Configuring User Roles and Rules

For more information about configuring roles and rules, see the Cisco Nexus 9000 Series NX-OS Security Configuration Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-installation-and-configuration-guides-list.html/

Creating User Roles and Rules

You can configure up to 64 user roles. Each user role can have up to 256 rules. You can assign a user role to more than one user account.

The rule number that you specify determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.

Note: Regardless of the read-write rule configured for a user role, some commands can be executed only through the predefined network-admin role.

Before You Begin

If you want to distribute the user role configuration, enable user role configuration distribution on all Cisco NX-OS devices to which you want the configuration distributed.

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

role name UserA
 description This role does not allow users to use clear commands
 rule 1 deny command clear users
 rule 2 deny read-write
 rule 3 permit read feature router-bgp
 rule 4 deny read-write feature-group L3
 rule 5 deny read-write oid 1.3.6.1.2.1.1.9

Note: The property information for this example was added in Release 9.3(3).

Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
topSystem	sys
aaaUserEp	sys/userext
aaaRole	sys/userext/role-{[name]}
aaaRoleRule	sys/userext/role-{[name]}/rule-{ruleNumber}

aaaRole Properties

The following table contains information about the aaaRole properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
descr	pol:Descr	Description of the specified attribute	RANGE: [0 , 128] DEFAULT: new role
name	pol:ObjName (naming:Name256)	Object name	RANGE: [1 , 16]

aaaRoleRule Properties

The following table contains information about the aaaRoleRule properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
permission	aaa:RulePermissionType (scalar:Enum8)	Permission type permit or deny	SELECTION: 0 - none 1 - permit 2 - deny
ruleAccess	aaa:RuleAccessType (scalar:Enum8)	Rule access type command or read or read-write	SELECTION: 0 - none 1 - read 2 - read-write 3 - command
ruleNumber	aaa:RuleNumberType (scalar:Uint32)	Role Rule number	RANGE: [1 , 256]

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Enabling IOS Type Privilege Level Support

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

feature privilege

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
fmEntity	sys/fm
fmPrivilege	sys/fm/privilege

fmPrivilege Properties

The following table contains information about the fmPrivilege properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
adminSt	fm:AdminState (scalar:Enum8)	Admin status	SELECTION: 1 - enabled 2 - disabled DEFAULT: disabled

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Disabling IOS Type Privilege Level Support

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

no feature privilege

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
fmEntity	sys/fm
fmPrivilege	sys/fm/privilege

fmPrivilege Properties

The following table contains information about the fmPrivilege properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
adminSt	fm:AdminState (scalar:Enum8)	Admin status	SELECTION: 1 - enabled 2 - disabled DEFAULT: disabled

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring a Feature-Group Name

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

role feature-group name SampleString_123

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
aaaUserEp	sys/userext
aaaRoleFeatureGroup	sys/userext/rolefeaturegroup-SampleString_123

aaaRoleFeatureGroup Properties

The following table contains information about the aaaRoleFeatureGroup properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
groupName	string:Basic	Enter feature-group name	RANGE: [1 , 32]

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting a Feature-Group Name

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

no role feature-group name SampleString_123

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
aaaUserEp	sys/userext
aaaRoleFeatureGroup	sys/userext/rolefeaturegroup-SampleString_123

aaaRoleFeatureGroup Properties

The following table contains information about the aaaRoleFeatureGroup properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
groupName	string:Basic	Enter feature-group name	RANGE: [1 , 32]
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring the Range of VLANs Accessible to the Role

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

role name RoleName
  vlan policy deny
   permit vlan 3113

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
aaaUserEp	sys/userext
aaaRole	sys/userext/role-[RoleName]
aaaPermitVlan	sys/userext/role-[RoleName]/permitvlan-[vlan-3113]

aaaRole Properties

The following table contains information about the aaaRole properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
denyVLAN	aaa:Boolean (scalar:Enum8)	Deny all VLAN except allowed ones	SELECTION: 0 - no 1 - yes DEFAULT: no
name	pol:ObjName (naming:Name256)	Object name	MAX SIZE: 64

aaaPermitVlan Properties

The following table contains information about the aaaPermitVlan properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
vlanRange	base:Encap	Enter the vlan range	SELECTION: unknown, vlan-%d or vxlan-%d

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting the Range of VLANs Accessible to the Role

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

role name RoleName
  vlan policy deny
   no permit vlan 3113

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
aaaUserEp	sys/userext
aaaRole	sys/userext/role-[RoleName]
aaaPermitVlan	sys/userext/role-[RoleName]/permitvlan-[vlan-3113]

aaaRole Properties

The following table contains information about the aaaRole properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
denyVLAN	aaa:Boolean (scalar:Enum8)	Deny all VLAN except allowed ones	SELECTION: 0 - no 1 - yes DEFAULT: no
name	pol:ObjName (naming:Name256)	Object name	MAX SIZE: 64

aaaPermitVlan Properties

The following table contains information about the aaaPermitVlan properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced
vlanRange	base:Encap	Enter the vlan range	SELECTION: unknown, vlan-%d or vxlan-%d

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring a Feature Name

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

role feature-group name GrpName
  feature SampleString_123

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
aaaUserEp	sys/userext
aaaRoleFeatureGroup	sys/userext/rolefeaturegroup-GrpName
aaaFeatureName	sys/userext/rolefeaturegroup-GrpName/featurename-SampleString_123

aaaRoleFeatureGroup Properties

The following table contains information about the aaaRoleFeatureGroup properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
groupName	string:Basic	Enter feature-group name	RANGE: [1 , 32]

aaaFeatureName Properties

The following table contains information about the aaaFeatureName properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
name	string:Basic	Enter the feature name	RANGE: [1 , 32]

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting a Feature Name

Note: This example was added in Release 9.3(3).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

role feature-group name GrpName
  no feature SampleString_123

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
aaaUserEp	sys/userext
aaaRoleFeatureGroup	sys/userext/rolefeaturegroup-GrpName
aaaFeatureName	sys/userext/rolefeaturegroup-GrpName/featurename-SampleString_123

aaaRoleFeatureGroup Properties

The following table contains information about the aaaRoleFeatureGroup properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
groupName	string:Basic	Enter feature-group name	RANGE: [1 , 32]

aaaFeatureName Properties

The following table contains information about the aaaFeatureName properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
name	string:Basic	Enter the feature name	RANGE: [1 , 32]
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html