Cisco Systems A9K24X10GETR manual User Access Privileges, User Groups, Task Groups, and Task IDs

Models: A9KMOD80TR A9K24X10GETR ASR 9000


Chapter 3 Configuring General Router Features

Logging In to a Router


For example, the following prompt indicates that the CLI commands are executed on the RP in rack 0, slot RSP0, by the “CPU0” module on a router named “router”:

RP/0/RSP0/CPU0:router#

User Access Privileges

When you log in to the router, your username and password are used to determine if you are authorized to access the router. After you successfully log in, your username is used to determine which commands you are allowed to use. The following sections provide information on how the router determines which commands you can use:

User Groups, Task Groups, and Task IDs, page 3-7

Predefined User Groups, page 3-8

Viewing Your User Groups and Task IDs, page 3-8

User Groups, Task Groups, and Task IDs

The Cisco IOS XR software ensures security by combining tasks a user wants to perform (task IDs) into groups, defining which router configuration and management functions users can perform. This policy is enabled by the definition of:

User groups—A collection of users that share similar authorization rights on a router.

Task groups—Defined by a collection of task IDs for each class of action.

Task IDs—Define permission to perform particular tasks; pooled into a task group that is then assigned to users.

The commands each user can perform are defined by the user groups to which he or she belongs. Commands for a particular feature, like access control lists, are assigned to tasks. Each task is uniquely identified by a task ID. If a user wants to use a particular command, his or her username must be associated with the appropriate task ID. The association between a username and a task ID takes place through two intermediate entities, the user group and task group.

The user group is a logical container used to assign the same task IDs to multiple users. Instead of assigning task IDs to each user, assign them to the user group. Then assign users to that user group. When a task is assigned to a user group, define the access rights for the commands associated with that task. These rights include “read,” “write,” “execute,” and “notify.”

The task group is also a logical container, but it groups tasks. Instead of assigning task IDs to each user group, you assign them to a task group. This allows you to quickly enable access to a specific set of tasks by assigning a task group to a user group. Users are not assigned to groups by default and must be explicitly assigned by an administrator.

Note: Only root-system users (root-lr users) or users associated with the WRITE:AAA task ID can configure task groups.
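The resolution chain described above (username, user group, task group, task ID with rights) can be modeled offline to audit who ends up with which rights. The following is an added example, not code from the Cisco guide: all usernames and group names are constructed, "acl" and "aaa" are used as illustrative task IDs, and merging rights as a union across groups is an assumption of this sketch.

```python
# Constructed sample data: usernames and group names are hypothetical.
RIGHTS = {"read", "write", "execute", "notify"}

# Task group -> {task ID: access rights}
TASK_GROUPS = {
    "acl-view": {"acl": {"read"}},
    "acl-edit": {"acl": {"read", "write"}},
    "aaa-admin": {"aaa": {"read", "write"}},
}
# User group -> task groups assigned to it
USER_GROUPS = {
    "noc": ["acl-view"],
    "sec-eng": ["acl-edit", "aaa-admin"],
    "root-system": [],  # handled specially, per the Note above
}
# Username -> user groups; nobody is in a group unless explicitly assigned
USERS = {
    "alice": ["noc"],
    "bob": ["noc", "sec-eng"],
    "carol": ["root-system"],
    "dave": [],
}
ROOT_GROUPS = {"root-system", "root-lr"}

def effective_rights(user):
    """Rights per task ID reached via user group -> task group (union assumed)."""
    merged = {}
    for ug in USERS.get(user, []):
        for tg in USER_GROUPS.get(ug, []):
            for task, rights in TASK_GROUPS.get(tg, {}).items():
                unknown = rights - RIGHTS
                if unknown:
                    raise ValueError(f"unknown rights {unknown} in task group {tg}")
                merged.setdefault(task, set()).update(rights)
    return merged

def is_authorized(user, task, right):
    """True if the user holds the given right on the given task ID."""
    return right in effective_rights(user).get(task, set())

def can_configure_task_groups(user):
    """Root-system/root-lr membership or WRITE:AAA, as stated in the Note."""
    in_root = bool(ROOT_GROUPS & set(USERS.get(user, [])))
    return in_root or is_authorized(user, "aaa", "write")

def audit_task_group_admins():
    """Every user able to change task groups; review this list for least privilege."""
    return sorted(u for u in USERS if can_configure_task_groups(u))

if __name__ == "__main__":
    for u in sorted(USERS):
        print(u, effective_rights(u), can_configure_task_groups(u))
```

Here "bob" gains WRITE:AAA only indirectly, through a second user group, which is the kind of privilege accumulation this audit is meant to surface.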

Cisco ASR 9000 Series Aggregation Services Router Getting Started Guide

 

OL-17502-01

3-7

 

 

 
