How to exclude some command for user level

Created: Aug 1, 2018 13:08:29. Latest reply: Nov 6, 2018 00:00:29.
Hi

I want to create a user who can reboot the device but can't add or modify user levels. In other words, I want to create a user at level 3 and exclude some commands for him.

Thanks a lot
Ramin

StarOfWest  Visitor   Created Aug 8, 2018 19:45:54


“We only get answers to the questions that we ask.” physicist Werner Heisenberg
zChan     Created Aug 1, 2018 13:47:36

This post was last edited by zChan at 2018-08-01 13:49.

Hi Ramin, you can create a user with a lower level but add the specific commands for it. It can be realized with the command below.


command-privilege level

Function

The command-privilege level command sets a command level in a specified view.

The undo command-privilege command restores the default level.

By default, each command in each view has a default command level.

Format

command-privilege level level view view-name command-key

undo command-privilege [ level level ] view view-name command-key

Parameters

Parameter: level level
Description: Specifies a command level.
Value: The value is an integer that ranges from 0 to 15.

Parameter: view view-name
Description: Specifies a view name. You can enter a question mark (?) in the terminal GUI to obtain all view names in the command view. For example:
  • shell: user view
  • system: system view
  • vlan: VLAN view
Value: -

Parameter: command-key
Description: Specifies a command. The command must be entered manually because automatic command line completion is not supported.
Value: -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The system divides commands into levels for management. Each command in views has a specified level. The device administrator can change a command level as required so that a lower-level user can use certain high-level commands. The device administrator can also increase the command level to a larger value to improve device security.

Precautions

The rules for using this command to set the command level of a specified view are as follows:

  • When you degrade the target command, all keywords in the command are degraded.
  • When you upgrade the target command, only the last keyword in the command is upgraded.
  • When you set a level for the target command, the levels of all commands (in the same view) starting with this command are changed.
  • When you set a level for the target command, the keyword level in other commands having the same index as the keyword whose level is changed is also changed.
  • If the level of keywords that have the same index is modified multiple times, the latest configured level takes effect.

Do not change the default command level. If you need to change it, consult with professional personnel to ensure that routine operation and maintenance are not affected and security risks are avoided.

Example

# Set the privilege level of the save command to 5.
<HUAWEI> system-view
[HUAWEI] command-privilege level 5 view shell save

Ramin     Created Aug 1, 2018 14:20:09

Hi zChan
Thanks a lot for your guidance, it's useful. But I have another question: can I apply a command to a specific user rather than to a level?
For example, in level 2 I have 10 users and I want to add the specific commands for one user.
Thanks a lot
Ramin

zChan     Created Aug 1, 2018 14:45:40

Hi Ramin,

I am afraid that's not possible.
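
An audit check for the point made in this exchange, added as an example and not part of any poster's reply: because command-privilege level changes a command's level for a whole view, every local user at or above that level gains the command. The script parses a constructed sample configuration (hypothetical user names) written with the command forms shown in this thread and lists who can run each re-levelled command.

```python
import re

# Constructed sample configuration (not from a real device). It uses the
# command forms shown in this thread; the user names are hypothetical.
SAMPLE_CONFIG = """\
command-privilege level 2 view shell reboot
aaa
 local-user ops1 privilege level 2
 local-user ops2 privilege level 2
 local-user viewer privilege level 1
 local-user admintest level 3
"""

CMD_RE = re.compile(r"^\s*command-privilege level (\d+) view (\S+) (.+?)\s*$")
# Accept both "privilege level N" and the shorter "level N" form seen above.
USER_RE = re.compile(r"^\s*local-user (\S+) (?:privilege )?level (\d+)\s*$")


def parse(config):
    """Return (re-levelled commands, user -> level) found in a config text."""
    commands, users = [], {}
    for line in config.splitlines():
        m = CMD_RE.match(line)
        if m:
            commands.append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2))
    return commands, users


def exposure(config):
    """Map each re-levelled command to every local user who can now run it.

    A user may run a command when the user's level is greater than or equal
    to the command's level, so a change made for one user reaches all users
    at that level and above.
    """
    commands, users = parse(config)
    return {
        (view, cmd): sorted(u for u, lvl in users.items() if lvl >= level)
        for level, view, cmd in commands
    }


if __name__ == "__main__":
    for (view, cmd), names in exposure(SAMPLE_CONFIG).items():
        print(f"{cmd!r} in view {view}: {', '.join(names)}")
```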



Nazdak     Created Aug 2, 2018 00:00:29


<Device> system-view
[Device] dsa local-key-pair create //Set the length of the key pair to 2048.
[Device] user-interface maximum-vty 15 //Set the maximum number of VTY user interfaces to 15.
[Device] user-interface vty 0 14
[Device-ui-vty0-14] authentication-mode aaa
[Device-ui-vty0-14] protocol inbound ssh
[Device-ui-vty0-14] quit
[Device] aaa
[Device-aaa] local-user sshuser password irreversible-cipher Changeme123 //Set the user name to sshuser, which must be the same as User name on eSight. Set the password to Changeme123, which must be the same as Password on eSight.
[Device-aaa] local-user sshuser service-type ssh
[Device-aaa] local-user sshuser privilege level 15 //Set the STelnet permission of the user to the highest level 15. You are advised to set the STelnet permission based on actual needs.
[Device-aaa] quit
[Device] ssh user sshuser authentication-type password
[Device] stelnet server enable
[Device] ssh user sshuser service-type stelnet
[Device] quit
<Device> save

Fernandoizsa  Visitor   Created Aug 27, 2018 22:19:34

I suggest following the next example configuration:

aaa
local-user admintest password irreversible-cipher $1c$DUBDU/-M<.$6CJ.0WXVN&|cCTJ/T'SBG"v*~f90aELV%DN#C!/.$
local-user admintest service-type terminal telnet ssh
local-user admintest level 3

Nazdak     Created Nov 6, 2018 00:00:12

You cannot add or modify a user because the privileges or levels of your account are low. I recommend you enter with a level 15 user so you can make changes.