Configuring User Roles and Rules
For more information about configuring roles and rules, see the Cisco Nexus 9000 Series NX-OS Security Configuration Guide:
Creating User Roles and Rules
POST http://<mgmt0_IP>/api/mo/sys.json
{
"topSystem": {
"children": [
{
"aaaUserEp": {
"children": [
{
"aaaRole": {
"attributes": {
"descr": "This role does not allow users to use clear commands",
"name": "UserA"
},
"children": [
{
"aaaRoleRule": {
"attributes": {
"permission": "deny",
"ruleAccess": "read-write",
"ruleNumber": "2"
}}},{
"aaaRoleRule": {
"attributes": {
"cmdStr": "clear users",
"permission": "deny",
"ruleAccess": "command",
"ruleNumber": "1"
}}},{
"aaaRoleRule": {
"attributes": {
"permission": "deny",
"ruleAccess": "read-write",
"ruleNumber": "4",
"ruleScope": "feature-group",
"scopeEntity": "L3"
}}},{
"aaaRoleRule": {
"attributes": {
"permission": "deny",
"ruleAccess": "read-write",
"ruleNumber": "5",
"ruleScope": "oid",
"scopeEntity": "1.3.6.1.2.1.1.9"
}}},{
"aaaRoleRule": {
"attributes": {
"permission": "permit",
"ruleAccess": "read",
"ruleNumber": "3",
"ruleScope": "feature",
"scopeEntity": "router-bgp"
}}}]}}]}}]}}
{
imdata:[]
}
<System>
<userext-items>
<role-items>
<Role-list>
<name>UserA</name>
<descr>This role does not allow users to use clear commands</descr>
<rule-items>
<RoleRule-list>
<ruleNumber>2</ruleNumber>
<permission>deny</permission>
<ruleAccess>read-write</ruleAccess>
</RoleRule-list>
<RoleRule-list>
<ruleNumber>1</ruleNumber>
<cmdStr>clear users</cmdStr>
<permission>deny</permission>
<ruleAccess>command</ruleAccess>
</RoleRule-list>
<RoleRule-list>
<ruleNumber>4</ruleNumber>
<permission>deny</permission>
<ruleAccess>read-write</ruleAccess>
<ruleScope>feature-group</ruleScope>
<scopeEntity>L3</scopeEntity>
</RoleRule-list>
<RoleRule-list>
<ruleNumber>5</ruleNumber>
<permission>deny</permission>
<ruleAccess>read-write</ruleAccess>
<ruleScope>oid</ruleScope>
<scopeEntity>1.3.6.1.2.1.1.9</scopeEntity>
</RoleRule-list>
<RoleRule-list>
<ruleNumber>3</ruleNumber>
<permission>permit</permission>
<ruleAccess>read</ruleAccess>
<ruleScope>feature</ruleScope>
<scopeEntity>router-bgp</scopeEntity>
</RoleRule-list>
</rule-items>
</Role-list>
</role-items>
</userext-items>
</System>
You can configure up to 64 user roles. Each user role can have up to 256 rules. You can assign a user role to more than one user account.
The rule number that you specify determines the order in which the rules are applied. Rules are applied in descending order of rule number, so the highest-numbered rule is applied first. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1. In the UserA example above, rule 5 (deny read-write on the OID) is therefore applied before rule 1 (deny the clear users command).
Note: Regardless of the read-write rule configured for a user role, some commands can be executed only through the predefined network-admin role.
Before You Begin
If you want to distribute the user role configuration, enable user role configuration distribution on all Cisco NX-OS devices to which you want the configuration distributed.
CLI Commands
The following CLI commands are equivalent to the JSON (DME) and XML (YANG) payloads shown above.
role name UserA
description This role does not allow users to use clear commands
rule 1 deny command clear users
rule 2 deny read-write
rule 3 permit read feature router-bgp
rule 4 deny read-write feature-group L3
rule 5 deny read-write oid 1.3.6.1.2.1.1.9
Note: The property information for this example was added in Release 9.3(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
topSystem | sys |
aaaUserEp | sys/userext |
aaaRole | sys/userext/role-{[name]} |
aaaRoleRule | sys/userext/role-{[name]}/rule-{ruleNumber} |
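The following Python script is an added example for this page, not Cisco code. It builds the aaaRole payload shown above from a rule list, enforces the limits the page states (role name 1-16 characters, description up to 128 characters, at most 256 rules, rule numbers 1-256), lists the DNs from the table above for the read-back GET, and compares the GET reply with what was posted. The NX-API login flow (POST /api/aaaLogin.json, cookie-based session), the `rsp-subtree=full` query option, the environment variable names and SAMPLE_GET_RESPONSE are assumptions made for the example; the sample reply is constructed by hand, not captured from a switch. Unlike the page's URLs it talks to the switch over HTTPS with certificate verification.

```python
"""Build, post and verify the aaaRole payload from this section (added example)."""
import json
import os
import ssl
import urllib.request
from http.cookiejar import CookieJar

# The five rules of role UserA, as listed in the CLI block on this page.
ROLE_RULES = [
    {"ruleNumber": "1", "permission": "deny", "ruleAccess": "command",
     "cmdStr": "clear users"},
    {"ruleNumber": "2", "permission": "deny", "ruleAccess": "read-write"},
    {"ruleNumber": "3", "permission": "permit", "ruleAccess": "read",
     "ruleScope": "feature", "scopeEntity": "router-bgp"},
    {"ruleNumber": "4", "permission": "deny", "ruleAccess": "read-write",
     "ruleScope": "feature-group", "scopeEntity": "L3"},
    {"ruleNumber": "5", "permission": "deny", "ruleAccess": "read-write",
     "ruleScope": "oid", "scopeEntity": "1.3.6.1.2.1.1.9"},
]


def build_role_payload(name, descr, rules):
    """Body for POST /api/mo/sys.json that creates one role with its rules."""
    if not 1 <= len(name) <= 16:          # aaaRole.name RANGE [1, 16] on this page
        raise ValueError("role name must be 1-16 characters")
    if len(descr) > 128:                  # aaaRole.descr RANGE [0, 128]
        raise ValueError("description must be at most 128 characters")
    numbers = [int(r["ruleNumber"]) for r in rules]
    if len(numbers) > 256 or len(set(numbers)) != len(numbers) \
            or not all(1 <= n <= 256 for n in numbers):
        raise ValueError("at most 256 rules, numbered uniquely within 1-256")
    children = [{"aaaRoleRule": {"attributes": dict(r)}} for r in rules]
    role = {"aaaRole": {"attributes": {"name": name, "descr": descr},
                        "children": children}}
    return {"topSystem": {"children": [{"aaaUserEp": {"children": [role]}}]}}


def evaluation_order(rules):
    """Rule numbers in the order NX-OS applies them: highest number first."""
    return sorted((int(r["ruleNumber"]) for r in rules), reverse=True)


def verification_dns(name, rules):
    """DNs to GET after the POST, following the DN table on this page."""
    base = f"sys/userext/role-{name}"
    return [base] + [f"{base}/rule-{r['ruleNumber']}" for r in rules]


def check_role_response(imdata, name, rules):
    """Compare the imdata of GET /api/mo/<role DN>.json?rsp-subtree=full with
    the posted rules. Returns a list of discrepancies; empty means they match."""
    role = next((mo["aaaRole"] for mo in imdata if "aaaRole" in mo), None)
    if role is None or role["attributes"].get("name") != name:
        return [f"role {name} not found in response"]
    found = {}
    for child in role.get("children", []):
        rule = child.get("aaaRoleRule")
        if rule:
            found[rule["attributes"]["ruleNumber"]] = rule["attributes"]
    problems = []
    for want in rules:
        got = found.pop(want["ruleNumber"], None)
        if got is None:
            problems.append(f"rule {want['ruleNumber']} missing")
            continue
        for key, value in want.items():   # only the posted attributes are compared
            if got.get(key) != value:
                problems.append(f"rule {want['ruleNumber']}: {key}={got.get(key)!r}, expected {value!r}")
    problems.extend(f"unexpected rule {extra} present" for extra in found)
    return problems


# Constructed stand-in for a switch reply (assumed shape, not captured).
SAMPLE_GET_RESPONSE = {"totalCount": "1", "imdata": [{"aaaRole": {
    "attributes": {"name": "UserA", "dn": "sys/userext/role-UserA",
                   "descr": "This role does not allow users to use clear commands"},
    "children": [{"aaaRoleRule": {"attributes": dict(
        r, dn=f"sys/userext/role-UserA/rule-{r['ruleNumber']}")}} for r in ROLE_RULES]}}]}


def post_and_verify(host, user, password, cafile=None):
    """Log in, post the role over HTTPS, read it back and compare (hypothetical
    helper; needs 'nxapi https' on the switch and a trusted certificate)."""
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPCookieProcessor(CookieJar()))   # keeps the session cookie

    def call(method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(f"https://{host}{path}", data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with opener.open(req, timeout=15) as resp:
            return json.load(resp)

    call("POST", "/api/aaaLogin.json",
         {"aaaUser": {"attributes": {"name": user, "pwd": password}}})
    call("POST", "/api/mo/sys.json", build_role_payload(
        "UserA", "This role does not allow users to use clear commands", ROLE_RULES))
    role_dn = verification_dns("UserA", ROLE_RULES)[0]
    reply = call("GET", f"/api/mo/{role_dn}.json?rsp-subtree=full")
    return check_role_response(reply["imdata"], "UserA", ROLE_RULES)


if __name__ == "__main__":
    print("rule evaluation order:", evaluation_order(ROLE_RULES))
    print("offline check:", check_role_response(SAMPLE_GET_RESPONSE["imdata"], "UserA", ROLE_RULES) or "OK")
    if os.environ.get("NXOS_HOST"):   # assumed variable names for a live run
        print(post_and_verify(os.environ["NXOS_HOST"], os.environ["NXOS_USER"],
                              os.environ["NXOS_PASS"], os.environ.get("NXOS_CAFILE")) or "role verified")
```

Run without environment variables to exercise the payload builder and the comparison against the constructed reply; set NXOS_HOST, NXOS_USER, NXOS_PASS (and NXOS_CAFILE for a private CA) to push the role to a switch and confirm every rule came back with the attributes that were posted. A non-empty list from check_role_response is the signal to stop and inspect before assigning the role to any user account.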
aaaRole Properties
The following table contains information about the aaaRole properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
descr | pol:Descr | Description of the specified attribute | RANGE: [0 , 128] DEFAULT: new role |
name | pol:ObjName (naming:Name256) | Object name | RANGE: [1 , 16] |
aaaRoleRule Properties
The following table contains information about the aaaRoleRule properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
permission | aaa:RulePermissionType (scalar:Enum8) | Permission type permit or deny | SELECTION: 0 - none 1 - permit 2 - deny |
ruleAccess | aaa:RuleAccessType (scalar:Enum8) | Rule access type command or read or read-write | SELECTION: 0 - none 1 - read 2 - read-write 3 - command |
ruleNumber | aaa:RuleNumberType (scalar:Uint32) | Role Rule number | RANGE: [1 , 256] |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Enabling IOS Type Privilege Level Support
POST http://<mgmt0_IP>/api/mo/sys/fm.json
{
"fmEntity": {
"children": [
{
"fmPrivilege": {
"attributes": {
"adminSt": "enabled"
}}}]}}
{
imdata:[]
}
<System>
<fm-items>
<privilege-items>
<adminSt>enabled</adminSt>
</privilege-items>
</fm-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI command is equivalent to the JSON (DME) and XML (YANG) payloads shown above.
feature privilege
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
fmEntity | sys/fm |
fmPrivilege | sys/fm/privilege |
fmPrivilege Properties
The following table contains information about the fmPrivilege properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
adminSt | fm:AdminState (scalar:Enum8) | Admin status | SELECTION: 1 - enabled 2 - disabled DEFAULT: disabled |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Disabling IOS Type Privilege Level Support
POST http://<mgmt0_IP>/api/mo/sys/fm.json
{
"fmEntity": {
"children": [
{
"fmPrivilege": {
"attributes": {
"adminSt": "disabled"
}}}]}}
{
imdata:[]
}
<System>
<fm-items>
<privilege-items>
<adminSt>disabled</adminSt>
</privilege-items>
</fm-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI command is equivalent to the JSON (DME) and XML (YANG) payloads shown above.
no feature privilege
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
fmEntity | sys/fm |
fmPrivilege | sys/fm/privilege |
fmPrivilege Properties
The following table contains information about the fmPrivilege properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
adminSt | fm:AdminState (scalar:Enum8) | Admin status | SELECTION: 1 - enabled 2 - disabled DEFAULT: disabled |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring a Feature-Group Name
POST http://<mgmt0_IP>/api/mo/sys/userext.json
{
"aaaUserEp": {
"children": [
{
"aaaRoleFeatureGroup": {
"attributes": {
"groupName": "SampleString_123"
}}}]}}
{
imdata:[]
}
<System>
<userext-items>
<rolefeaturegroup-items>
<RoleFeatureGroup-list>
<groupName>SampleString_123</groupName>
</RoleFeatureGroup-list>
</rolefeaturegroup-items>
</userext-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI command is equivalent to the JSON (DME) and XML (YANG) payloads shown above.
role feature-group name SampleString_123
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
aaaUserEp | sys/userext |
aaaRoleFeatureGroup | sys/userext/rolefeaturegroup-SampleString_123 |
aaaRoleFeatureGroup Properties
The following table contains information about the aaaRoleFeatureGroup properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
groupName | string:Basic | Enter feature-group name | RANGE: [1 , 32] |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Deleting a Feature-Group Name
POST http://<mgmt0_IP>/api/mo/sys/userext.json
{
"aaaUserEp": {
"children": [
{
"aaaRoleFeatureGroup": {
"attributes": {
"groupName": "SampleString_123",
"status": "deleted"
}}}]}}
{
imdata:[]
}
<System>
<userext-items>
<rolefeaturegroup-items>
<RoleFeatureGroup-list nc:operation="delete">
<groupName>SampleString_123</groupName>
</RoleFeatureGroup-list>
</rolefeaturegroup-items>
</userext-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI command is equivalent to the JSON (DME) and XML (YANG) payloads shown above.
no role feature-group name SampleString_123
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
aaaUserEp | sys/userext |
aaaRoleFeatureGroup | sys/userext/rolefeaturegroup-SampleString_123 |
aaaRoleFeatureGroup Properties
The following table contains information about the aaaRoleFeatureGroup properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
groupName | string:Basic | Enter feature-group name | RANGE: [1 , 32] |
status | mo:ModificationStatus (scalar:Bitmask32) | Modification status of the object in this payload; set to deleted to remove the object (the model reference describes this property as for internal use) | SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring the Range of VLANs Accessible to the Role
POST http://<mgmt0_IP>/api/mo/sys/userext.json
{
"aaaUserEp": {
"children": [
{
"aaaRole": {
"attributes": {
"denyVLAN": "yes",
"name": "RoleName"
},
"children": [
{
"aaaPermitVlan": {
"attributes": {
"vlanRange": "vlan-3113"
}}}]}}]}}
{
imdata:[]
}
<System>
<userext-items>
<role-items>
<Role-list>
<name>RoleName</name>
<denyVLAN>yes</denyVLAN>
<permitvlan-items>
<PermitVlan-list>
<vlanRange>vlan-3113</vlanRange>
</PermitVlan-list>
</permitvlan-items>
</Role-list>
</role-items>
</userext-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the JSON (DME) and XML (YANG) payloads shown above.
role name RoleName
vlan policy deny
permit vlan 3113
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
aaaUserEp | sys/userext |
aaaRole | sys/userext/role-[RoleName] |
aaaPermitVlan | sys/userext/role-[RoleName]/permitvlan-[vlan-3113] |
aaaRole Properties
The following table contains information about the aaaRole properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
denyVLAN | aaa:Boolean (scalar:Enum8) | Deny all VLAN except allowed ones | SELECTION: 0 - no 1 - yes DEFAULT: no |
name | pol:ObjName (naming:Name256) | Object name | MAX SIZE: 64 |
aaaPermitVlan Properties
The following table contains information about the aaaPermitVlan properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
vlanRange | base:Encap | Enter the vlan range | SELECTION: unknown, vlan-%d or vxlan-%d |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Deleting the Range of VLANs Accessible to the Role
POST http://<mgmt0_IP>/api/mo/sys/userext.json
{
"aaaUserEp": {
"children": [
{
"aaaRole": {
"attributes": {
"denyVLAN": "yes",
"name": "RoleName"
},
"children": [
{
"aaaPermitVlan": {
"attributes": {
"status": "deleted",
"vlanRange": "vlan-3113"
}}}]}}]}}
{
imdata:[]
}
<System>
<userext-items>
<role-items>
<Role-list>
<name>RoleName</name>
<denyVLAN>yes</denyVLAN>
<permitvlan-items>
<PermitVlan-list nc:operation="delete">
<vlanRange>vlan-3113</vlanRange>
</PermitVlan-list>
</permitvlan-items>
</Role-list>
</role-items>
</userext-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the JSON (DME) and XML (YANG) payloads shown above.
role name RoleName
vlan policy deny
no permit vlan 3113
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
aaaUserEp | sys/userext |
aaaRole | sys/userext/role-[RoleName] |
aaaPermitVlan | sys/userext/role-[RoleName]/permitvlan-[vlan-3113] |
aaaRole Properties
The following table contains information about the aaaRole properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
denyVLAN | aaa:Boolean (scalar:Enum8) | Deny all VLAN except allowed ones | SELECTION: 0 - no 1 - yes DEFAULT: no |
name | pol:ObjName (naming:Name256) | Object name | MAX SIZE: 64 |
aaaPermitVlan Properties
The following table contains information about the aaaPermitVlan properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
status | mo:ModificationStatus (scalar:Bitmask32) | Modification status of the object in this payload; set to deleted to remove the object (the model reference describes this property as for internal use) | SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced |
vlanRange | base:Encap | Enter the vlan range | SELECTION: unknown, vlan-%d or vxlan-%d |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring a Feature Name
POST http://<mgmt0_IP>/api/mo/sys/userext.json
{
"aaaUserEp": {
"children": [
{
"aaaRoleFeatureGroup": {
"attributes": {
"groupName": "GrpName"
},
"children": [
{
"aaaFeatureName": {
"attributes": {
"name": "SampleString_123"
}}}]}}]}}
{
imdata:[]
}
<System>
<userext-items>
<rolefeaturegroup-items>
<RoleFeatureGroup-list>
<groupName>GrpName</groupName>
<featurename-items>
<FeatureName-list>
<name>SampleString_123</name>
</FeatureName-list>
</featurename-items>
</RoleFeatureGroup-list>
</rolefeaturegroup-items>
</userext-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the JSON (DME) and XML (YANG) payloads shown above.
role feature-group name GrpName
feature SampleString_123
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
aaaUserEp | sys/userext |
aaaRoleFeatureGroup | sys/userext/rolefeaturegroup-GrpName |
aaaFeatureName | sys/userext/rolefeaturegroup-GrpName/featurename-SampleString_123 |
aaaRoleFeatureGroup Properties
The following table contains information about the aaaRoleFeatureGroup properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
groupName | string:Basic | Enter feature-group name | RANGE: [1 , 32] |
aaaFeatureName Properties
The following table contains information about the aaaFeatureName properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
name | string:Basic | Enter the feature name | RANGE: [1 , 32] |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Deleting a Feature Name
POST http://<mgmt0_IP>/api/mo/sys/userext.json
{
"aaaUserEp": {
"children": [
{
"aaaRoleFeatureGroup": {
"attributes": {
"groupName": "GrpName"
},
"children": [
{
"aaaFeatureName": {
"attributes": {
"name": "SampleString_123",
"status": "deleted"
}}}]}}]}}
{
imdata:[]
}
<System>
<userext-items>
<rolefeaturegroup-items>
<RoleFeatureGroup-list>
<groupName>GrpName</groupName>
<featurename-items>
<FeatureName-list nc:operation="delete">
<name>SampleString_123</name>
</FeatureName-list>
</featurename-items>
</RoleFeatureGroup-list>
</rolefeaturegroup-items>
</userext-items>
</System>
Note: This example was added in Release 9.3(3).
CLI Commands
The following CLI commands are equivalent to the JSON (DME) and XML (YANG) payloads shown above.
role feature-group name GrpName
no feature SampleString_123
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
aaaUserEp | sys/userext |
aaaRoleFeatureGroup | sys/userext/rolefeaturegroup-GrpName |
aaaFeatureName | sys/userext/rolefeaturegroup-GrpName/featurename-SampleString_123 |
aaaRoleFeatureGroup Properties
The following table contains information about the aaaRoleFeatureGroup properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
groupName | string:Basic | Enter feature-group name | RANGE: [1 , 32] |
aaaFeatureName Properties
The following table contains information about the aaaFeatureName properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
name | string:Basic | Enter the feature name | RANGE: [1 , 32] |
status | mo:ModificationStatus (scalar:Bitmask32) | Modification status of the object in this payload; set to deleted to remove the object (the model reference describes this property as for internal use) | SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide: