Command set, Suppor – H3C Technologies H3C Intelligent Management Center User Manual
To delete a shell profile:
1. Click the User tab.
2. On the navigation tree, select Device User Policy > Authorization Command > Shell Profiles.
   The Shell Profile list displays all shell profiles.
3. Click the Delete icon for the shell profile you want to delete.
   A confirmation dialog box appears.
4. Click OK.
Command set
A command set defines commands that can be executed and commands that cannot be executed by
device users. The name of the command set must be unique in TAM.
The command name is usually the keyword for the command. For example, the name of the display
current-configuration command is display. When you configure a command name in TAM, you must
enter the complete name of the command. However, when you enter a command on the device, you can
enter part of a keyword. For example, you can enter disp for the display keyword.
Each line in a command set list defines a rule for executing commands. The rule permits or denies the
execution of one or more commands. You can enter one or more parameters. For example,
the parameter for the display current-configuration command is current-configuration. When you
configure a parameter in TAM, you must enter the complete parameter. However, when you enter a
command parameter on the device, you can enter part of a parameter. For example, you can enter current for
current-configuration. In addition, you can enter an asterisk (*) or leave the Parameters field empty. The
asterisk (*) means match any parameter. An empty field means match no parameter.
To implement command set control on login users, configure a command set on the TAM server and
enable command authorization on the device.
After a device user logs in to the device, the user sends a request to the TAM server every time the user
executes a command. The TAM server determines whether the user can execute the command according
to the command set defined in the authorization policy and notifies the device whether the user can
execute the command.
A privilege level corresponds to the default command set that a user can use after login. Users cannot
view or execute commands that are not in the command set. Privilege levels vary by
vendor. H3C recommends that you select a privilege level from 0 through 16 provided by TAM. See the
configuration guide for the device.
When a command set works together with an authorized time range to control device users, the
command execution time applies. When a device user executes a command, the TAM server determines
the authorized time range for the user according to the command execution time for the user, and
determines whether the user can execute the command according to the command set that corresponds
to the authorized time range. Assume that you configure two authorized time ranges A (08:00 to 10:00)
and B (10:30 to 11:00). When a user executes a command at 09:00, the command set that corresponds
to authorized time range A applies. When a user executes a command at 10:40, the command set that
corresponds to authorized time range B applies, regardless of whether the user stays online or logs
out and logs in again. For more information about authorized time range configuration, see "
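
The evaluation described in this section, modelled in Python as an added example (not H3C code and not TAM's actual implementation): the command set is chosen by command execution time, then rules are checked using the complete-name, asterisk and empty-field semantics above. The sample rule sets, first-match rule order, default deny, prefix handling of abbreviations and the asterisk also matching a bare command are all assumptions.

```python
from datetime import time

# Constructed sample policy. A rule is (action, complete command name, Parameters field).
# Parameters "*" = any parameter (assumed to include none); "" = no parameter at all.
SET_A = [("deny", "display", "current-configuration"),
         ("permit", "display", "*"),
         ("permit", "ping", "*")]
SET_B = [("permit", "display", "")]

# Authorized time ranges A and B from the text, each tied to one command set.
TIME_RANGES = [(time(8, 0), time(10, 0), SET_A),
               (time(10, 30), time(11, 0), SET_B)]

def is_abbrev(typed, full):
    """True if the word typed on the device is a prefix of the complete TAM entry."""
    return bool(typed) and full.startswith(typed)

def rule_matches(rule, typed_cmd, typed_params):
    _, name, params = rule
    if not is_abbrev(typed_cmd, name):
        return False
    if params == "*":
        return True
    want = params.split()  # "" -> [] so only the bare command matches
    return len(want) == len(typed_params) and all(
        is_abbrev(t, w) for t, w in zip(typed_params, want))

def authorize(line, at):
    """Decide one command line by its execution time, not the login time."""
    words = line.split()
    if not words:
        return "deny"
    for start, end, command_set in TIME_RANGES:
        if start <= at <= end:
            for rule in command_set:  # assumption: first matching rule wins
                if rule_matches(rule, words[0], words[1:]):
                    return rule[0]
    return "deny"  # assumption: no range or no rule matched means deny

if __name__ == "__main__":
    for line, at in [("disp current", time(9, 0)), ("display version", time(9, 0)),
                     ("display version", time(10, 40)), ("display", time(10, 40))]:
        print(at, repr(line), "->", authorize(line, at))
```

When reviewing a command set, test deny rules against abbreviated input such as disp current: a comparison against the complete keyword only would let the abbreviated form fall through to a broader permit rule.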