Create User Profiles and Assign Privileges

User profiles and privileges are authentication, authorization, and accounting (AAA) configurations that control access to System Admin configurations on the NCS 1004.

To create user profiles and assign privileges, you must

  • create user profiles with usernames and passwords for authentication,

  • specify command rules that define which commands users can execute,

  • specify data rules that control access to configuration data elements, and

  • apply these rules to user groups.

User authentication and authorization

You can use a username and a password for authentication. On successful authentication, you can execute commands and access data elements that are based on the command rules and data rules. Users who are part of a user group have access privileges to the system as defined in the command rules and data rules for that user group.

Use the show run aaa command in the System Admin Config mode to view existing AAA configurations.

Topics covered in this chapter

This chapter covers these topics:

  • Create a user profile: Create individual user accounts with authentication credentials.

  • Create a user group: Organize users into groups for easier privilege management.

  • Create command rules: Define which commands users can read and execute.

  • Create data rules: Control user access to configuration data elements.

  • Change disaster-recovery username and password: Configure emergency access credentials.

Create a user profile

Users are included in a user group and assigned specific privileges, which provide restricted access to the commands and configurations in the System Admin console.

NCS 1004 supports up to 1,024 user profiles.


Note


System Admin users are different from XR users. Therefore, the username and password of a System Admin user cannot be used to access the XR, and the other way round.


As an XR user, you can access the System Admin by entering the admin command in the XR EXEC mode. NCS 1004 does not prompt you to enter any username and password. As an XR user, you have full access to the System Admin console.

Procedure


Step 1

Enter the admin command to access System Admin EXEC mode.

Example:

RP/0/RP0/CPU0:ios# admin

Step 2

Enter the config command to access System Admin config mode.

Example:

sysadmin-vm:0_RP0# config

Step 3

Enter the aaa authentication users user user_name command to create a new user and enter user configuration mode.

Example:

sysadmin-vm:0_RP0#(config)# aaa authentication users user us1

Step 4

Enter the password password command to specify the user password for user authentication.

Example:

sysadmin-vm:0_RP0#(config-user-us1)# password pwd1

Step 5

Enter the uid user_id_value command to specify the user ID.

Example:

sysadmin-vm:0_RP0#(config-user-us1)# uid 100

Enter any 32-bit integer.

Step 6

Enter the gid group_id_value command to specify the group ID.

Example:

sysadmin-vm:0_RP0#(config-user-us1)# gid 50

Enter any 32-bit integer.

Step 7

Enter the ssh_keydir ssh_keydir command to specify the SSH key directory.

Example:

sysadmin-vm:0_RP0#(config-user-us1)# ssh_keydir dir1

Specify any alphanumeric value.

Step 8

Enter the homedir homedir command to specify the home directory.

Example:

sysadmin-vm:0_RP0#(config-user-us1)# homedir dir2

Specify any alphanumeric value.

Step 9

Enter the commit or end command to save the configuration.

The commit command saves the configuration changes and remains within the configuration session.

The end command prompts you to take one of these actions:

  • Yes: saves configuration changes and exits the configuration session.

  • No: exits the configuration session without committing the configuration changes.

  • Cancel: remains in the configuration session without committing the configuration changes.


What to do next

After creating a user profile, complete these tasks:

  • Create a user group that includes the user profile that is created in this task. See Create a user group for details.

  • Create command rules that apply to the user group. See Create command rules for details.

  • Create data rules that apply to the user group. See Create data rules for details.

Create a user group

NCS 1004 supports up to 32 user groups.

Before you begin

Create a user profile

Procedure


Step 1

Enter the admin command to access System Admin EXEC mode.

Example:

RP/0/RP0/CPU0:ios# admin

Step 2

Enter the config command to access System Admin config mode.

Example:

sysadmin-vm:0_RP0# config

Step 3

Enter the aaa authentication groups group group_name command to create a new user group and enter group configuration mode.

Example:

sysadmin-vm:0_RP0#(config)# aaa authentication groups group gr1

Note

The system creates the user group 'root-system' automatically when you create the root user. The root user is a member of this group. Users added to this group receive root user permissions.

Step 4

Enter the users user_name command to specify the name of the user that must be part of the user group.

Example:

sysadmin-vm:0_RP0#(config-group-gr1)# users us1

You can specify multiple usernames that are enclosed within double quotes. For example, users "user1 user2 ...".

Step 5

Enter the gid group_id_value command to specify the group ID.

Example:

sysadmin-vm:0_RP0#(config-group-gr1)# gid 50

Enter any 32-bit integer.

Step 6

Enter the commit or end command to save the configuration.

The commit command saves the configuration changes and remains within the configuration session.

The end command prompts you to take one of these actions:

  • Yes: saves configuration changes and exits the configuration session.

  • No: exits the configuration session without committing the configuration changes.

  • Cancel: remains in the configuration session without committing the configuration changes.


What to do next

After creating a user group, complete these tasks:

  • Create command rules that apply to the user group. See Create command rules for details.

  • Create data rules that apply to the user group. See Create data rules for details.

Create command rules

Use this procedure to create command rules that control which commands users can read and execute.

Command rules are guidelines you can define for a user group to permit or deny access to specific commands. You can associate command rules with a user group and apply them to all users in that group.

You can create a command rule by specifying whether to permit or deny an operation on a command.

This table lists the possible operation and permission combinations.

Operation             | Accept permission                                          | Reject permission
Read (R)              | Displays the command on the CLI when you enter "?"         | Does not display the command on the CLI when you enter "?"
Execute (X)           | Executes the command from the CLI                          | Cannot execute the command from the CLI
Read and execute (RX) | Displays the command on the CLI and can execute the command | Command is neither visible nor executable from the CLI

Permissions are set to reject by default.

Each command rule is identified by an associated number. When you apply multiple command rules to a user group, the command rule with the lower number takes precedence. For example, cmdrule5 permits read access, while cmdrule10 rejects read access. When both command rules are applied to the same user group, users in this group get read access because cmdrule5 takes precedence.

For example, you can create a command rule to deny read and execute permissions for the show platform command.

Before you begin

Create a user group. For details, see Create a user group.

Procedure


Step 1

Enter the admin command to access System Admin EXEC mode.

Example:

RP/0/RP0/CPU0:ios# admin

Step 2

Enter the config command to access System Admin config mode.

Example:

sysadmin-vm:0_RP0# config

Step 3

Enter the aaa authorization cmdrules cmdrule command_rule_number command to create a command rule.

Example:

sysadmin-vm:0_RP0#(config)# aaa authorization cmdrules cmdrule 1100

This command specifies a numeric value as the command rule number. You can enter a 32-bit integer.

Important

Do not use numbers 1 to 1000 because they are reserved by Cisco.

This command creates a new command rule if it does not already exist. It then enters the command rule configuration mode. In this example, command rule 1100 is created.

Note

By default, the system creates cmdrule 1 when the root-system user is created. This command rule provides accept permission to read and execute operations for all commands. Therefore, the root user has no restrictions imposed on it, unless cmdrule 1 is modified.

Step 4

Enter the command command_name command to specify the command for which permission is controlled.

Example:

sysadmin-vm:0_RP0#(config-cmdrule-1100)# command "show platform"

Entering an asterisk (*) for the command applies the rule to all commands.

Step 5

Enter the ops operation command to specify the operation for which permission must be set.

Example:

sysadmin-vm:0_RP0#(config-cmdrule-1100)# ops rx

The operation can be one of these:

  • r: read

  • x: execute

  • rx: read and execute

Step 6

Enter the action {accept | accept_log | reject} command to specify whether users are permitted or denied the use of the operation.

Example:

sysadmin-vm:0_RP0#(config-cmdrule-1100)# action reject

This command specifies whether users are permitted or denied the use of the operation:

  • accept: Users are permitted to perform the operation.

  • accept_log: Users are permitted to perform the operation and every access attempt is logged.

  • reject: Users are restricted from performing the operation.

Step 7

Enter the group user_group_name command to specify the user group to which the command rule applies.

Example:

sysadmin-vm:0_RP0#(config-cmdrule-1100)# group gr1

Step 8

Enter the context connection_type command to specify the connection type to which this rule applies.

Example:

sysadmin-vm:0_RP0#(config-cmdrule-1100)# context *

The connection type can be netconf (Network Configuration Protocol), cli (Command Line Interface), or xml (Extensible Markup Language). Entering an asterisk (*) applies the command rule to all connection types.

Step 9

Enter the commit or end command to save the configuration.

The commit command saves the configuration changes and remains within the configuration session.

The end command prompts you to take one of these actions:

  • Yes: saves configuration changes and exits the configuration session.

  • No: exits the configuration session without committing the configuration changes.

  • Cancel: remains in the configuration session without committing the configuration changes.


What to do next

Create data rules. See Create data rules for details.

Create data rules

Use this procedure to create data rules that control user access to configuration data elements.

Data rules determine whether users in a user group can access and modify configuration data elements. Data rules are linked to a user group and apply to all users within that group.

Each data rule is identified by an associated number. When a user group has multiple data rules, the rule with the lowest number takes precedence.

To create data rules, you must complete these subtasks:

  1. Configure the data rule parameters

  2. Apply data rule to user group
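The precedence and default-reject semantics stated for command rules (the cmdrule5 versus cmdrule10 illustration) and for data rules are easiest to reason about when you can run them. The following Python model is an added example, not Cisco code: it encodes only what this chapter states (the lowest-numbered matching rule wins, permission is reject when no rule matches, w stands for create, update and delete, and * matches every command, keypath or connection type). The rule sets CMD_RULES and DATA_RULES are constructed in the style of the chapter's examples, and a keypath is assumed to match either exactly or via *.

```python
"""Model of System Admin command-rule and data-rule evaluation.

Added example, not Cisco code: it encodes the semantics this chapter states
(lowest rule number wins, permission is reject by default, 'w' stands for
create, update and delete). A keypath is assumed to match exactly or via "*"."""
from dataclasses import dataclass


@dataclass
class Rule:
    number: int          # rule number; the lowest matching number takes precedence
    target: str          # command name (cmdrule) or keypath (datarule); "*" matches all
    ops: str             # letters from r, x (cmdrule) or c, d, u, w, r, x (datarule)
    action: str          # "accept", "accept_log" or "reject"
    groups: frozenset    # user groups the rule is applied to
    context: str = "*"   # "cli", "netconf", "xml" or "*"


def expand_ops(ops: str) -> set:
    """Expand the ops letters; 'w' is shorthand for create, update and delete."""
    expanded = set()
    for letter in ops:
        expanded.update("cud" if letter == "w" else letter)
    return expanded


def matches(rule: Rule, target: str, op: str, groups: set, context: str) -> bool:
    """True when the rule applies to this target, operation, group set and connection type."""
    return (rule.target in ("*", target)
            and op in expand_ops(rule.ops)
            and bool(rule.groups & groups)
            and rule.context in ("*", context))


def decide(rules, groups, target, op, context="cli"):
    """Action of the lowest-numbered matching rule; reject when nothing matches."""
    hits = sorted((r for r in rules if matches(r, target, op, groups, context)),
                  key=lambda r: r.number)
    return hits[0].action if hits else "reject"


# Constructed rule sets in the style of this chapter's examples. cmdrule 1 and
# datarule 1 are the defaults the chapter says the system creates for root-system;
# the other numbers are chosen above the reserved range 1-1000.
CMD_RULES = [
    Rule(1, "*", "rx", "accept", frozenset({"root-system"})),
    Rule(1005, "show version", "r", "accept", frozenset({"gr1"}), context="cli"),
    Rule(1010, "show version", "r", "reject", frozenset({"gr1"})),
    Rule(1100, "show platform", "rx", "reject", frozenset({"gr1"})),
    Rule(1200, "show version", "x", "accept_log", frozenset({"gr1"})),
]
DATA_RULES = [
    Rule(1, "*", "rwx", "accept", frozenset({"root-system"})),
    Rule(1100, "/aaa/disaster-recovery", "rw", "reject", frozenset({"gr1"})),
    Rule(1300, "/aaa/disaster-recovery", "r", "accept", frozenset({"gr1"})),
    Rule(1400, "*", "r", "accept", frozenset({"gr1"})),
]

if __name__ == "__main__":
    for grp, tgt, op, ctx in [({"gr1"}, "show version", "r", "cli"),
                              ({"gr1"}, "show version", "r", "netconf"),
                              ({"gr1"}, "show platform", "x", "cli"),
                              ({"gr1"}, "/aaa/disaster-recovery", "c", "cli")]:
        rules = DATA_RULES if tgt.startswith("/") else CMD_RULES
        print(f"{sorted(grp)} {op} {tgt} via {ctx}: {decide(rules, grp, tgt, op, ctx)}")
```

Running the block shows that a gr1 user reads show version over the CLI (rule 1005 wins over 1010) but not over NETCONF (1005 is CLI-only, so 1010 applies), and that datarule 1300 never grants read on /aaa/disaster-recovery because datarule 1100, with the lower number, already rejects it; a rule intended to open access must therefore carry a lower number than any rule that closes it.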

Before you begin

Create a user group. For details, see Create a user group.

Procedure


Step 1

Configure the data rule parameters. See Configure data rule parameters for details.

Step 2

Apply data rule to user group. See Apply data rule to user group for details.


Configure data rule parameters

Use this procedure to create a data rule and configure its basic parameters.

This is the first subtask for creating data rules. In this subtask, you create the data rule, specify the data element keypath, define the operations, and set the permission action.

Before you begin

Create a user group. For details, see Create a user group.

Procedure


Step 1

Enter the admin command to access the System Admin EXEC mode.

Example:

RP/0/RP0/CPU0:ios# admin

Step 2

Enter the config command to access the System Admin config mode.

Example:

sysadmin-vm:0_RP0# config

Step 3

Enter the aaa authorization datarules datarule data_rule_number command to create a data rule.

Example:

sysadmin-vm:0_RP0#(config)# aaa authorization datarules datarule 1100

This command specifies a numeric value as the data rule number. You can enter a 32-bit integer.

Important

Do not use numbers 1 to 1000 because they are reserved by Cisco.

This command creates a new data rule and enters the data rule configuration mode. In the example, data rule 1100 is created.

Note

The system creates data rule 1 by default when the root-system user is created. This data rule provides accept permission to read, write, and execute operations for all the configuration data. As a result, the root user has no restrictions unless data rule 1 is modified.

Step 4

Enter the keypath keypath command to specify the key path of the data element.

Example:

sysadmin-vm:0_RP0#(config-datarule-1100)# keypath /aaa/disaster-recovery

The key path is an expression that defines the location of the data element. Entering an asterisk (*) as the keypath applies the data rule to all the configuration data.

Step 5

Enter the ops operation command to specify the operation for which permission is set.

Example:

sysadmin-vm:0_RP0#(config-datarule-1100)# ops rw

Use these letters to identify various operations:

  • c: create

  • d: delete

  • u: update

  • w: write (a combination of create, update, and delete)

  • r: read

  • x: execute

Step 6

Enter the action {accept | accept_log | reject} command to specify whether users may perform the operation.

Example:

sysadmin-vm:0_RP0#(config-datarule-1100)# action reject

This command specifies whether to permit or deny users to perform the operation:

  • accept: permit users to perform the operation.

  • accept_log: permit users to perform the operation and log every access attempt.

  • reject: restrict users from performing the operation.


What to do next

Apply the data rule to a user group. For details, see Apply data rule to user group.

Apply data rule to user group

Use this procedure to apply a data rule to a user group and finalize the configuration.

This is the second subtask for creating data rules. In this subtask, you apply the data rule to a user group. You also specify the connection context and namespace, and then commit the configuration.

Before you begin

Configure data rule parameters. For details, see Configure data rule parameters.

Procedure


Step 1

Enter the group user_group_name command to specify the user group to which the data rule applies.

Example:

sysadmin-vm:0_RP0#(config-datarule-1100)# group gr1

You can also specify multiple group names.

Step 2

Enter the context connection_type command to specify the connection type to which this rule applies.

Example:

sysadmin-vm:0_RP0#(config-datarule-1100)# context *

The connection type can be netconf (Network Configuration Protocol), cli (Command Line Interface), or xml (Extensible Markup Language). Entering an asterisk (*) applies the data rule to all connection types.

Step 3

Enter the namespace namespace command to specify the namespace.

Example:

sysadmin-vm:0_RP0#(config-datarule-1100)# namespace *

Entering an asterisk (*) applies the data rule to all namespace values.

Step 4

Enter the commit or end command to save the configuration.

The commit command saves the configuration changes and remains within the configuration session.

The end command prompts you to take one of these actions:

  • Yes: saves configuration changes and exits the configuration session.

  • No: exits the configuration session without committing the configuration changes.

  • Cancel: remains in the configuration session without committing the configuration changes.


Change disaster-recovery user name and password

Use this procedure to configure or change the disaster-recovery user name and password for emergency access scenarios.

After you start NCS 1004, define the root-system user name and password. You can use this user name and password for disaster recovery in System Admin mode. You can change the user name and password if needed.

The disaster-recovery user name and password can be used in these scenarios:

  • Access the system when the AAA database is corrupted.

  • Access the system through the management port when the System Admin console is not working.

  • Use the disaster-recovery user name and password in System Admin to create new users if you forget the regular user name and password.

The AAA database is the default source for authentication in System Admin.


Note


You can have only one disaster-recovery user name and password at any time.


Before you begin

Create a user profile. For details, see Create a user profile.

Procedure


Step 1

Enter the admin command to access the System Admin EXEC mode.

Example:

RP/0/RP0/CPU0:ios# admin

Step 2

Enter the config command to access the System Admin config mode.

Example:

sysadmin-vm:0_RP0# config

Step 3

Enter the aaa disaster-recovery username username password password command to specify the disaster-recovery user name and password.

Example:

sysadmin-vm:0_RP0#(config)# aaa disaster-recovery username us1 password pwd1

You must select an existing user as the disaster-recovery user.

In the example, 'us1' is the disaster-recovery user and the password is 'pwd1'. You can enter the password as a plain-text string or as an MD5 digest.

To use the disaster recovery user name, you must enter it as username@localhost.

Step 4

Enter the commit or end command to save the configuration.

The commit command saves the configuration changes and remains within the configuration session.

The end command prompts you to take one of these actions:

  • Yes: saves configuration changes and exits the configuration session.

  • No: exits the configuration session without committing the configuration changes.

  • Cancel: remains in the configuration session without committing the configuration changes.
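Several constraints in this chapter are easy to violate when AAA configuration is assembled by hand: rule numbers 1 to 1000 are reserved, a user who belongs to no group gets no command or data rules, any user added to root-system receives root permissions, and the disaster-recovery user must be an existing user. The following Python auditor is an added example, not Cisco code, that checks a configuration for those conditions and for wildcard accept rules granted to non-root groups. SAMPLE_CONFIG is constructed in the syntax of the commands shown in this chapter and is not verbatim show run aaa output; the root user is assumed to be named root.

```python
"""Audit a System Admin AAA configuration for the pitfalls this chapter calls out.
Added example, not Cisco code. SAMPLE_CONFIG is constructed in the syntax of the
chapter's commands, not verbatim 'show run aaa' output; root user assumed 'root'."""
import shlex

RESERVED = range(1, 1001)  # rule numbers 1 to 1000 are reserved by Cisco

SAMPLE_CONFIG = """\
aaa authentication users user us1
 uid 100
 gid 50
 password pwd1
!
aaa authentication users user us2
 gid 50
!
aaa authentication users user us3
 gid 50
!
aaa authentication groups group root-system
 users "root us2"
 gid 0
!
aaa authentication groups group gr1
 users "us1 us2"
 gid 50
!
aaa authorization cmdrules cmdrule 500
 command "show platform"
 ops rx
 action reject
 group gr1
!
aaa authorization cmdrules cmdrule 1100
 command *
 ops rx
 action accept
 group gr1
!
aaa authorization datarules datarule 1200
 keypath /aaa/disaster-recovery
 ops rw
 action reject
 group gr1
 namespace *
!
aaa disaster-recovery username us9 password pwd9
"""


def parse_blocks(text):
    """Pair each top-level 'aaa ...' line with its indented sub-lines, tokenised."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(shlex.split(line))
        else:
            blocks.append((shlex.split(line), []))
    return blocks


def audit(text):
    """Return a sorted list of findings for the configuration text."""
    users, groups, rules, dr_user = set(), {}, [], None
    for head, body in parse_blocks(text):
        if head[:4] == ["aaa", "authentication", "users", "user"]:
            users.add(head[4])
        elif head[:4] == ["aaa", "authentication", "groups", "group"]:
            # users "a b" arrives as one quoted token; split it on whitespace
            groups[head[4]] = {u for sub in body if sub[0] == "users"
                               for u in " ".join(sub[1:]).split()}
        elif head[:2] == ["aaa", "authorization"]:
            rule = {"kind": head[3], "number": int(head[4])}
            for sub in body:  # group may list several names; other values are scalars
                rule[sub[0]] = sub[1:] if sub[0] == "group" else " ".join(sub[1:])
            rules.append(rule)
        elif head[:3] == ["aaa", "disaster-recovery", "username"]:
            dr_user = head[3]
    findings = []
    for r in rules:
        label = f"{r['kind']} {r['number']}"
        if r["number"] in RESERVED:
            findings.append(f"{label}: number is in the reserved range 1-1000")
        target = r.get("command", r.get("keypath"))
        if (target == "*" and r.get("action", "reject").startswith("accept")
                and not set(r.get("group", [])) <= {"root-system"}):
            findings.append(f"{label}: wildcard {r['action']} of ops {r.get('ops')} "
                            f"on every target for group(s) {' '.join(r['group'])}")
    grouped = set().union(*groups.values()) if groups else set()
    for u in sorted(users - grouped):
        findings.append(f"user {u}: not in any user group, so no rules apply")
    for u in sorted(groups.get("root-system", set()) - {"root"}):
        findings.append(f"user {u}: member of root-system and so has root permissions")
    if dr_user and dr_user not in users:
        findings.append(f"disaster-recovery user {dr_user} is not a configured user")
    return sorted(findings)
```

Calling audit(SAMPLE_CONFIG) reports cmdrule 500 (reserved number), cmdrule 1100 (wildcard accept for gr1), us2 (root-system member), us3 (no group) and us9 (disaster-recovery user that does not exist); datarule 1200 passes. The parser keys only on the command words shown in this chapter, so adapt parse_blocks if your exported configuration is laid out differently.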