CN101090336A - Command line interface authority hierarchical method for network equipment - Google Patents
Command line interface authority hierarchical method for network equipment
- Publication number: CN101090336A
- Authority: CN (China)
- Prior art keywords
- command
- permission levels
- user
- line interface
- command keyword
- Prior art date: 2007-07-12
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Small-Scale Networks (AREA)
Abstract
This invention discloses a method for hierarchical privilege control of the command line interface (CLI) of a network device, comprising: (1) a user logs on to the network device's system and obtains a privilege level; (2) a command keyword is read from the CLI command set; (3) the privilege level of that command keyword is determined; (4) the user's privilege level is compared with the keyword's privilege level; if the user's level is greater than or equal to the keyword's level, the command corresponding to the keyword is an operable command for that user, otherwise it is a non-operable command for that user; (5) if the CLI command set still contains command keywords that have not been read, an unread keyword is read and the flow returns to step 3, otherwise the flow ends.
Description
Technical field
The present invention relates to a method of hierarchical privilege control, and in particular to a method of hierarchical privilege control for the command line interface of a network device.
Background technology
With the widespread use of IP (Internet Protocol) network data products such as routers and Ethernet switches, the security requirements placed on network device management keep rising, and for devices managed through a CLI (Command Line Interface) the security problem is increasingly prominent. A junior operator who destroys the device configuration through a mistaken operation, or an intruder who connects to a physical interface of the device to read its configuration, or even reconfigures the device and takes control of it, can all endanger the safe operation of the network device. Therefore, in today's IP network data products, privilege-level control over the commands that a legitimate configuration administrator is allowed to execute is an unavoidable problem.
When a user logs on to a data device to perform command operations, the method commonly adopted to meet the above privilege-control requirement is a simple two-level privilege control. That is, every user who accesses the device and passes login authentication uses a basic command set in which only some basic command operations can be performed; ordinary users are restricted to the commands in this set, while a device maintainer with higher authority or a system administrator must enter a privilege-level password for a second authentication, after which the session switches to the complete command set and obtains full access control over the device. Clearly this form of control is too coarse: in essence it is a simple two-level privilege control, the initial privilege of every user after login authentication is identical and cannot directly reflect the rank of the logged-in user, and because the privileges are fixed and cannot be configured online, it cannot satisfy the requirements of multi-level privilege management and flexible configuration.
As an improvement over the simple two-level privilege control method, another hierarchical privilege method divides logged-in users into different roles and assigns each role a predetermined, fixed set of executable command operations. After a successful login the user can only execute the commands permitted to that role, so users are controlled differentially. Because this role-based privilege management method greatly improves control granularity while remaining easy to understand and easy to implement, it is now widely used in many systems and devices. However, the number of roles is generally limited and the command operations permitted to each role are relatively fixed; given that network data products are operated and configured entirely through CLI commands, and that the command set is generally huge with a very large number of commands, this role-based privilege control method is still not flexible enough.
Summary of the invention
The technical problem to be solved by the present invention is to provide a command line interface hierarchical privilege method for a network device that offers high control granularity and flexible configuration management, and that realizes multi-level privilege control of logged-in users and of operating terminals.
The technical solution adopted by the present invention to solve the technical problem is:
A command line interface hierarchical privilege method for a network device, comprising the following steps:
1.1 the user logs on to the system of the network device and obtains the user's privilege level;
1.2 a command keyword is read from the command line interface command set;
1.3 the privilege level of the command keyword is determined;
1.4 the user's privilege level is compared with the privilege level of the command keyword; if the user's privilege level is greater than or equal to the privilege level of the command keyword, the command corresponding to the command keyword is an operable command for the user, otherwise the command corresponding to the command keyword is a non-operable command for the user;
1.5 it is judged whether the command line interface command set still contains a command keyword that has not been read; if so, an unread command keyword is read and the flow returns to step 1.3, otherwise the flow ends.
In the above scheme, determining the privilege level of the command keyword in step 1.3 comprises the following steps:
2.1 obtaining the default privilege level of the command keyword;
2.2 judging, according to the configured privilege level of the command keyword, whether the privilege level of the command keyword has been changed; if it has not, the default privilege level is taken as the privilege level of the command keyword, otherwise the configured privilege level is taken as the privilege level of the command keyword.
In the above scheme, the command line interface command set comprises all commands supported by the command line interface; the command keyword corresponding to each command is associated one-to-one with a default privilege level and with a configured privilege level; the default privilege level of a command keyword is the initial privilege level set for it; and if the privilege level of a command keyword is changed, its configured privilege level is updated accordingly.
In the above scheme, after the user logs on to the system of the network device in step 1.1, the system authenticates the user; if authentication succeeds, the user's privilege level is obtained, otherwise the user is logged out and the flow ends.
In the above scheme, the authentication modes include local module authentication, Remote Authentication Dial In User Service (RADIUS) server authentication, and Terminal Access Controller Access Control System (TACACS) server authentication.
The beneficial effects of the present invention are mainly as follows: the technical solution provides high control granularity and flexibility, solves the problems of insufficiently fine privilege levels and inflexible configuration in existing CLI privilege management methods, and satisfies the security requirements of access to IP network devices, thereby preventing unauthorized users from viewing or altering device configuration information beyond their scope of authority and ensuring the safe and normal operation of the device.
Description of drawings
Fig. 1 is a flow chart of the CLI hierarchical privilege method for a network device according to the present invention;
Fig. 2 is a flow chart of a user logging on to the network device system according to the present invention.
Embodiment
The invention is further described below with reference to the accompanying drawings.
With reference to Fig. 1, a CLI hierarchical privilege method for a network device comprises the following steps:
Step 1: the user logs on to the system of the network device and obtains the user's privilege level.
As shown in Fig. 2, in this step the user logs on to the network device system and undergoes access authentication: after entering a username and password, the user waits for the authentication result to be returned. Available authentication modes include local module authentication, RADIUS (Remote Authentication Dial In User Service) server authentication, TACACS (Terminal Access Controller Access Control System) server authentication, and so on. If authentication fails, the user is logged out and the flow ends; if authentication succeeds, the user is confirmed as a legitimate logged-in user and the user's privilege level is returned. The user's privilege level is the privilege level of the current operating terminal, so when a different user logs on later, or when the privilege level needs to be changed dynamically online, the privilege level of the current operating terminal changes accordingly.
Step 2: read a command keyword from the CLI command set.
A command keyword is the first word or first few words of a CLI command, that is, the part of the command other than its parameters and syntactic prompt characters; it may also be called a command node. The authority of users who operate and control the network device through CLI commands is divided into different levels; the number of levels, for example 16 or 256, can be chosen freely when implementing the invention and is not limited. The CLI command set comprises all commands supported by the CLI; the command keyword of each command is associated one-to-one with a default privilege level and a configured privilege level; the default privilege level of a command keyword is the initial privilege level set for it; and if the privilege level of a command keyword is changed, for example when an administrator manually configures the privilege level of the keyword, its configured privilege level is updated accordingly.
Step 3: determine the privilege level of the command keyword, which is implemented in the following parts:
1. obtain the default privilege level of the command keyword;
2. judge, according to the configured privilege level of the command keyword, whether its privilege level has been changed; if not, take the default privilege level as the privilege level of the command keyword, otherwise take the configured privilege level as the privilege level of the command keyword.
In this way the privilege level of a command keyword always reflects the latest privilege configuration, which completes the hierarchical privilege function.
Step 4: compare the user's privilege level with the privilege level of the command keyword. If the user's privilege level is greater than or equal to the privilege level of the command keyword, the user is allowed to view and execute the command corresponding to that keyword, i.e. the command is an operable command for this user; otherwise the user is forbidden to view or execute the command corresponding to that keyword, i.e. the command is a non-operable command for this user.
Step 5: judge whether the CLI command set still contains a command keyword that has not been read; if so, read an unread command keyword and return to step 3, otherwise end the flow.
With the hierarchical privilege method of the present invention, the scope of a user's command operations can be controlled as required, the control granularity reaches the level of individual users, and the command operation scopes of different users can both cooperate and remain isolated from one another.
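The following is a worked example of the procedure in Steps 1 to 5 above (and of the identical steps 1.1 to 1.5 and 2.1 to 2.2 in the Summary), added to this page; it is not code from the patent or from any applicant's device. Everything concrete in it is an assumption: the 16-level scheme (levels 0..15, one of the level counts the text permits), the constructed command set with its keywords and levels, and a constructed local user table that stands in for the local-module, RADIUS or TACACS authentication result of Step 1. It also goes a little beyond the text by applying the keyword level check to a typed command line, choosing the longest keyword that prefixes the line and refusing lines that match no keyword at all.

```python
"""Hierarchical CLI privilege check (Steps 1 to 5), worked through in Python.

Added example; not code from the patent or its applicant.  Assumptions the
patent does not make: a 16-level scheme (levels 0..15), the constructed command
set with its keywords and levels, and a constructed local user table standing
in for the local-module / RADIUS / TACACS authentication result of Step 1.
"""
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_LEVEL = 15  # assumption: 16 privilege levels, one of the counts the text permits


@dataclass
class CommandNode:
    """A command keyword (command node) with its two associated levels (Step 2)."""
    keyword: str
    default_level: int                      # initial level set when the set is built
    configured_level: Optional[int] = None  # None: the administrator has not changed it

    def effective_level(self) -> int:
        """Step 3: the configured level if it was changed, otherwise the default."""
        if self.configured_level is None:
            return self.default_level
        return self.configured_level


def build_command_set() -> List[CommandNode]:
    """Constructed command set: keywords are the leading words of each command
    with parameters stripped.  The levels are illustrative."""
    return [
        CommandNode("show version", 1),
        CommandNode("show running-config", 7),
        CommandNode("ping", 1),
        CommandNode("configure terminal", 15),
        CommandNode("interface", 15),
        CommandNode("write memory", 15),
        CommandNode("reload", 15),
    ]


# Constructed local store: username -> (password, privilege level).  Plaintext
# only to keep the example short; a real device stores password hashes.
LOCAL_USERS = {
    "operator": ("op-pass", 1),
    "netadmin": ("na-pass", 7),
    "root": ("root-pass", 15),
}


def authenticate(username: str, password: str) -> Optional[int]:
    """Step 1: return the user's privilege level, or None when login fails."""
    entry = LOCAL_USERS.get(username)
    if entry is None:
        return None
    stored, level = entry
    # constant-time compare so a wrong password is not distinguishable by timing
    if not secrets.compare_digest(stored.encode(), password.encode()):
        return None
    return level


def partition_commands(user_level: int,
                       command_set: List[CommandNode]) -> Tuple[List[str], List[str]]:
    """Steps 2 to 5: visit every keyword once and split the set into the
    commands this user may operate and those it may not."""
    operable, non_operable = [], []
    for node in command_set:                       # Step 5: loop until none unread
        if user_level >= node.effective_level():   # Step 4: level comparison
            operable.append(node.keyword)
        else:
            non_operable.append(node.keyword)
    return operable, non_operable


def set_keyword_level(command_set: List[CommandNode], keyword: str, new_level: int) -> None:
    """Online reconfiguration by an administrator: records the configured level,
    which Step 3 then prefers over the default."""
    if not 0 <= new_level <= MAX_LEVEL:
        raise ValueError(f"level must be 0..{MAX_LEVEL}")
    for node in command_set:
        if node.keyword == keyword:
            node.configured_level = new_level
            return
    raise KeyError(keyword)


def authorize_line(user_level: int, line: str, command_set: List[CommandNode]) -> bool:
    """Apply the check to one typed command line: pick the longest keyword that
    prefixes the line (parameters follow the keyword), then compare levels.
    A line that matches no keyword is refused rather than allowed by default."""
    words = line.split()
    best: Optional[CommandNode] = None
    for node in command_set:
        kw = node.keyword.split()
        if words[:len(kw)] == kw and (best is None or len(kw) > len(best.keyword.split())):
            best = node
    return best is not None and user_level >= best.effective_level()
```

With the constructed table, `partition_commands(7, build_command_set())` puts `show version`, `show running-config` and `ping` in the operable list and the level-15 keywords in the non-operable list; after `set_keyword_level(cs, "show running-config", 15)` the same level-7 user loses that command, which is the online reconfiguration of step 2.2 taking precedence over the default. The fail-closed choice in `authorize_line` is deliberate: a line that matches no keyword has no level to compare against, and the only safe reading of Step 4 is to deny it.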
Claims (5)
1. A command line interface hierarchical privilege method for a network device, characterized in that it comprises the following steps:
1.1 the user logs on to the system of the network device and obtains the user's privilege level;
1.2 a command keyword is read from the command line interface command set;
1.3 the privilege level of the command keyword is determined;
1.4 the user's privilege level is compared with the privilege level of the command keyword; if the user's privilege level is greater than or equal to the privilege level of the command keyword, the command corresponding to the command keyword is an operable command for the user, otherwise the command corresponding to the command keyword is a non-operable command for the user;
1.5 it is judged whether the command line interface command set still contains a command keyword that has not been read; if so, an unread command keyword is read and the flow returns to step 1.3, otherwise the flow ends.
2. The command line interface hierarchical privilege method for a network device according to claim 1, characterized in that determining the privilege level of the command keyword in step 1.3 comprises the following steps:
2.1 obtaining the default privilege level of the command keyword;
2.2 judging, according to the configured privilege level of the command keyword, whether the privilege level of the command keyword has been changed; if it has not, the default privilege level is taken as the privilege level of the command keyword, otherwise the configured privilege level is taken as the privilege level of the command keyword.
3. The command line interface hierarchical privilege method for a network device according to claim 2, characterized in that: the command line interface command set comprises all commands supported by the command line interface; the command keyword corresponding to each command is associated one-to-one with a default privilege level and with a configured privilege level; the default privilege level of a command keyword is the initial privilege level set for it; and if the privilege level of a command keyword is changed, its configured privilege level is updated accordingly.
4. The command line interface hierarchical privilege method for a network device according to any one of claims 1 to 3, characterized in that: after the user logs on to the system of the network device in step 1.1, the system authenticates the user; if authentication succeeds, the user's privilege level is obtained, otherwise the user is logged out and the flow ends.
5. The command line interface hierarchical privilege method for a network device according to claim 4, characterized in that: the authentication modes include local module authentication, Remote Authentication Dial In User Service server authentication, and Terminal Access Controller Access Control System server authentication.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2007100758781A CN101090336A (en) | 2007-07-12 | 2007-07-12 | Command line interface authority hierarchical method for network equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101090336A true CN101090336A (en) | 2007-12-19 |
Family
ID=38943517
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2007100758781A Pending CN101090336A (en) | 2007-07-12 | 2007-07-12 | Command line interface authority hierarchical method for network equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101090336A (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103490895A (en) * | 2013-09-12 | 2014-01-01 | 北京斯庄格科技有限公司 | Industrial control identity authentication method and device with state cryptographic algorithms |
CN103490895B (en) * | 2013-09-12 | 2016-09-14 | 电小虎能源科技(北京)有限公司 | A kind of industrial control identity authentication applying the close algorithm of state and device |
CN103763676A (en) * | 2014-01-24 | 2014-04-30 | 成都西加云杉科技有限公司 | Communication method and equipment between AP and AC |
CN105871577A (en) * | 2015-01-22 | 2016-08-17 | 阿里巴巴集团控股有限公司 | Method and device for managing resource privilege |
US10554667B2 (en) | 2015-01-22 | 2020-02-04 | Alibaba Group Holding Limited | Methods, apparatus, and systems for resource access permission management |
CN105099665A (en) * | 2015-09-15 | 2015-11-25 | 浪潮(北京)电子信息产业有限公司 | Command line interface CLI privilege management method and system |
CN105718171A (en) * | 2016-01-14 | 2016-06-29 | 广州杰赛科技股份有限公司 | Data processing method and terminal |
CN105718171B (en) * | 2016-01-14 | 2018-08-28 | 广州杰赛科技股份有限公司 | A kind of data processing method and terminal |
CN107370729A (en) * | 2017-07-13 | 2017-11-21 | 深圳市风云实业有限公司 | command authority distribution method |
CN108809930A (en) * | 2018-04-08 | 2018-11-13 | 北京易代储科技有限公司 | Method for managing user right and device |
CN108809930B (en) * | 2018-04-08 | 2021-05-28 | 北京易代储科技有限公司 | User authority management method and device |
Legal Events
Code | Title | Description
---|---|---
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C12 | Rejection of a patent application after its publication |
RJ01 | Rejection of invention patent application after publication |
Open date: 2007-12-19