Role-based Access Control (RBAC) is a method of restricting access to part of the configuration to authorized users. RBAC allows an administrator to define the rules for a group of users that restrict which commands users of that group are allowed to run.
RBAC is performed by first creating a group assigned to the Access Control Management (ACM) rule set, adding a user to the group, creating a rule set to match the group to the paths in the system, then configuring the system to allow or deny those paths that are applied to the group.
- Operator—Allowed to execute commands that are defined in the Vyatta CLI. Not allowed to into config mode.
- Administrator—Allowed to execute arbitrary Linux commands in addition to commands that are defined by the Vyatta CLI and to enter configuration mode.
- Superuser—Allowed to execute commands with root privileges through the sudo command in addition to having administrator class privileges.
By default, all users that are defined to be in the superuser or the administrator class belong to a common group called vyattacfg. This group allows a rule set to be defined that pertains to both the superuser and administrator classes without defining two group matches. The operator class users belong to the vyattaop group.
vRouter allows a superuser to create new groups based on your requirements. Ciena recommends creating a group with the highest level of privileges, called a security group. A superuser can set rules so that only members of the security group are allowed to modify the ACM and login information. This prevents administrators from inadvertently compromising the system image or the ACM list.