Creating User Roles and Rules

POST http://<mgmt0_IP>/api/mo/sys.json
{
  "topSystem": {
    "children": [
      {
        "aaaUserEp": {
          "children": [
            {
              "aaaRole": {
                "attributes": {
                  "descr": "This role does not allow users to use clear commands",
                  "name": "UserA"
                },
                "children": [
                  {
                    "aaaRoleRule": {
                      "attributes": {
                        "permission": "deny",
                        "ruleAccess": "read-write",
                        "ruleNumber": "2"
                      }
                    }
                  },
                  {
                    "aaaRoleRule": {
                      "attributes": {
                        "cmdStr": "clear users",
                        "permission": "deny",
                        "ruleAccess": "command",
                        "ruleNumber": "1"
                      }
                    }
                  },
                  {
                    "aaaRoleRule": {
                      "attributes": {
                        "permission": "deny",
                        "ruleAccess": "read-write",
                        "ruleNumber": "4",
                        "ruleScope": "feature-group",
                        "scopeEntity": "L3"
                      }
                    }
                  },
                  {
                    "aaaRoleRule": {
                      "attributes": {
                        "permission": "deny",
                        "ruleAccess": "read-write",
                        "ruleNumber": "5",
                        "ruleScope": "oid",
                        "scopeEntity": "1.3.6.1.2.1.1.9"
                      }
                    }
                  },
                  {
                    "aaaRoleRule": {
                      "attributes": {
                        "permission": "permit",
                        "ruleAccess": "read",
                        "ruleNumber": "3",
                        "ruleScope": "feature",
                        "scopeEntity": "router-bgp"
                      }
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    ]
  }
}
{
    imdata:[]
}
<System>
  <userext-items>
    <role-items>
      <Role-list>
        <name>UserA</name>
        <descr>This role does not allow users to use clear commands</descr>
        <rule-items>
          <RoleRule-list>
            <ruleNumber>2</ruleNumber>
            <permission>deny</permission>
            <ruleAccess>read-write</ruleAccess>
          </RoleRule-list>
          <RoleRule-list>
            <ruleNumber>1</ruleNumber>
            <cmdStr>clear users</cmdStr>
            <permission>deny</permission>
            <ruleAccess>command</ruleAccess>
          </RoleRule-list>
          <RoleRule-list>
            <ruleNumber>4</ruleNumber>
            <permission>deny</permission>
            <ruleAccess>read-write</ruleAccess>
            <ruleScope>feature-group</ruleScope>
            <scopeEntity>L3</scopeEntity>
          </RoleRule-list>
          <RoleRule-list>
            <ruleNumber>5</ruleNumber>
            <permission>deny</permission>
            <ruleAccess>read-write</ruleAccess>
            <ruleScope>oid</ruleScope>
            <scopeEntity>1.3.6.1.2.1.1.9</scopeEntity>
          </RoleRule-list>
          <RoleRule-list>
            <ruleNumber>3</ruleNumber>
            <permission>permit</permission>
            <ruleAccess>read</ruleAccess>
            <ruleScope>feature</ruleScope>
            <scopeEntity>router-bgp</scopeEntity>
          </RoleRule-list>
        </rule-items>
      </Role-list>
    </role-items>
  </userext-items>
</System>

You can configure up to 64 user roles. Each user role can have up to 256 rules. You can assign a user role to more than one user account.

The rule number that you specify determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.

Note: Regardless of the read-write rule configured for a user role, some commands can be executed only through the predefined network-admin role.


Before You Begin

If you want to distribute the user role configuration, enable user role configuration distribution on all Cisco NX-OS devices to which you want the configuration distributed.

Note: This example was added in Release 7.0(3)I7(2).


CLI Commands

The CLI commands below are equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form of the same role configuration.

role name UserA
 description This role does not allow users to use clear commands
 rule 1 deny command clear users
 rule 2 deny read-write
 rule 3 permit read feature router-bgp
 rule 4 deny read-write feature-group L3
 rule 5 deny read-write oid 1.3.6.1.2.1.1.9
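The following is an added example, not Cisco's code: it builds the aaaRole DME payload shown above from the CLI-style rule lines, enforces the 256-rules-per-role limit and unique rule numbers, reports the descending order in which the text says rules are applied, and posts the result to /api/mo/sys.json. The `post_payload` function assumes an NX-API DME session cookie named APIC-cookie obtained from a prior login; the management IP, cookie value and HTTPS scheme are placeholders.

```python
import json
import urllib.request

MAX_RULES_PER_ROLE = 256  # limit stated on this page

def parse_rule(line):
    """Parse 'rule N permit|deny ACCESS [command words | SCOPE ENTITY]' into aaaRoleRule attributes."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"malformed rule line: {line!r}")
    attrs = {"ruleNumber": tok[1], "permission": tok[2], "ruleAccess": tok[3]}
    if tok[3] == "command":       # command rules carry cmdStr and no scope
        attrs["cmdStr"] = " ".join(tok[4:])
    elif len(tok) >= 6:           # read / read-write rules may be scoped (feature, feature-group, oid)
        attrs["ruleScope"], attrs["scopeEntity"] = tok[4], tok[5]
    return attrs

def build_role_payload(name, descr, rule_lines):
    """Return the topSystem > aaaUserEp > aaaRole > aaaRoleRule tree shown on this page."""
    if len(rule_lines) > MAX_RULES_PER_ROLE:
        raise ValueError(f"a role may hold at most {MAX_RULES_PER_ROLE} rules")
    rules = [parse_rule(l) for l in rule_lines]
    numbers = [r["ruleNumber"] for r in rules]
    if len(numbers) != len(set(numbers)):
        raise ValueError("duplicate rule numbers")
    role = {"aaaRole": {"attributes": {"descr": descr, "name": name},
                        "children": [{"aaaRoleRule": {"attributes": r}} for r in rules]}}
    return {"topSystem": {"children": [{"aaaUserEp": {"children": [role]}}]}}

def evaluation_order(payload):
    """Rule numbers in the order the text says NX-OS applies them: highest number first."""
    role = payload["topSystem"]["children"][0]["aaaUserEp"]["children"][0]["aaaRole"]
    return sorted((int(c["aaaRoleRule"]["attributes"]["ruleNumber"]) for c in role["children"]), reverse=True)

def post_payload(mgmt_ip, cookie, payload):
    """POST the payload to /api/mo/sys.json; 'cookie' is an assumed NX-API DME session cookie value."""
    req = urllib.request.Request(f"https://{mgmt_ip}/api/mo/sys.json", method="POST",
                                 data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json", "Cookie": f"APIC-cookie={cookie}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)    # a successful create returns an empty imdata list, as shown on this page

USERA_RULES = [  # the CLI lines from this page, placed in a constructed list
    "rule 1 deny command clear users",
    "rule 2 deny read-write",
    "rule 3 permit read feature router-bgp",
    "rule 4 deny read-write feature-group L3",
    "rule 5 deny read-write oid 1.3.6.1.2.1.1.9",
]
```

Call `build_role_payload("UserA", "This role does not allow users to use clear commands", USERA_RULES)` to reproduce the JSON payload above; `evaluation_order` on that payload returns `[5, 4, 3, 2, 1]`.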

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide: https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html