Creating Users and Roles
In NetVisor OS, the default roles are network-admin, which has full access to the switch, and read-only-network-admin, which is limited to executing show commands. In addition, you can configure custom roles with different permissions.
You can create users on the switch and assign roles to them, either the default roles (network-admin and read-only-network-admin) or roles created with the role-create command. To create a new user role, use the command:
CLI (network-admin@switch) > role-create
role-create | Create a user role.
name name-string | Specify the name of the user role.
scope local|fabric | Specify if the scope is local or fabric.
Specify any of the following options:
access read-only|read-write | Specify the type of access. The default is read-write.
running-config|no-running-config | Specify to allow or deny displaying the running configuration of the switch.
shell|no-shell | Specify to allow or deny shell access.
sudo|no-sudo | Specify to permit or deny the sudo command from the shell prompt.
For example, to create a user role named role1 with local scope, shell access, and permission to run sudo from the shell, use the command:
CLI (network-admin@switch) > role-create name role1 scope local shell sudo
To display the role configuration, use the command:
CLI (network-admin@switch) > role-show
name                    scope vnet-access access     running-config shell  sudo
----------------------- ----- ----------- ---------- -------------- ------ ------
network-admin           local all         read-write permit         deny   deny
read-only-network-admin local all         read-only  deny           deny   deny
role1                   local all         read-write deny           permit permit
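Reviewing role-show output by eye is error-prone once a fabric has many custom roles. The following added example (not part of the NetVisor documentation or the product itself) parses the column-aligned text that role-show prints and reports every non-default role that grants shell access, sudo, or read-write access. The sample output embedded in the script is constructed to match the table above; the function and variable names are the example's own.

```python
"""Audit NetVisor OS role definitions for privileged permissions.

Added example, not part of the NetVisor documentation. It parses the
column-aligned text that `role-show` prints and flags roles that grant
shell access, sudo, or read-write access, so a reviewer can spot
over-privileged custom roles quickly.
"""

# Constructed sample of `role-show` output, matching the table on this page.
SAMPLE_ROLE_SHOW = """\
name                    scope vnet-access access     running-config shell  sudo
----------------------- ----- ----------- ---------- -------------- ------ ------
network-admin           local all         read-write permit         deny   deny
read-only-network-admin local all         read-only  deny           deny   deny
role1                   local all         read-write deny           permit permit
"""

# Built-in roles whose privileges are known and not reported by default.
DEFAULT_ROLES = ("network-admin", "read-only-network-admin")

# Column/value pairs that give a role control beyond show commands.
PRIVILEGED = (
    ("shell", "permit"),       # interactive UNIX shell on the switch
    ("sudo", "permit"),        # sudo from that shell
    ("access", "read-write"),  # configuration changes via the CLI
)


def parse_role_show(text):
    """Return a list of dicts, one per role, keyed by the header columns.

    role-show columns are whitespace-separated and the values themselves
    contain no spaces, so splitting on whitespace is sufficient. The dashed
    separator line is skipped; a row with the wrong field count is an error
    rather than silently misattributed to the wrong column.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    roles = []
    for line in lines[1:]:
        if line.startswith("-"):
            continue
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError(f"unexpected role-show row: {line!r}")
        roles.append(dict(zip(header, fields)))
    return roles


def find_privileged_roles(roles, baseline=DEFAULT_ROLES):
    """Map each role not in `baseline` to the privileged settings it carries.

    Each hit is reported as "column=value" (for example "shell=permit");
    roles with no privileged settings are omitted from the result.
    """
    findings = {}
    for role in roles:
        if role["name"] in baseline:
            continue
        hits = [f"{col}={val}" for col, val in PRIVILEGED if role.get(col) == val]
        if hits:
            findings[role["name"]] = hits
    return findings


def audit(text=SAMPLE_ROLE_SHOW):
    """Parse role-show output and return {role_name: [privileged settings]}."""
    return find_privileged_roles(parse_role_show(text))


if __name__ == "__main__":
    for name, hits in audit().items():
        print(f"{name}: {', '.join(hits)}")
```

Run it against captured role-show output (for example, piped from an SSH session) to get a short list of custom roles to review; on the sample above it reports only role1, with shell=permit, sudo=permit and access=read-write. Pass an empty baseline to find_privileged_roles to include the default roles in the report as well.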
To delete a role, use the command:
CLI (network-admin@switch) > role-delete name <name-string>
To modify a role, use the role-modify command:
role-modify | Modify a user role.
name name-string | Specify the name of the user role.
Specify any of the following options:
access read-only|read-write | Specify the type of access. The default is read-write.
running-config|no-running-config | Specify to allow or deny displaying the running configuration of the switch.
shell|no-shell | Specify to allow or deny shell access.
sudo|no-sudo | Specify to allow or deny the sudo command from the shell.
delete-from-users | Delete the role from the users it is assigned to.
For example, to modify a role in order to deny access to the shell, use the command:
CLI (network-admin@switch) > role-modify name <name-string> no-shell
You can create a user and assign an initial role to the user by using the user-create command. The user receives all the privileges associated with that role.
user-create | Create a user and apply a role.
Specify any of the following options:
name name-string | Specify the name of the user.
scope local|fabric | Specify the scope of the user.
initial-role role-name | Specify the initial role for the user.
login-fail-count login-fail-count-number | Specify the number of allowed authentication failures before locking the user.
lock-account|no-lock-account | Specify if you want to lock the user after the stipulated number of authentication failures.
minimum-pw-length 6..65 | Specify the minimum password length for the user account. The default value is 6. The number of allowed characters is between 6 and 65.
For example, to create a user user1 with local scope and initial role role1, use the command:
CLI (network-admin@switch) > user-create name user1 scope local initial-role role1
password:
confirm password:
CLI (network-admin@switch) >
The CLI command shell starts an interactive UNIX shell. To run the shell command successfully, the authenticated user's role must permit shell access. By default, no role, including network-admin, has shell access. For example:
CLI (network-admin@switch) > shell
shell: shell access denied by role
The above error message indicates that the network-admin role does not have shell access configured. To enter the shell prompt, you must log in from a user account whose role has shell access. For example, you can log in to the switch as user1, which has the role role1 with shell access (configured previously). Note that the shell that opens is a root shell on the switch's underlying operating system, so grant shell and sudo only to roles that genuinely need them:
PS C:\Users\user1> ssh user1@switch
* Welcome to Arista Networks Inc. Netvisor(R). This is a monitored system. *
* ACCESS RESTRICTED TO AUTHORIZED USERS ONLY *
* By using the Netvisor(R) CLI,you agree to the terms of the Arista Networks *
* End User License Agreement (EULA). The EULA can be accessed via *
* http://www.arista.com/eula or by using the command "eula-show" *
user1@switch's password:
Netvisor OS Command Line Interface 7.0
Connected to Switch switch; nvOS Identifier:0x900104c; Ver: 7.0.0-7000019011
CLI (user1@switch) > shell
root@switch:~$
To delete a user, use the command below (add the forcefully parameter to delete an active user):
CLI (network-admin@switch) > user-delete name <name-string> forcefully|no-forcefully
Use the user-modify command to modify a user:
CLI (network-admin@switch) > user-modify
user-modify | Modify an existing user.
Specify any of the following options:
password password-string | Specify a plaintext password.
login-fail-count login-fail-count-number | Specify the number of allowed authentication failures before locking the user.
lock-account|no-lock-account | Specify if you want to lock the user after the stipulated number of authentication failures.
minimum-pw-length 6..65 | Specify the minimum password length for the user account.
To set a user password or change the current password, use the command:
CLI (network-admin@switch) > user-password-set
user-password-set | Set a user password.
name name-string | Specify the username.
Specify any of the following options:
scope local|fabric | Specify if the scope is local or fabric.
uid uid-number | Specify the user ID.
server aaa-tacacs-name | Specify the TACACS+ server.
initial-role role-name | Specify the initial role for the user.
login-fail-count login-fail-count-number | Specify the number of allowed authentication failures before locking the user.
lock-account|no-lock-account | Specify if you want to lock the user after the stipulated number of authentication failures.
minimum-pw-length 6..65 | Specify the minimum password length for the user account.
For example, to change the current password for user1 and set the minimum password length to 7, use the command:
CLI (network-admin@switch) > user-password-set name user1 scope local minimum-pw-length 7
password:
confirm password:
CLI (network-admin@switch) >