Examples for Configuring User Group Authorization

On a live network, user group authorization allows, for example, the user group network in the huawei domain to manage the routing module and the user group service to manage the service module.

Networking Requirements

As shown in Figure 1, two administrators (Admin A and Admin B) manage the device at the same time. To standardize operations, Admin A is required to manage the routing module, and Admin B is required to manage the MPLS module. Neither administrator has the right to operate the other's module.

Figure 1 Networking of user group authorization

Precautions

When configuring user group authorization, note the following points:

  • Admin A and Admin B must belong to different user groups.

  • The user groups to which Admin A and Admin B belong must not overlap in their routing and MPLS rights.

Configuration Roadmap

Configure user group authorization as follows:

  1. Configure the task group and add tasks of the corresponding module.

  2. Configure the user group and add the corresponding task groups.

  3. Configure the user and specify the user group of the user.

Data Preparation

To complete the configuration, you need the following data:

  • Task group name

  • User group name

  • Domain name

Procedure

  1. Configure task groups.

    # Configure the task group of the routing module.

    <Device> system-view
    [~Device] aaa
    [~Device-aaa] task-group route
    [*Device-aaa-task-group-route] task ospf read write
    [*Device-aaa-task-group-route] task isis read write
    [*Device-aaa-task-group-route] task bgp read write
    [*Device-aaa-task-group-route] commit
    [~Device-aaa-task-group-route] quit

    # Configure the task group of the MPLS module.

    [~Device-aaa] task-group mpls
    [*Device-aaa-task-group-mpls] task mpls-base read write
    [*Device-aaa-task-group-mpls] task mpls-ldp read write
    [*Device-aaa-task-group-mpls] task mpls-te read write
    [*Device-aaa-task-group-mpls] commit
    [~Device-aaa-task-group-mpls] quit

  2. Configure user groups.

    # Configure the user group groupA.

    [~Device-aaa] user-group groupA
    [*Device-aaa-user-group-groupa] task-group route
    [*Device-aaa-user-group-groupa] commit
    [~Device-aaa-user-group-groupa] quit

    # Configure the user group groupB.

    [~Device-aaa] user-group groupB
    [*Device-aaa-user-group-groupb] task-group mpls
    [*Device-aaa-user-group-groupb] commit
    [~Device-aaa-user-group-groupb] quit

  3. Configure users.

    # Configure adminA.

    [~Device-aaa] local-user adminA password cipher Huawei-123
    [*Device-aaa] local-user adminA user-group groupA
    [*Device-aaa] commit
    

    # Configure adminB.

    [~Device-aaa] local-user adminB password cipher Huawei-456
    [*Device-aaa] local-user adminB user-group groupB
    [*Device-aaa] commit

  4. Verify the configuration.

    After the preceding configurations are complete, run the display task-group [ task-group-name ] command to check the task group information.

    <Device> display task-group route
    -----------------------------------------------------------
    Task group name     : route
    -----------------------------------------------------------
    
    Task authorization
    -----------------------------------------------------------
    TaskName                          Authorization            
    -----------------------------------------------------------
    ospf                              read write               
    bgp                               read write               
    interface-mgr                     read write execute       
    config                            read write execute       
    vlan                              read write execute       
    isis                              read write               
    shell                             read write execute       
    cli                               read execute             
    -----------------------------------------------------------
    Total 8, 8 printed

Configuration Files

#
diffserv domain default
#
admin
#
user-interface con 0
#
 aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 task-group route
  task ospf read write
  task bgp read write
  task isis read write
 #
 task-group mpls
  task mpls-base read write
  task mpls-ldp read write
  task mpls-te read write
 #
 user-group groupa
  task-group route
 #
 user-group groupb
  task-group mpls
 #
 domain default
 local-user admina password cipher %^%#pPgn;|W90$J72.Ak$Y,IQ:gqIfPBTLjqW%,N`M_~%^%#
 local-user admina user-group groupa
 local-user adminb password cipher %^%#pPgn4@^7&QB*OY_,UMTLjqW%D0PV(YTLjqW%O1!!%^%#
 local-user adminb user-group groupb
 #
 task defaultTask1
 #
 task defaultTask2
return  
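
The Precautions require that the two administrators' user groups do not overlap in rights. The following Python check is an added example, not part of the original page or of Huawei's tooling: it parses the task-group, user-group and local-user lines of a saved configuration and reports any task that two users can both operate. The function names and the embedded sample (the aaa section above with the password lines left out) are constructed for this example.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample: aaa section of the configuration file above, password lines omitted.
SAMPLE = """\
 task-group route
  task ospf read write
  task bgp read write
  task isis read write
 #
 task-group mpls
  task mpls-base read write
  task mpls-ldp read write
  task mpls-te read write
 #
 user-group groupa
  task-group route
 #
 user-group groupb
  task-group mpls
 #
 domain default
 local-user admina user-group groupa
 local-user adminb user-group groupb
"""

def parse_aaa(text):
    """Return (task_groups, user_groups, users) parsed from an aaa config section."""
    tgs, ugs, users, ctx = defaultdict(set), defaultdict(set), {}, None
    for line in map(str.strip, text.splitlines()):
        if line in ("", "#"):
            ctx = None  # '#' closes the current block
        elif m := re.fullmatch(r"local-user (\S+) user-group (\S+)", line):
            users[m[1]] = m[2]
        elif ctx and ctx[0] == "user" and (m := re.fullmatch(r"task-group (\S+)", line)):
            ugs[ctx[1]].add(m[1])  # task group bound to the current user group
        elif m := re.fullmatch(r"(task|user)-group (\S+)", line):
            ctx = (m[1], m[2])  # start of a task-group or user-group block
        elif ctx and ctx[0] == "task" and (m := re.fullmatch(r"task (\S+) .+", line)):
            tgs[ctx[1]].add(m[1])  # task listed in the current task group
    return tgs, ugs, users

def shared_tasks(text):
    """Map each user pair to the tasks both can operate; an empty dict means separated."""
    tgs, ugs, users = parse_aaa(text)
    reach = {u: set().union(*(tgs[t] for t in ugs[g])) for u, g in users.items()}
    return {(a, b): reach[a] & reach[b]
            for a, b in combinations(sorted(reach), 2) if reach[a] & reach[b]}
```

The check covers only tasks listed explicitly in the configuration file; tasks that appear in the display task-group output but not in the file (such as interface-mgr or shell) are outside its scope.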
Copyright © Huawei Technologies Co., Ltd.