authorization command
Use authorization command to specify command authorization methods.
Use undo authorization command to restore the default.
Syntax
In non-FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }
undo authorization command
In FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local }
undo authorization command
Default
The default authorization methods of the ISP domain are used for command authorization.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. The authorization server does not verify whether the entered commands are permitted by the user role. The commands are executed successfully if the user role has permission to the commands.
Usage guidelines
Command authorization restricts login users to execute only authorized commands by employing an authorization server to verify whether each entered command is permitted.
When local command authorization is configured, the device compares each entered command with the user's configuration on the device. The command is executed only when it is permitted by the user's authorized user roles.
The commands that can be executed are controlled by both the access permission of user roles and command authorization of the authorization server. Access permission only controls whether the authorized user roles have access to the entered commands, but it does not control whether the user roles have obtained authorization to these commands. If a command is permitted by the access permission but denied by command authorization, this command cannot be executed.
You can specify one primary command authorization method and multiple backup command authorization methods.
When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies the default HWTACACS authorization method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid.
Examples
# In ISP domain test, configure the device to perform local command authorization.
<Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization command local
# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup.
<Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization command hwtacacs-scheme hwtac local
Related commands
command authorization (Fundamentals Command Reference)
hwtacacs scheme
local-user