Creating Users and Roles


In NetVisor OS, the default roles include the network-admin role with full access to a switch and the read-only-network-admin role with limited access allowing you to execute show commands only. In addition, you can configure custom roles with different permissions.


You can create users on the switch and assign roles to them (the default roles of network-admin and read-only-network-admin or roles created by using the role-create command). To create a new user role, use the command:


CLI (network-admin@switch) > role-create


role-create

Create a user role.

name name-string

Specify the name of the user role.

scope local|fabric

Specify if the scope is local or fabric.

Specify any of the following options:


access read-only|read-write

Specify the type of access. The default is read-write.

running-config|no-running-config

Specify whether to allow or deny display of the switch running configuration.

shell|no-shell

Specify to allow or deny shell access.

sudo|no-sudo

Specify whether to permit or deny use of the sudo command from the shell prompt.


For example, to create a user role named role1 with local scope that permits both shell access and sudo from the shell prompt, use the command:


CLI (network-admin@switch) > role-create name role1 scope local shell sudo


To display the role configuration, use the command:


CLI (network-admin@switch) > role-show

name                    scope vnet-access access     running-config shell  sudo
----------------------- ----- ----------- ---------- -------------- ------ ------
network-admin           local all         read-write permit         deny   deny
read-only-network-admin local all         read-only  deny           deny   deny
role1                   local all         read-write deny           permit permit


To delete a role, use the command:


CLI (network-admin@switch) > role-delete name <name-string>


To modify a role, use the role-modify command:


role-modify

Modify a user role.

name name-string

Specify the name of the user role.

Specify any of the following options:


access read-only|read-write

Specify the type of access. The default is read-write.

running-config|no-running-config

Specify whether to allow or deny display of the switch running configuration.

shell|no-shell

Specify to allow or deny shell access.

sudo|no-sudo

Specify whether to allow or deny use of the sudo command from the shell prompt.

delete-from-users

Remove the role from all users to which it is currently assigned.


For example, to modify a role in order to deny access to the shell, use the command:


CLI (network-admin@switch) > role-modify name <name-string> no-shell


You can create a user and assign an initial role to the user by using the user-create command. The user receives all the privileges associated with that role.


user-create

Create a user and apply a role.

Specify any of the following options:


name name-string

Specify the name of the user.

scope local|fabric

Specify the scope of the user.

initial-role role-name

Specify the initial role for the user.

login-fail-count login-fail-count-number

Specify the number of allowed authentication failures before locking the user.

lock-account|no-lock-account

Specify if you want to lock the user after the stipulated number of authentication failures.

minimum-pw-length 6..65

Specify the minimum password length for user account. The default value is 6. The number of allowed characters is between 6 and 65.


For example, to create a user user1 with local scope and initial role role1, use the command:


CLI (network-admin@switch) > user-create name user1 scope local initial-role role1
password:
confirm password:
CLI (network-admin@switch) >
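The role-show table above and the user-create command form one decision: which role a new user inherits, and what that role lets the user do. The following Python script is an added example and is not NetVisor code or tooling. It parses the role-show table exactly as printed on this page (copied here as constructed sample input), reports every role that permits shell or sudo, and checks a planned user-create against the existing roles and the documented 6..65 minimum-pw-length range. The function names and the wording of the findings are this example's own assumptions.

```python
"""Audit NetVisor role-show output before assigning an initial role to a new user.

Added example, not part of the NetVisor documentation or product.
ROLE_SHOW_OUTPUT reproduces the role-show table shown on this page.
"""
from dataclasses import dataclass

# Constructed sample: the role-show output from this page, verbatim.
ROLE_SHOW_OUTPUT = """\
name                    scope vnet-access access     running-config shell  sudo
----------------------- ----- ----------- ---------- -------------- ------ ------
network-admin           local all         read-write permit         deny   deny
read-only-network-admin local all         read-only  deny           deny   deny
role1                   local all         read-write deny           permit permit
"""

# Documented range for minimum-pw-length on user-create / user-password-set.
MIN_PW_LOWER, MIN_PW_UPPER = 6, 65

EXPECTED_COLUMNS = ["name", "scope", "vnet-access", "access",
                    "running-config", "shell", "sudo"]


@dataclass(frozen=True)
class Role:
    name: str
    scope: str
    vnet_access: str
    access: str
    running_config: str
    shell: str
    sudo: str


def parse_role_show(text):
    """Parse the whitespace-aligned role-show table into Role objects keyed by name."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    if header != EXPECTED_COLUMNS:
        raise ValueError("unexpected role-show header: %r" % header)
    roles = {}
    for ln in lines[2:]:  # skip the header row and the dashed separator
        fields = ln.split()
        if len(fields) != len(EXPECTED_COLUMNS):
            raise ValueError("malformed role-show row: %r" % ln)
        role = Role(*fields)
        roles[role.name] = role
    return roles


def audit_roles(roles):
    """Return one finding per role that can leave the CLI for a UNIX shell or run sudo."""
    findings = []
    for r in roles.values():
        if r.shell == "permit":
            findings.append("%s: shell permit (user can enter a UNIX shell)" % r.name)
        if r.sudo == "permit":
            findings.append("%s: sudo permit (shell commands can run as root)" % r.name)
    return findings


def validate_user_create(name, initial_role, roles, minimum_pw_length=6):
    """Return problems with a planned user-create command; an empty list means it is clean."""
    problems = []
    if not name:
        problems.append("user name must not be empty")
    if initial_role not in roles:
        problems.append("initial-role %r does not exist; run role-create first" % initial_role)
    if not MIN_PW_LOWER <= minimum_pw_length <= MIN_PW_UPPER:
        problems.append("minimum-pw-length %d is outside %d..%d"
                        % (minimum_pw_length, MIN_PW_LOWER, MIN_PW_UPPER))
    role = roles.get(initial_role)
    if role is not None and (role.shell == "permit" or role.sudo == "permit"):
        # Not an error in NetVisor terms, but worth a second look before granting.
        problems.append("initial-role %r grants shell/sudo; confirm this user needs it"
                        % initial_role)
    return problems


if __name__ == "__main__":
    parsed = parse_role_show(ROLE_SHOW_OUTPUT)
    for finding in audit_roles(parsed):
        print("FINDING:", finding)
    for problem in validate_user_create("user1", "role1", parsed):
        print("user-create user1:", problem)
```

Run the script as-is to see role1 flagged twice (shell and sudo) and the planned user-create for user1 annotated accordingly; replace ROLE_SHOW_OUTPUT with captured role-show output from your own switch to audit it.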


The CLI command shell starts an interactive UNIX shell. To run the shell command successfully, the authenticated user's role must permit shell access. By default, no user role, including network-admin, has shell access. For example:


CLI (network-admin@switch) > shell

shell: shell access denied by role


The above error message indicates that the network-admin role does not have shell access configured. Hence, to enter the shell prompt, you must log in from a user account whose role has shell access. For example, you can log in to the switch as user1, which was assigned the role role1 with shell access (configured previously):


PS C:\Users\user1> ssh user1@switch
* Welcome to Arista Networks Inc. Netvisor(R). This is a monitored system.   *
*                ACCESS RESTRICTED TO AUTHORIZED USERS ONLY                    *
* By using the Netvisor(R) CLI,you agree to the terms of the Arista Networks *
* End User License Agreement (EULA). The EULA can be accessed via              *
* http://www.arista.com/eula or by using the command "eula-show"     *
user1@switch's password:
Netvisor OS Command Line Interface 7.0
Connected to Switch switch; nvOS Identifier:0x900104c; Ver: 7.0.0-7000019011
CLI (user1@switch) > shell
root@switch:~$


To delete a user, use the command below (add the forcefully parameter to delete a user who is currently logged in):


CLI (network-admin@switch) > user-delete name <name-string> forcefully|no-forcefully


Use the user-modify command to modify a user:


CLI (network-admin@switch) > user-modify


user-modify

Modify an existing user.

Specify any of the following options:


password password-string

Specify a plaintext password.

login-fail-count login-fail-count-number

Specify the number of allowed authentication failures before locking the user.

lock-account|no-lock-account

Specify if you want to lock the user after the stipulated number of authentication failures.

minimum-pw-length 6..65

Specify the minimum password length for the user account (6 to 65 characters).


To set a user password or change the current password, use the command:


CLI (network-admin@switch) > user-password-set 


user-password-set

Set a user password.

name <name-string>

Specify the username.

Specify any of the following options:


scope local|fabric

Specify if the scope is local or fabric.

uid uid-number

Specify the user ID.

server aaa-tacacs-name

Specify the TACACS+ server.

initial-role role-name

Specify the initial role for the user.

login-fail-count login-fail-count-number

Specify the number of allowed authentication failures before locking the user.

lock-account|no-lock-account

Specify if you want to lock the user after the stipulated number of authentication failures.

minimum-pw-length 6..65

Specify the minimum password length for the user account (6 to 65 characters).


For example, to change the current password for user1 and raise the minimum password length to 7, use the command:


CLI (network-admin@switch) > user-password-set name user1 scope local minimum-pw-length 7
password:
confirm password:
CLI (network-admin@switch) >
