Configuring Default CLI User Access Levels with External Authentication

Each CLI user account created on an external RADIUS or LDAP server should be assigned a global access level and a default Message VPN access level, and possibly specific exceptions to the default Message VPN access level. However, if the Solace PubSub+ event broker cannot determine these assigned access levels (for example, due to a possible misconfiguration), then it assigns default access levels and exceptions to the CLI user. These default access levels and exceptions are configured on the Solace PubSub+ event broker and saved to its internal database.

If you change the access level for a CLI user that is currently logged in, the new access level will not take effect until after the user logs off and then logs in again.

Configuring Global Access Levels

To configure a default global access level that can be applied to externally-authenticated CLI user accounts, enter the following commands:

solace(configure)# authentication
solace(configure/authentication)# user-class cli
solace(configure/authentication/user-class)# access-level
solace(...uthentication/user-class/access-level)# default
solace(...ation/user-class/access-level/default)# global-access-level [none | read-only | mesh-manager | read-write | admin]

Where:

none specifies a global access level of none.

read-only specifies a global access level of read-only. The default value is read-only.

mesh-manager specifies a global access level of mesh-manager.

read-write specifies a global access level of read-write.

admin specifies a global access level of admin.

Configuring Message VPN Default Access Levels

To configure a default Message VPN access level that can be applied to externally-authenticated CLI user accounts, enter the following commands:

solace(configure)# authentication
solace(configure/authentication)# user-class cli
solace(configure/authentication/user-class)# access-level
solace(...uthentication/user-class/access-level)# default
solace(...ation/user-class/access-level/default)# message-vpn
solace(...lass/access-level/default/message-vpn)# default-access-level [none | read-only | read-write]

Where:

none specifies a default Message VPN access level of none. The default value is none.

read-only specifies a default Message VPN access level of read-only.

read-write specifies a default Message VPN access level of read-write.

Configuring Message VPN Access Level Exceptions

  • To configure an exception to the default Message VPN access level that can be applied to an externally-authenticated CLI user account, enter the following CONFIG commands:
    solace(...ation/user-class/access-level/default)# message-vpn
    solace(...lass/access-level/default/message-vpn)# create access-level-exception <vpn-name> access-level [none | read-only | read-write]
  • To modify an existing exception to the default Message VPN access level for an externally-authenticated CLI user account, enter the following CONFIG commands:
    solace(...ation/user-class/access-level/default)# message-vpn
    solace(...lass/access-level/default/message-vpn)# access-level-exception <vpn-name> access-level [none | read-only | read-write]

Where:

<vpn-name> is the name of an existing Message VPN that the exception to the default Message VPN access level applies to.

none specifies a Message VPN access level of none. The default value is none.

read-only specifies a Message VPN access level of read-only.

read-write specifies a Message VPN access level of read-write.

The no version of this command, no access-level-exception <vpn-name>, removes the exception for the given Message VPN; the default Message VPN access level then applies to that VPN.

The number of permitted Message VPN access level exceptions is only limited in that it cannot exceed the number of existing Message VPNs on the event broker.
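The three procedures above define a fallback: whatever the RADIUS or LDAP server assigned is used when the broker can determine it, and otherwise the broker-side default global level, default Message VPN level and exceptions apply. The model below, added here as an illustration and not Solace code, shows that precedence, validates a default configuration against the page's rules (exception VPNs must exist, levels must be one of the documented keywords, exception count cannot exceed the VPN count), and renders the CONFIG commands from the page that would produce it. The class and function names, the sample VPN names "default" and "ops-vpn", and the rendered command lines without prompts are assumptions.

```python
"""Model of the broker's fallback to its configured default CLI access levels.

Added illustration, not Solace code. AccessLevels, FACTORY_DEFAULTS,
validate_defaults, effective_access and render_cli are assumed names.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Keywords exactly as documented for each command.
GLOBAL_LEVELS = ("none", "read-only", "mesh-manager", "read-write", "admin")
VPN_LEVELS = ("none", "read-only", "read-write")


@dataclass
class AccessLevels:
    """A global level, a default Message VPN level, and per-VPN exceptions."""
    global_level: str
    vpn_default: str
    vpn_exceptions: Dict[str, str] = field(default_factory=dict)

    def vpn_level(self, vpn: str) -> str:
        # An exception for this VPN wins; otherwise the default VPN level applies.
        return self.vpn_exceptions.get(vpn, self.vpn_default)


# Broker-side defaults as the page states them: global read-only, VPN none.
FACTORY_DEFAULTS = AccessLevels(global_level="read-only", vpn_default="none")


def validate_defaults(defaults: AccessLevels, existing_vpns: List[str]) -> None:
    """Raise ValueError for a default configuration the page says is not allowed."""
    if defaults.global_level not in GLOBAL_LEVELS:
        raise ValueError(f"invalid global access level {defaults.global_level!r}")
    if defaults.vpn_default not in VPN_LEVELS:
        raise ValueError(f"invalid default Message VPN access level {defaults.vpn_default!r}")
    for vpn, level in defaults.vpn_exceptions.items():
        if vpn not in existing_vpns:
            raise ValueError(f"exception names a Message VPN that does not exist: {vpn!r}")
        if level not in VPN_LEVELS:
            raise ValueError(f"invalid exception access level {level!r} for {vpn!r}")
    # Page limit: exceptions cannot outnumber existing Message VPNs (already
    # implied by the per-exception check above, kept explicit for clarity).
    if len(defaults.vpn_exceptions) > len(existing_vpns):
        raise ValueError("more exceptions than Message VPNs")


def effective_access(external: Optional[AccessLevels], defaults: AccessLevels,
                     vpn: str) -> Tuple[str, str, str]:
    """Return (source, global_level, vpn_level) for a CLI user on one VPN.

    external is None when the broker could not determine the levels assigned on
    the RADIUS/LDAP server; the broker then applies its configured defaults.
    """
    if external is None:
        return ("broker-default", defaults.global_level, defaults.vpn_level(vpn))
    return ("external", external.global_level, external.vpn_level(vpn))


def render_cli(defaults: AccessLevels) -> List[str]:
    """Emit the CONFIG commands from the page that set these defaults (no prompts)."""
    lines = [
        "configure",
        "authentication",
        "user-class cli",
        "access-level",
        "default",
        f"global-access-level {defaults.global_level}",
        "message-vpn",
        f"default-access-level {defaults.vpn_default}",
    ]
    for vpn, level in sorted(defaults.vpn_exceptions.items()):
        lines.append(f"create access-level-exception {vpn} access-level {level}")
    return lines


if __name__ == "__main__":
    vpns = ["default", "ops-vpn"]  # constructed sample Message VPN names
    hardened = AccessLevels("read-only", "none", {"ops-vpn": "read-only"})
    validate_defaults(hardened, vpns)
    print("\n".join(render_cli(hardened)))
    for name in vpns:
        # What a user gets if the external server's levels cannot be determined.
        print(name, effective_access(None, hardened, name))
```

Because the broker-side defaults are what an externally-authenticated user receives whenever the external attributes cannot be interpreted, running effective_access with external=None against the intended configuration is a quick way to confirm that the fallback grants no more than read-only globally and nothing on VPNs that have no explicit exception.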