
Managing Users and Roles

On the SACG, the SACG authentication system automatically implements most operations of managing users and roles. The SACG, however, also provides the functions of managing users and roles manually or forcibly to meet certain special requirements.

Context

A role is a concept defined by the SACG authentication solution. Each role has its own members and permission range. After authentication, the SACG authentication system classifies access terminals into roles according to the defined policy, generates the ACLs that control the access range of the users in each role, and delivers these ACLs to the SACG. The SACG then enforces access control on the terminals according to this information.

One user can possess multiple roles. That is, the user can obtain all permissions defined for these roles. For the details on users and roles, see Introduction to the Working Principle of the SACG.

Procedure

  1. In the user view, access the system view.

    system-view

  2. View the synchronized information about roles.

    display right-manager role-info

    [sysname] display right-manager role-info
    All Role count:10
     Role    ID              ACL number               Role name
    --------------------------------------------------------------------
     Role     0              3099                     default
     Role     1              3100                     BaseResGroup
     Role     2              3101                     kk2
     Role     3              3102                     kk3
     Role     4              3103                     kk4
    --------------------------------------------------------------------
     Role     5              3104                     kk5
     Role     6              3105                     kk6
     Role     7              3106                     kk7
     Role     8              3107                     kk8
     Role     9              3108                     kk9
    -------------------------------------------------------------------

    The preceding output shows the 10 user roles currently synchronized to the SACG and their corresponding ACL numbers.

  3. View current online users.

    display right-manager online-users

    [sysname] display right-manager online-users
      User name      : test1
      Ip address     : 10.10.10.10 
      ServerIp       : 10.1.1.2
      Login time     : 16:27:23 2010/07/06 ( Hour:Minute:Second Year/Month/Day)
    ----------------------------------------- 
      Role id      Role name
         1         DefaultPermit
         4         FtpServerD
         6         HttpServerD
       255         PermitBase
    -----------------------------------------    

    The preceding output shows the information about the currently online user test1.

  4. Access the SACG configuration view.

    right-manager server-group

    The main configurations of interworking with the Agile Controller are completed in this view.

  5. Manage roles and users.
    • Configure a special user that obtains the access permissions of the specified roles without being authenticated by the Agile Controller server.

      right-manager user user-name user-name ip ip-address roles { role-id role-id &<1-16> | role-name role-name &<1-16> }

      To ensure security, user-name and ip must be configured together: only a special user that logs in from the specified IP address obtains the corresponding permissions. Up to 16 user roles can be configured for each special user, and the special user obtains all the permissions of these roles.

    • Force illegitimate users to log out.

      cut access-user { all | ip ip-address | user-name user-name }

      If you find that an illegitimate user has gone online while the device is running, run this command to force that user to log out. The user-name must match the User name shown in the output of the display right-manager online-users command.
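    When auditing online users, it helps to see which ACLs actually govern each session (a role maps to an ACL number, as the role-info output shows) and whether a session holds a role ID that has no synchronized ACL. The following Python is an added example, not Huawei's code: it parses output modelled on the two display commands above and joins them; the sample output strings are constructed for this illustration.

```python
import re

# Constructed sample modelled on the "display right-manager role-info" output
ROLE_INFO = """\
 Role    ID              ACL number               Role name
--------------------------------------------------------------------
 Role     0              3099                     default
 Role     1              3100                     BaseResGroup
 Role     4              3103                     FtpServerD
--------------------------------------------------------------------
"""
# Constructed sample modelled on the "display right-manager online-users" output
ONLINE_USERS = """\
  User name      : test1
  Ip address     : 10.10.10.10
-----------------------------------------
  Role id      Role name
     1         BaseResGroup
     4         FtpServerD
-----------------------------------------
  User name      : test2
  Ip address     : 10.10.10.11
-----------------------------------------
  Role id      Role name
     1         BaseResGroup
   255         PermitBase
-----------------------------------------
"""

def parse_role_info(text):
    """Map role ID -> ACL number from the 'Role <id> <acl> <name>' table rows."""
    rows = re.findall(r"^\s*Role\s+(\d+)\s+(\d+)\s+\S+\s*$", text, re.M)
    return {int(rid): int(acl) for rid, acl in rows}

def parse_online_users(text):
    """One record per session: user name, IP address and the role IDs it holds."""
    sessions = []
    for line in text.splitlines():
        if m := re.match(r"^\s*User name\s*:\s*(\S+)", line):
            sessions.append({"user": m.group(1), "ip": None, "roles": []})
        elif m := re.match(r"^\s*Ip address\s*:\s*(\S+)", line):
            sessions[-1]["ip"] = m.group(1)
        elif m := re.match(r"^\s*(\d+)\s+\S+\s*$", line):  # "<role id> <role name>" rows
            sessions[-1]["roles"].append(int(m.group(1)))
    return sessions

def audit(role_info_text, online_text):
    """Per session: ACLs in force, plus role IDs with no synchronized ACL."""
    acl_of = parse_role_info(role_info_text)
    return [{"user": s["user"], "ip": s["ip"],
             "acls": [acl_of[r] for r in s["roles"] if r in acl_of],
             "unknown_roles": [r for r in s["roles"] if r not in acl_of]}
            for s in parse_online_users(online_text)]
```

    A session whose unknown_roles list is non-empty is worth a second look against the role table before deciding whether to cut it.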

Copyright © Huawei Technologies Co., Ltd.