Relationship between user permissions and command levels on AR routers


The system grants users different access permissions and assigns commands different levels so that the AR router can limit what each user can access and do. User levels correspond to command levels: users can use only commands whose level is the same as or lower than their own level. By default, there are four command levels 0 to 3 and 16 user levels 0 to 15. The table shows the relationship between command levels and user levels.

Other related questions:
How to set the command level in the specified view
The procedure for setting the command level in the specified view is as follows:
Command format:
command-privilege level <level> view <view-name> <command-key>
To adjust the command level, see the following examples:
Example 1: Set the level of the save command to 5.
[Huawei] command-privilege level 5 view user save
Example 2: Change the command that displays the configuration file to a lower-level command.
[Huawei] command-privilege level 2 view system display current-configuration
The system assigns commands to different levels, and each command in each view has a specified level. The administrator can change the command level based on user requirements, either to enable a lower-level user to use some high-level commands or to raise the command level to improve device security. It is recommended that the default command levels not be changed without permission.

Description of user levels on AR routers
You can configure different user levels to control the access rights of different users and improve device security. There are 16 user levels numbered from 0 to 15, in ascending order of priority. User levels on AR routers are as follows:
- Visit level (level 0): used for network diagnosis and access to external devices, with commands such as ping, tracert, and Telnet.
- Monitoring level (level 1): used for system maintenance, including display commands and other commands. Some display commands are unavailable at this level. For example, the display current-configuration and display saved-configuration commands are level-3 management commands.
- Configuration level (level 2): service configuration commands.
- Management level (levels 3 to 15): used to control basic system operations, including system file, FTP/TFTP download, user management, command level setting, and debugging commands.
User levels correspond to command levels. Users can use only commands whose level is the same as or lower than their own level. By default, users logging in from the console port can run level 15 commands. For all other login modes, the default user level is 0 (visit level); that is, after logging in to a device, the user can run only level-0 commands, including ping, tracert, and other commands for network diagnosis.

How to configure a user level on an AR router
Methods of configuring user levels vary with specific scenarios (command lines):
- Configure a user level for a user.
[Huawei] aaa
[Huawei-aaa] local-user user1 privilege level 15  //Set the user level of user1 to 15.
-  Configure a user level for all users under a domain.
[Huawei] aaa
[Huawei-aaa] service-scheme sch1
[Huawei-aaa-service-sch1] admin-user privilege level 15  //Set the user level of all users under a domain to 15.  
- Configure a user level for all users who log in through a user interface (take the VTY view as an example).
[Huawei] user-interface maximum-vty 15
[Huawei] user-interface vty 0 14
[Huawei-ui-vty0-14] user privilege level 15  //Set the user level in the VTY 0 to VTY 14 views to 15.
The preceding command is also used to modify a user level. Each run overwrites the previous result, so if the command is run multiple times, the last setting takes effect.
If the user level configured on a user interface conflicts with the corresponding operation permission of a user, the operation permission prevails.

Configure a user level in web mode.
1.  Choose User Management > User Management.
2.  Click an icon of a desired local user from the user list.
3.  Enter corresponding content.
  a.  The super administrator enters Access level in order to modify the access level of other users.
  b.  To change Access level from the common user to the administrator (common administrator, enterprise administrator, or super administrator), enter New password and confirm Confirm password.

Which commands determine the user level
If the authentication mode of the user is non-authentication, the user level is specified by the user privilege command in VTY mode.

How many user levels does an AR router support
An AR router supports user levels 0-15. The value 0 indicates the visit level, value 1 indicates the user level, value 2 indicates the configuration level, values 3 to 15 indicate the management level.
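
The following is an added example, not Huawei's code or part of the original page: a Python audit of a saved configuration that flags management-level (3 to 15) local users, service schemes and VTY interfaces, plus any command-privilege line that lowers a command below the default level stated on this page. The sample configuration is constructed, `authentication-mode none` is assumed to be the CLI form of the non-authentication mode, and the finding names are hypothetical.

```python
import re

# Defaults stated on the page: both commands are level-3 management commands.
PAGE_DEFAULTS = {"display current-configuration": 3, "display saved-configuration": 3}

# Constructed sample in saved-configuration style (no prompts), not from a real device.
# "authentication-mode none" is an assumed spelling of the non-authentication mode.
SAMPLE_CONFIG = """\
command-privilege level 2 view system display current-configuration
command-privilege level 5 view user save
aaa
 local-user user1 privilege level 15
 local-user guest privilege level 1
 service-scheme sch1
  admin-user privilege level 15
user-interface vty 0 14
 authentication-mode none
 user privilege level 15
"""

def audit(config):
    """Return (kind, subject, level) findings; levels 3-15 are the management level."""
    found = []
    for chunk in re.split(r"\n(?=\S)", config.strip()):   # one chunk per top-level block
        block = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        head, scheme = block[0], None
        if m := re.fullmatch(r"command-privilege level (\d+) view (\S+) (.+)", head):
            if int(m[1]) < PAGE_DEFAULTS.get(m[3], 0):    # command opened to lower user levels
                found.append(("command-lowered", m[3], int(m[1])))
        for line in block[1:] if head == "aaa" else []:
            if m := re.fullmatch(r"service-scheme (\S+)", line):
                scheme = m[1]
            elif (m := re.fullmatch(r"local-user (\S+) privilege level (\d+)", line)) and int(m[2]) >= 3:
                found.append(("management-user", m[1], int(m[2])))
            elif (m := re.fullmatch(r"admin-user privilege level (\d+)", line)) and int(m[1]) >= 3:
                found.append(("management-scheme", scheme, int(m[1])))
        if head.startswith("user-interface vty"):
            levels = [int(ln.rsplit(" ", 1)[1]) for ln in block if ln.startswith("user privilege level ")]
            level = levels[-1] if levels else 0   # last setting prevails; non-console default is 0
            if level >= 3:
                kind = "vty-noauth-management" if "authentication-mode none" in block else "vty-management"
                found.append((kind, head, level))
    return found

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A `vty-noauth-management` finding is the case described under "Which commands determine the user level": with no authentication, the VTY `user privilege level` alone decides what every remote login can run.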
