Role-Based Access Control

Role-Based Access Control (RBAC) gives customers the ability to create administration accounts on the MSS based on customer-defined roles. Customer-defined roles can be tailored to give each administrator only the access privileges that are needed to perform that administrator's job.

When you set up an administrative role, you specify which web-administration pages the role can access and the access type. The access type can be read and write or read only. Roles assigned read and write access can view and modify settings for the web-administration pages that the role is allowed to access. Roles assigned read only access can view settings for the web administration pages that the role is allowed to access, but cannot modify settings.

The administrative roles you create can have access privileges that are the same as the sa (system administrator) or vm (voice messaging administrator) login, or you can create administrative roles that have different access privileges. The administrative roles associated with the sa and vm logins are called fixed or pre-defined roles because they are set up when the system is installed and they cannot be modified (edited). However, a fixed role can be copied to create a customer-defined (custom) role and then the custom role can be modified. For more information about administrative roles, see Managing administrative roles on the MSS.

When a custom role is created, the role is assigned a role identifier (Role ID), which is associated with a Linux group number. To avoid conflict with Linux group numbers that may be in use in other parts of the enterprise, Linux group numbers used for RBAC are offset by a number called the profile base number. If necessary, the system administrator can change the profile base number, which changes the range of Linux group numbers associated with role identifiers and customer-defined roles. For more information, see Changing the profile base.

Role identifiers are also used to assign access privileges to administration accounts on the MSS. For customers who use an Authentication, Authorization, and Accounting (AAA) sever to authenticate administration accounts (logins) on the MSS, the same administrative roles must be defined on the AAA server. For information about configuring the MSS for login authentication by a AAA server, see Configuring the MSS for login authentication by a AAA server.