admin-user privilege level

Function

The admin-user privilege level command configures a user as an administrator to log in to the device and sets the user privilege level.

The undo admin-user privilege level command cancels the default user privilege level.

By default, the user privilege level is not specified.

Format

admin-user privilege level level

undo admin-user privilege level

Parameters

| Parameter | Description | Value |
|-----------|-------------|-------|
| level | Specifies a user privilege level. A larger value indicates a higher user privilege level. After logging in to the device, a user can run only the commands at the same or lower privilege levels. | The value is an integer that ranges from 0 to 15. |

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The device provides hierarchical management of commands. A command has a privilege level, and a user can run only the commands at the same or lower privilege levels. By using the admin-user privilege level command to set the user privilege level, the device controls commands used by users.

By default, commands are classified into the following privilege levels:
  • Level 0 (visit level): Commands at level 0 include diagnosis commands such as ping and tracert commands and commands that are used to access a remote device such as the Telnet client. Commands at level 0 cannot be used to save configuration files.
  • Level 1 (monitoring level): Commands at level 1 are used for system maintenance, including display commands. Commands at level 1 cannot be used to save configuration files.
  • Level 2 (configuration level): Commands at level 2 are used for service configuration, including routing commands and commands at each network layer to provide network services for users.
  • Level 3 (management level): Commands at level 3 are used for basic operations of the system to support services, including file system, FTP, Trivial File Transfer Protocol (TFTP), configuration file switching commands, slave board control commands, user management commands, command level configuration commands, and debugging commands.

For finer-grained user management, you can extend command privilege levels to the range 0 to 15. Run the command-privilege level command to upgrade command privilege levels in a batch, or run the command-privilege level rearrange command to increase privilege levels.

  • If non-authentication is used, the administrator privilege level is specified using the user privilege command in the VTY interface view.
  • If local authentication is used, the user privilege level of the administrator is the local user privilege level configured using the local-user privilege level command.
  • If remote authentication is performed, the administrator privilege level can be set in the following ways, in descending order of priority:
    1. Using the user privilege level sent by an authentication server to the device after authentication has succeeded
    2. Running the admin-user privilege level command to set the administrator privilege level in a service scheme
    3. Running the user privilege command to set the user privilege level in VTY mode
  • If both remote authentication and local authentication are configured and remote authentication is performed before local authentication, the administrator privilege level is that used in remote authentication. If local authentication is performed because the remote server does not respond, the administrator privilege level is the local user privilege level configured using the local-user privilege level command.
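The precedence rules above can be checked offline when auditing a configuration. The following is an added example, not Huawei code: the function names, the mode strings and the sample values are hypothetical, and a level of None stands for "not configured".

```python
from typing import NamedTuple, Optional

class Resolved(NamedTuple):
    level: Optional[int]   # None: no source on the list supplied a level
    source: str

def _first_set(candidates):
    """Return the first (level, source) pair whose level is configured."""
    for level, source in candidates:
        if level is not None:
            if not 0 <= level <= 15:
                raise ValueError(f"{source}: level {level} outside 0-15")
            return Resolved(level, source)
    return Resolved(None, "unspecified")

def resolve_admin_level(mode, *, server=None, scheme=None, vty=None,
                        local=None, remote_responded=True):
    """mode: 'none', 'local', 'remote' or 'remote-local' (remote first, then local).
    remote_responded only matters for 'remote-local'."""
    if mode == "none":
        return _first_set([(vty, "user privilege (VTY)")])
    if mode == "local":
        return _first_set([(local, "local-user privilege level")])
    if mode == "remote-local" and not remote_responded:
        return _first_set([(local, "local-user privilege level")])
    if mode in ("remote", "remote-local"):
        # Descending priority, as listed for remote authentication.
        return _first_set([
            (server, "authentication server"),
            (scheme, "admin-user privilege level (service scheme)"),
            (vty, "user privilege (VTY)"),
        ])
    raise ValueError(f"unknown mode: {mode}")

def fallback_raises_level(**cfg):
    """True when a silent remote server leaves the administrator at a higher
    level than the remote path would have granted."""
    up = resolve_admin_level("remote-local", remote_responded=True, **cfg)
    down = resolve_admin_level("remote-local", remote_responded=False, **cfg)
    return down.level is not None and (up.level is None or down.level > up.level)

if __name__ == "__main__":
    # Constructed settings: server sends 1, service scheme says 15, local user has 15.
    cfg = dict(server=1, scheme=15, vty=3, local=15)
    print(resolve_admin_level("remote", **cfg))
    print(resolve_admin_level("remote-local", remote_responded=False, **cfg))
    print("fallback raises level:", fallback_raises_level(**cfg))
```

A True result from fallback_raises_level marks a configuration where an unreachable authentication server leaves the administrator at a higher level than the server would have assigned.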

The device can update the configuration in a domain dynamically. After a service scheme is applied to a domain, you can directly modify the user privilege level in the service scheme but cannot unbind the service scheme from the domain. To delete the service scheme, run the undo service-scheme (AAA domain view) command.

Follow-up Procedure

Run the display service-scheme command to view the user privilege level in a service scheme.

Example

# Configure a user as an administrator to log in to the device and set the administrator privilege level to 15.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme svcscheme1
[HUAWEI-aaa-service-svcscheme1] admin-user privilege level 15
Copyright © Huawei Technologies Co., Ltd.