Use this command to configure access control profiles for administrators.
If you have configured RADIUS queries for authenticating administrators, you can override the locally-selected access profile by using a RADIUS VSA. For details, see system admin.
Access profiles determine administrator accounts’ permissions.
When an administrator has only read access to a feature, the administrator can access the web UI page for that feature and can use the show CLI command for that feature, but cannot make changes to the configuration. There are no Create or Apply buttons, or config CLI commands. Lists display only the View icon instead of icons for Edit, Delete or other modification commands. Write access is required for modification of any kind.
In larger companies where multiple administrators divide the work, access profiles often reflect the specific job that each administrator does (“role”), such as user account creation or log auditing. Access profiles can limit each administrator account to their assigned role. This is sometimes called role-based access control (RBAC).
The prof_admin access profile, a special access profile assigned to the admin administrator account and required by it, does not appear in the list of access profiles. It exists by default and cannot be changed or deleted, and consists of essentially UNIX
If you create more administrator accounts, whether to harden security or simply to prevent accidental modification, create other access profiles with the minimal degrees and areas of access that each role requires. Then assign each administrator account the appropriate role-based access profile.
For example, for a person whose only role is to audit the log messages, you might make an access profile named auditor that only has Read permissions to the Log & Report area.
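The auditor profile described above, written out as CLI configuration and then assigned to an administrator account. This is an added example, not configuration from the original page: the account name auditor1 and the password placeholder are assumptions, and the keyword used to attach the profile to the account (accprofile) is assumed from the system admin command and should be checked against that command's reference before use.

```fortios
# Added example (not from the original page): a read-only log auditor profile.
# Only the Log & Report group is granted, and only with r (read), so the
# account can view logs and reports but cannot change anything. Every other
# group is left unset, which denies access to that area.
# Do NOT grant rw here: write access on the log area would let the auditor
# modify or delete the very audit trail the role exists to review.
config system accprofile
  edit "auditor"
    set loggrp r
  next
end

# Attach the profile to a dedicated administrator account.
# The account name and password are assumptions; the attribute name
# (accprofile) is assumed from the system admin command and must be verified.
config system admin
  edit "auditor1"
    set accprofile "auditor"
    set password "<strong-password>"
  next
end
```

After applying it, log in as auditor1 and confirm that the Log & Report pages open but show only the View icon, and that the corresponding show command works while config is rejected; that is the behaviour a read-only profile is expected to produce.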
For information on how each access control area correlates to which CLI commands administrators can access, see Permissions.
To use this command, your administrator account’s access control profile must have both w permissions to items in the
config system accprofile
This example configures an administrator access profile named full_access, which permits both read and write access to all special operations and parts of the configuration.
Even though this access profile configures full access, administrator accounts using this access profile will not be fully equivalent to the admin administrator. The admin administrator has some special privileges that are inherent in that account and cannot be granted through an access profile, such as the ability to reset other administrators’ passwords without knowing their current password. Other accounts should therefore not be considered a substitute, even if they are granted full access.
config system accprofile
  edit "full_access"
    # rw grants both read and write access to each area
    set admingrp rw
    set authusergrp rw
    set loggrp rw
    set mlgrp rw
    set mntgrp rw
    set netgrp rw
    set sysgrp rw
    set traroutegrp rw
    set wadgrp rw
    set webgrp rw
    set wvsgrp rw
  next
end