Creating User Roles


The TACACS+ server determines a user's role by returning a role attribute. The built-in roles are network-admin, which has full access, and read-only-network-admin, whose users can run only the show commands.


You can create users on the switch and assign them roles (either a role you create or the default role, network-admin). To create a new user role, use the command:


CLI (network-admin@switch-1) > role-create name <name-string> scope local|fabric access read-only|read-write  


name <name-string>

Specify the role name

scope local|fabric

Specify whether the scope is local or fabric

Specify any of the following options:


access read-only|read-write

Specify the type of access; the default is read-write

running-config|no-running-config

Specify whether the role may display the running configuration of the switch

shell|no-shell

Specify whether the role allows the shell command

sudo|no-sudo

Specify whether the role allows sudo from the shell


For example, to create a role named newrole with local scope that allows the shell command, use the command:


CLI (network-admin@switch-1) > role-create name newrole scope local shell 


To display the configuration details, use the command:


CLI (network-admin@switch-1) > role-show


name                    scope  vnet-access access     running-config shell  sudo
----------------------- -----  ----------- ---------- -------------- ------ ----
network-admin           local  all         read-write permit         deny   deny
read-only-network-admin local  all         read-only  deny           deny   deny
newrole                 local  all         read-write deny           permit deny


To delete a role, use the command:


CLI (network-admin@switch-1) > role-delete name <name-string>


To modify a role, use the command:


CLI (network-admin@switch-1) > role-modify name <name-string> access read-only|read-write running-config|no-running-config shell|no-shell sudo|no-sudo delete-from-users


You can create a user and apply an  initial role by using the command:


CLI (network-admin@switch-1) > user-create name <name-string> scope local|fabric initial-role <role-name>


For example, to create a user named user2 with local scope and network-admin as the initial role:


CLI (network-admin@switch-1) > user-create name user2 scope local initial-role network-admin


CLI (network-admin@switch-1) > shell

shell: shell access denied by role


The above error message indicates that shell access is denied because the network-admin role does not have shell access configured (the role-show output above lists shell as deny for it). Hence, when you create a new user who needs the shell, assign a role that permits shell access. For example,
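Because shell and sudo permissions sit outside the CLI's read-only/read-write distinction, it is worth auditing role-show output for roles that grant them. The following Python script is an added example (not part of the Netvisor documentation); it parses the role-show table shown on this page, embedded below as constructed sample output, and lists the roles that permit shell or sudo.

```python
"""Audit Netvisor `role-show` output for roles that grant shell or sudo.

Added example, not Netvisor code. ROLE_SHOW_OUTPUT is constructed from the
role-show table on this page; in practice, paste the real command output.
"""

ROLE_SHOW_OUTPUT = """\
name                    scope  vnet-access access     running-config shell  sudo
----------------------- -----  ----------- ---------- -------------- ------ ----
network-admin           local  all         read-write permit         deny   deny
read-only-network-admin local  all         read-only  deny           deny   deny
newrole                 local  all         read-write deny           permit deny
"""


def parse_role_show(text):
    """Return one dict per role row, keyed by the header column names."""
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    roles = []
    for line in lines[2:]:  # skip the header and the dashed separator line
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError(f"unexpected column count in row: {line!r}")
        roles.append(dict(zip(header, fields)))
    return roles


def shell_capable_roles(roles):
    """Roles whose members can drop to the Linux shell or use sudo.

    A user with such a role is effectively outside the CLI access model,
    so these roles deserve the same scrutiny as network-admin itself.
    """
    return [r["name"] for r in roles
            if r["shell"] == "permit" or r["sudo"] == "permit"]


def custom_shell_roles(roles):
    """Shell-capable roles other than the built-in ones (e.g. newrole)."""
    builtin = {"network-admin", "read-only-network-admin"}
    return [name for name in shell_capable_roles(roles) if name not in builtin]


if __name__ == "__main__":
    parsed = parse_role_show(ROLE_SHOW_OUTPUT)
    for name in shell_capable_roles(parsed):
        print(f"review role {name}: shell or sudo is permitted")
```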


CLI (network-admin@switch-1) > user-create name user2 scope local initial-role newrole 


Exit the CLI and log back in to the switch as user2; shell access is now enabled:


jenkins@pn-jenkins2.pluribusnetworks.com:~$ ssh user2@switch-1

Warning: Permanently added 'switch-1,10.14.16.44' (ECDSA) to the list of known hosts.

* Welcome to Pluribus Networks Inc. Netvisor(R). This is a monitored system.   *

*                ACCESS RESTRICTED TO AUTHORIZED USERS ONLY                    *

* By using the Netvisor(R) CLI,you agree to the terms of the Pluribus Networks *

* End User License Agreement (EULA). The EULA can be accessed via              *

* http://www.pluribusnetworks.com/eula or by using the command "eula-show"     *

user2@switch-1's password: 

Netvisor OS Command Line Interface 5.1

Connected to Switch switch-1; nvOS Identifier:0xb0013dc; Ver: 5.1.1-5010115002

CLI (user2@switch-1) > shell

user2@switch-1:~$ 

user2@switch-1:~$ exit

exit

CLI (user2@switch-1) > 

CLI (user2@switch-1) > exit

Connection to switch-1 closed.


To delete a user, use the command (add the forcefully parameter to force the deletion):


CLI (network-admin@switch-1) > user-delete name <name-string> scope local initial-role newrole 


To modify a user, use the command:


CLI (network-admin@switch-1) > user-modify name <name-string> password <password-string>


To set a user password, use the command:


CLI (network-admin@switch-1) > user-password-set <name-string> scope local uid uid-number type netvisor|unix|tacacs|web-token|mfg server aaa-tacacs name initial-role <role-name>


name <name-string>

Specify the user name

Specify any of the following options:


scope local|fabric

Specify if the scope is local or fabric

uid uid-number

Specify the user ID

type netvisor|unix|tacacs|web-token|mfg

Specify the user type

server aaa-tacacs name

Specify the TACACS server

initial-role <role-name>

Specify the initial role for the user

