| 22.3. Access levels to the Control Port | ||
|---|---|---|
 | Chapter 22. CP - Control Port |  |
| 22.3. Access levels to the Control Port | ||
|---|---|---|
| | Chapter 22. CP - Control Port | |
Permission levels to the Control Port depends by LOGIN-MODE.
With LOGIN-MODE:LEGACY it's
possible to log into the Control Port by using three different privilege
levels:
User login level: “USER” is allowed to execute only some operations for supervising the Abilis CPX working mode; the execution of “USER” not allowed commands will cause the message “COMMAND NOT ALLOWED FOR USER LOGIN LEVEL” to be displayed.
Administrator login level: “ADMINISTRATOR” is allowed, with some restrictions, to execute all the operations for configuring and supervising the Abilis CPX; execution of “ADMINISTRATOR” not allowed commands will cause the message “COMMAND NOT ALLOWED FOR ADMINISTRATOR LOGIN LEVEL” to be displayed.
Super-User login level: SUPERUSER is able to completely manage the system.
Once the CP has been accessed, it's possible to check or modify the privilege level by using the command login.
Here is an example of how to access the Control Port through the Telnet port, with USER privileges:
[192.168.0.1] TELNETS>00-CPCOM Abilis CPX - Ver. 8.5.1/STD - Build 4238.7 - Branch 8.5 - Abilis-ID 1800310 Monday 28/08/2017 08:38:44 (UTC+2:00) Logged as USER[11:29:21] ABILIS_CPX:
The User is asked to specify the requested access level (USER, ADMINISTRATOR or SUPERUSER) and then to insert the corresponding password. If the password is wrong, it will be asked again. After the third wrong try, the connection will be cleared.
[192.168.0.1] TELNETS>00-CPCOM Abilis CPX - Ver. 8.5.1/STD - Build 4238.7 - Branch 8.5 - Abilis-ID 1800310 Monday 28/08/2017 08:38:44 (UTC+2:00) Login:userPassword: INVALID PASSWORD Password: INVALID PASSWORD Password: CLR F0 AE[192.168.0.1] TELNETS>
When using LOGIN-MODE:USERS
the permission levels are the followings:
User 'super' can do everything, without restrictions
Users with
CP-LEVEL:SUPER have the
following restrictions:
Can't set password (PWD:) of user
'super';
Can't change
LOGIN-MODE:USERS of
control port;
Users with
CP-LEVEL:ADMIN have the
following restrictions:
Can't set password (PWD:) of user
'super';
Can't change
LOGIN-MODE:USERS of
control port;
Can't set password (PWD:) of other
users with CP-LEVEL:ADMIN
or CP-LEVEL:SUPER;
Can't remove users with
CP-LEVEL:ADMIN or
CP-LEVEL:SUPER;
Can't set
CP-LEVEL:SUPER for any
user, including themselves.
Users with CP-LEVEL:USER
have most commands restricted, they are only allowed to some
supervision and error recovery actions, plus some system utilities.
The most relevant restrictions are:
Can't execute commands that modify the configuration ( A/S/C/M, CONF, SAVE, INIT, ...);
Can't execute commands that modify files on disks (CONF, FILE, SYS, ... );
Can't execute commands that stop or restart Abilis (WARM START, RESTART SYSTEM, SHUTDOWN SYSTEM, HALT, ...);
Can't execute commands that may reveal sensitive data (LICENCE, TRACE, IPFLOW, D <res> LOG, ...);
Other commands can be permitted entirely or just partially.
Users with CP-LEVEL:NO
can't login to TELNET/SSH and can't access control port.
| |  | |
| 22.2. CP LOGIN-MODE |  | 22.4. CP diagnostics and statistics |