The authorization-cmd command configures command-specific authorization for an administrator of a specific level. After command-specific authorization is enabled and an administrator of a specific level logs in to the device, the commands that the administrator enters can be executed only after being authorized by the HWTACACS server.
The undo authorization-cmd command disables command-specific authorization for an administrator of a specific level.
By default, command-specific authorization is disabled. That is, an administrator of any level can execute only commands at or below that level after logging in to the device.
authorization-cmd privilege-level hwtacacs [ local ] [ none ]
undo authorization-cmd privilege-level
Parameter | Description | Value |
---|---|---|
privilege-level | Specifies the administrator level. | The value is an integer that ranges from 0 to 15. |
hwtacacs | Indicates HWTACACS authorization. | - |
local | Indicates local authorization. | - |
none | Indicates that command line authorization is directly performed for a user if the HWTACACS server does not respond to the authorization request of the user. | - |
Usage Scenario
After being authorized, the users at a certain level can run the commands of the same or lower levels. Command line authorization can be configured to implement minimum user rights control. When command line authorization is enabled, each command entered by users can be executed only after being authorized. After command line authorization is enabled for users at a certain level, the commands run by the users at that level must be authorized by an HWTACACS server.
Precautions
You are advised to configure local authorization as a backup for command line authorization. If command line authorization cannot be performed because of a failure on an HWTACACS server, the device starts local authorization.
After the authorization-cmd command is executed, command line authorization does not take effect immediately. Command line authorization takes effect only when an authorization scheme containing command line authorization is correctly applied to the administrator view.
After an authorization scheme containing command line authorization is applied to the administrator view, if you run the undo authorization-cmd command, an online administrator at a certain level cannot run any commands except for the quit command. The administrator needs to log in again.
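The following is an added example, not part of the original reference and not vendor tooling: a Python check that reads saved configuration text and reports authorization-cmd lines that lack the local backup advised in the Precautions, use the none keyword, or fall outside the 0 to 15 level range. The sample lines, the function name and the finding codes are constructed for illustration.

```python
import re

# Syntax from the page: authorization-cmd privilege-level hwtacacs [ local ] [ none ]
CMD_RE = re.compile(r"^authorization-cmd\s+(\d+)\s+hwtacacs(\s+local)?(\s+none)?$")

# Constructed sample lines (not taken from a real device).
SAMPLE_CONFIG = """\
 authorization-cmd 15 hwtacacs local
 authorization-cmd 3 hwtacacs none
 authorization-cmd 1 hwtacacs
 authorization-cmd 16 hwtacacs local
"""

def audit_authorization_cmd(config_text):
    """Return (levels, findings, uncovered) for authorization-cmd lines.

    levels    -- {privilege level: [fallback keywords after hwtacacs]}
    findings  -- [(line number, level or None, finding code)]
    uncovered -- levels 0-15 with no authorization-cmd line (the default state)
    """
    levels, findings = {}, []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("authorization-cmd"):
            continue  # other commands, including "undo authorization-cmd"
        m = CMD_RE.match(line)
        if not m:
            findings.append((lineno, None, "unparsed"))
            continue
        level = int(m.group(1))
        if not 0 <= level <= 15:  # value range given in the parameter table
            findings.append((lineno, level, "level-out-of-range"))
            continue
        fallbacks = [g.strip() for g in m.groups()[1:] if g]
        levels[level] = fallbacks
        if "local" not in fallbacks:
            # The Precautions advise local authorization as a backup.
            findings.append((lineno, level, "no-local-backup"))
        if "none" in fallbacks:
            # Fallback used when the HWTACACS server does not respond.
            findings.append((lineno, level, "none-fallback"))
    uncovered = [lvl for lvl in range(16) if lvl not in levels]
    return levels, findings, uncovered

if __name__ == "__main__":
    for finding in audit_authorization_cmd(SAMPLE_CONFIG)[1]:
        print(finding)
```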