Cisco Nexus 3000 and 9000 Series NX-API REST SDK and API, Release 7.x
NX-OS 7(x)
Creating User Roles and Rules
DME
YANG
Copy
POST http://<mgmt0_IP>/api/mo/sys.json

{
  "topSystem": {
    "children": [
      {
        "aaaUserEp": {
          "children": [
            {
              "aaaRole": {
                "attributes": {
                  "descr": "This role does not allow users to use clear commands",
                  "name": "UserA"
                },
                "children": [
                  {
                    "aaaRoleRule": {
                      "attributes": {
                        "permission": "deny",
                        "ruleAccess": "read-write",
                        "ruleNumber": "2"
}}},{
                    "aaaRoleRule": {
                      "attributes": {
                        "cmdStr": "clear users",
                        "permission": "deny",
                        "ruleAccess": "command",
                        "ruleNumber": "1"
}}},{
                    "aaaRoleRule": {
                      "attributes": {
                        "permission": "deny",
                        "ruleAccess": "read-write",
                        "ruleNumber": "4",
                        "ruleScope": "feature-group",
                        "scopeEntity": "L3"
}}},{
                    "aaaRoleRule": {
                      "attributes": {
                        "permission": "deny",
                        "ruleAccess": "read-write",
                        "ruleNumber": "5",
                        "ruleScope": "oid",
                        "scopeEntity": "1.3.6.1.2.1.1.9"
}}},{
                    "aaaRoleRule": {
                      "attributes": {
                        "permission": "permit",
                        "ruleAccess": "read",
                        "ruleNumber": "3",
                        "ruleScope": "feature",
                        "scopeEntity": "router-bgp"
}}}]}}]}}]}}

Response
{
    imdata:[]
}

Copy
<System>
  <userext-items>
    <role-items>
      <Role-list>
        <name>UserA</name>
        <descr>This role does not allow users to use clear commands</descr>
        <rule-items>
          <RoleRule-list>
            <ruleNumber>2</ruleNumber>
            <permission>deny</permission>
            <ruleAccess>read-write</ruleAccess>
          </RoleRule-list>
          <RoleRule-list>
            <ruleNumber>1</ruleNumber>
            <cmdStr>clear users</cmdStr>
            <permission>deny</permission>
            <ruleAccess>command</ruleAccess>
          </RoleRule-list>
          <RoleRule-list>
            <ruleNumber>4</ruleNumber>
            <permission>deny</permission>
            <ruleAccess>read-write</ruleAccess>
            <ruleScope>feature-group</ruleScope>
            <scopeEntity>L3</scopeEntity>
          </RoleRule-list>
          <RoleRule-list>
            <ruleNumber>5</ruleNumber>
            <permission>deny</permission>
            <ruleAccess>read-write</ruleAccess>
            <ruleScope>oid</ruleScope>
            <scopeEntity>1.3.6.1.2.1.1.9</scopeEntity>
          </RoleRule-list>
          <RoleRule-list>
            <ruleNumber>3</ruleNumber>
            <permission>permit</permission>
            <ruleAccess>read</ruleAccess>
            <ruleScope>feature</ruleScope>
            <scopeEntity>router-bgp</scopeEntity>
          </RoleRule-list>
        </rule-items>
      </Role-list>
    </role-items>
  </userext-items>
</System>

Creating User Roles and Rules

Creating User Roles and Rules

You can configure up to 64 user roles. Each user role can have up to 256 rules. You can assign a user role to more than one user account.

The rule number that you specify determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.

Note: Regardless of the read-write rule configured for a user role, some commands can be executed only through the predefined network-admin role.


Before You Begin

If you want to distribute the user role configuration, enable user role configuration distribution on all Cisco NX-OS devices to which you want the configuration distributed.

Note: This example was added in Release 7.0(3)I7(2).


CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

role name UserA
 description This role does not allow users to use clear commands
 rule 1 deny command clear users
 rule 2 deny read-write
 rule 3 permit read feature router-bgp
 rule 4 deny read-write feature-group L3
 rule 5 deny read-write oid 1.3.6.1.2.1.1.9

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Next