As you already know you can assign a different privilege level for each user, configured on a Huawei device. How to configure local user and how to access Huawei device you can read in one of my previous posts.
user privilege level
Today I want to focus on the privilege level of local user. Each year lots of accidents in IP networks are caused by inexperienced employees. We can decrease the number of such accidents setting privilege level for local users, logging into network devices. Setting a lower privilege level for such employees increases networks’ safety. For more experienced engineers we can either configure higher privilege level or set a super password, to let them to perform advanced operation.
Let’s assume that we have created a local user with the lowest priority:
# local-user labnario password cipher &EU15O"Q3/;Q=^Q`MAF4<1!! local-user labnario service-type telnet local-user labnario level 0 #
After you are logged as user “labnario” and putting a question mark you can see all commands available in level 0:
<CX600>? User view commands: cluster Run cluster command display Display LPUF-10 work-mode hwtacacs-user HWTACACS user language-mode Specify the language environment local-user Local user ping Ping function quit Exit from current command view return Exit to user view save Save file super Privilege current user a specified priority level telnet Establish a Telnet connection trace Trace route (switch) to host on Data Link Layer tracert Trace route to host
As this is the lowest privilege level we cannot even display current-configuration and interfaces’ statistics:
<CX600>display current-configuration ^ Error: Unrecognized command found at '^' position. <CX600>display interface GigabitEthernet7/0/0 ^ Error: Unrecognized command found at '^' position.
command privilege level
But we can assign additional commands to this level in advance, as needed:
# command-privilege level 0 view shell display current-configuration command-privilege level 0 view system display current-configuration command-privilege level 0 view shell display interface GigabitEthernet7/0/0 #
Now it is possible to display current-configuration and statistics of GE7/0/0:
<CX600>display ? current-configuration Current configuration interface Status and configuration information for the interface
super password and switching user levels
Let’s come back to super password. What we want to do is to the set super password, in advance, for privilege level 15:
[CX600]super password level 15 cipher &EU15O"Q3/;Q=^Q`MAF4<1!!
And now if you are logged as level 0 user, you can switch to level 15. If you want to recall about a level’s arrangement on Huawei devices you can read huawei cli introduction.
<CX600>super 15 Password: Now user privilege is 15 level, and only those commands whose level is equal to or less than this level can be used. Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
Now you have full rights to configure and manage this device.
locking user terminal
Remember to lock your current user terminal interface if you are away of your desk. It prevents your device against unauthorized users operations on the current terminal interface:
<CX600>lock Enter Password: Confirm Password: Info: The terminal is locked. Enter Password: <CX600>