Run task-group task-group-name

    The specified task group is added to the current user group.

  13. (Optional) Run include user-group user-group-name

    A specific user group is added to the current user group.

    To allow the authority of the current user group to contain the authority of another user group or the current user group to inherit the authority of an existing user group, run the include user-group command.

    The authority of a user group is determined by that of the user group it contains. If the authority of the contained user group changes, the authority of the current user group will change.

  14. (Optional) Run rule command rule-name { permit | deny } view view-name expression command-string

    A rule that permits or denies a specific command is configured.

    This command applies to a single command.

    Rules take effect in the following descending order of priority: rules configured in the user group view (including rules inherited from other user groups using the include user-group command), rules configured in the task group view (rule command), and tasks configured in the task group (task).

    If the rules configured in a user group conflict with the rules inherited from other user groups using the include user-group command, the rules configured in the user group take effect.

  15. Run quit

    The AAA view is displayed.

  16. Run local-user user-name password [ cipher password | irreversible-cipher irreversible-cipher-password ]

    A local user is created, and the password of the user is configured.

    NOTE:

    The new password is at least eight characters long and contains at least two of the following types: upper-case letters, lower-case letters, digits, and special characters.

  17. Run local-user user-name user-group user-group-name

    The local user is added to the specified user group.

  18. Run commit

    The configuration is committed.
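The precedence described in steps 8 and 14 (user-group rules, then rules inherited with include user-group, then task-group rule command entries, then task rights) is easy to get wrong when groups nest. The following is an added example, not Huawei's code, that models this decision logic; the mapping of commands to task names and the prefix-matching semantics of expression command-string are assumptions made for illustration.

```python
# Added example (not Huawei's code): models how task authorization decides
# whether a user may run a command. Assumed from the page: `expression
# command-string` matches one command or every command sharing that prefix;
# precedence, highest first: rules in the user group view, rules inherited via
# `include user-group`, `rule command` entries in the task group, `task` rights.
from dataclasses import dataclass, field

COMMAND_TASKS = {  # command -> (task name, right needed); constructed sample data
    "display interface": ("interface-mgr", "read"),
    "interface GigabitEthernet0/1/0": ("interface-mgr", "write"),
    "system-view": ("config", "execute"),
    "display version": ("cli", "read"),
}

@dataclass
class TaskGroup:
    tasks: dict = field(default_factory=dict)     # task name -> set of rights
    rules: list = field(default_factory=list)     # ("permit", command prefix)

@dataclass
class UserGroup:
    task_groups: list = field(default_factory=list)
    rules: list = field(default_factory=list)     # ("permit"|"deny", prefix)
    includes: list = field(default_factory=list)  # UserGroups added by include

def match_rules(rules, command):
    """Action of the first rule whose prefix matches the command, else None."""
    for action, prefix in rules:
        if command == prefix or command.startswith(prefix + " "):
            return action
    return None

def is_authorized(group, command):
    # Rule sources in the page's priority order; the first match decides.
    sources = [group.rules]
    sources += [inc.rules for inc in group.includes]
    sources += [tg.rules for tg in group.task_groups]
    for rules in sources:
        verdict = match_rules(rules, command)
        if verdict is not None:
            return verdict == "permit"
    # No rule matched: fall back to task rights; unmapped commands are denied.
    task, right = COMMAND_TASKS.get(command, (None, None))
    return any(right in tg.tasks.get(task, ()) for tg in group.task_groups)

def demo():
    # Constructed scenario: the operator group's own permit rule overrides the
    # deny rule it inherits from the base group; write access is never granted.
    monitor_tg = TaskGroup(tasks={"interface-mgr": {"read"}, "cli": {"read", "execute"}},
                           rules=[("permit", "display version")])
    base_ug = UserGroup(rules=[("deny", "display interface")])
    ops_ug = UserGroup(task_groups=[monitor_tg], includes=[base_ug],
                       rules=[("permit", "display interface")])
    return {cmd: is_authorized(ops_ug, cmd) for cmd in COMMAND_TASKS}
```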

Verifying the Command-line Authorization Configuration

After command-line authorization is configured, you can view the information about the task group and the user group.

Prerequisites

Related configurations of command-line authorization are complete.

Procedure

  • Run display task-group [ task-group-name ]

    Related information about the task group is displayed.

  • Run display aaa user-group [ user-group-name ]

    Related information about the user group is displayed.

Example

Run the display task-group command to view the summary of all task groups.

<HUAWEI> display task-group
------------------------------------------------------
Task-group-name                          Task-group-id
------------------------------------------------------
manage-tg                                            1
system-tg                                            2
monitor-tg                                           3
visit-tg                                             4
------------------------------------------------------
Total 4, 4 printed

Run the display aaa user-group command to view the summary of all user groups.

<HUAWEI> display aaa user-group
------------------------------------------------------
User-group-name                          User-group-id
------------------------------------------------------
manage-ug                                            1
system-ug                                            2
monitor-ug                                           3
visit-ug                                             4
------------------------------------------------------
Total 4, 4 printed
Updated: 2019-01-02

Document ID: EDOC1100055397
