Creating User Roles

---

The TACACS+ server determines what role a user has by returning a role attribute. The roles include network-admin for full access and read-only-network-admin users who can  run only the  show commands. 

You  can create users on the switch and assign roles(based on role created or the default role of  network-admin. To create a new user role, use the command:

CLI (network-admin@switch-1) > role-create name <name-string> scope local|fabric access read-only|read-write  

For example, to create a user, newrole, with scope, local and allowing shell command, use the command:

CLI (network-admin@switch-1) > role-create name newrole scope local shell 

To display the configuration details, use the command:

CLI (network-admin@switch-1) > role-show

   name                 scope  vnet-access   access   running-config shell  sudo 

----------------------- -----  ----------- ---------- -------------- ------ ---- 

network-admin           local    all       read-write  permit         deny   deny 

read-only-network-admin local    all       read-only   deny           deny   deny 

newrole                 local    all       read-write  deny           permit deny 

To delete a role, use the command:

CLI (network-admin@switch-1) > role-delete name <name-string>

To modify a role, use the command:

CLI (network-admin@switch-1) > role-modify name <name-string> access read-only|read-write running-config|no-running-config shell|no-shell sudo|no-sudo delete-from-users

You can create a user and apply an  initial role by using the command:

CLI (network-admin@switch-1) > user-create name <name-string> scope local|fabric initial-role <role-name>

For example, to create a user, user2 with scope local and initial role as network-admin:

CLI (network-admin@switch-1) > user-create name user2 scope local initial-role newrole 

CLI (network-admin@switch-1) > shell

shell: shell access denied by role

The above error message indicates that shell access is denied because the  network-admin does not have shell access configured. Hence, when you create a new user, you must  assign a new role to the user so as to enable shell access. For example,

CLI (network-admin@switch-1) > user-create name user2 scope local initial-role newrole 

Exit  the configuration and login back to the switch as user2, for shell access to be enabled :

jenkins@pn-jenkins2.pluribusnetworks.com:~$ ssh user2@switch-1

Warning: Permanently added 'switch-1,10.14.16.44' (ECDSA) to the list of known hosts.

* Welcome to Pluribus Networks Inc. Netvisor(R). This is a monitored system.   *

*                ACCESS RESTRICTED TO AUTHORIZED USERS ONLY                    *

* By using the Netvisor(R) CLI,you agree to the terms of the Pluribus Networks *

* End User License Agreement (EULA). The EULA can be accessed via              *

* http://www.pluribusnetworks.com/eula or by using the command "eula-show"     *

user2@switch-1's password: 

Netvisor OS Command Line Interface 5.1

Connected to Switch switch-1; nvOS Identifier:0xb0013dc; Ver: 5.1.1-5010115002

CLI (user2@switch-1) > shell

user2@switch-1:~$ 

user2@switch-1:~$ exit

exit

CLI (user2@switch-1) > 

CLI (user2@switch-1) > exit

Connection to switch-1 closed.

To delete a user, use the command (add the parameter forcefully to delete a user forcefully):

CLI (network-admin@switch-1) > user-delete name <name-string> scope local initial-role newrole 

To modify a user, use the command:

CLI (network-admin@switch-1) > user-modify name <name-string> password <password-string>

To set a user password, use the command:

CLI (network-admin@switch-1) > user-password-set <name-string> scope local uid uid-number type netvisor|unix|tacacs|web-token|mfg server aaa-tacacs name initial-role <role-name>