Skip to content

Permissions

Jonathan Stout edited this page Mar 23, 2018 · 15 revisions

Commands

The user_type attribute on the command tag may be used to limit or expand the scope of command permissions.

  • admin (default) - Only members of the admin workgroup may execute the command.
  • owner - Command is limited to workgroups who own the interface or created the VLAN.
  • user - Command may be run by anyone.
<command method_name='show_interface' name='show interface' type='show' user_type='owner' interaction='cli'>
  <cmd>show interface [% port %]</cmd>
</command>

VLANs

Modifying a VLAN requires the workgroup have VLAN access on each interface that is added or removed. The admin workgroup may modify the VLAN to include any interfaces.

Deletion of VLANs is restricted to the admin workgroup and the workgroup that created the VLAN.

Admins

Members of the admin workgroup may add, modify, or delete all VLANs on all interfaces.

As an administrator, it's possible to provision a VLAN in another workgroup's VLAN range. When this happens the VLAN may be modified by both workgroup and administrator, however only administrators may delete it.

Interface owners

A workgroup may add, modify, or delete all VLANs on interfaces it owns. In order to delete an entire VLAN, the workgroup must own all associated interfaces.

As an interface owner, it's possible to provision a VLAN in another workgroup's VLAN range. When this happens the VLAN may be modified by both workgroup and owner.

Other users

Users that are not admins or port owners will be restricted to creating or modifying VLANs within the ranges they have been granted access.

Clone this wiki locally