set system aaa ldap group command-level

The set system aaa ldap command-level permit command configures LDAP group and command level of LDAP server.

The delete system aaa ldap group command-level command deletes the configuration.

Command Syntax

set system aaa ldap group <group-name> command-level <value>

delete system aaa ldap group <group-name> command-level <value>

Parameters

Parameter

Description

group <group-name>

Specifies the group to which a user belongs. The value is a string.

command-level <value>

Specifies the command level for an LDAP user. The value is an integer that ranges from 1 to 15.

If an LDAP user is not configured with command-level, it can only run show and exit commands.

Usage Guidelines

This feature can specify a group for the user that corresponds to the group on the server, we recommend that users configure group and command level together, and the higher the value of command level, the higher the priority. Different groups of users login can only run specific commands defined on the command line when they log in. A high priority user can run all permit commands below its command-level.

NOTES:

Group users with command-level configuration but no corresponding statement configuration can only run exit when they log in. For example, user commit set system aaa ldap group command-level but not set system aaa ldap command-level permit, user can only run exit.
Group users with command-level 15 have administrator rights when they log in.
Users belonging to different groups log in according to the maximum user permissions. For example, set group1 command-level 1, group2 command-level 2 and group3 command-level 15, LDAP users belong to group3 can run any commands.

Example

Configure the group name and class for an LDAP user.

admin@PICOS# set system aaa ldap command-level 2 permit "set protocols"
admin@PICOS# set system aaa ldap command-level 2 permit config
admin@PICOS# set system aaa ldap group bob-group command-level 2
admin@PICOS# commit