Outlines user authorization rules, clarifying permission structures for operational and configuration command access within Role-Based Access Control.
The user authorization rules for operational commands are based simply on the username. Any user who is allowed to log in to the Cisco IOS XE Catalyst SD-WAN device can execute most of the operational commands. However, only the admin user can issue commands that affect the fundamental operation of the device, such as installing and upgrading the software and shutting down the device.
Any user can issue the config command to enter configuration mode. In configuration mode, users are allowed to issue any general configuration command. Also, users can configure their passwords using the system aaa user self password password command and then commit the configuration change. For the actual commands that configure device operation, authorization is defined according to user group membership. See User group authorization rules for configuration commands.
This table lists the AAA authorization rules for general CLI commands. All the commands are operational commands except as noted. Also, some commands available to the "admin" user are available only if that user is in the "netadmin" user group.
| CLI Command | Any User | Admin User |
|---|---|---|
| clear history | X | X |
| commit confirm | X | X |
| complete-on-space | X | X |
| config | X | X |
| exit | X | X |
| file | X | X |
| help | X | X |
| [no] history | X | X |
| idle-timeout | X | X |
| job | X | X |
| logout | — | X (users in netadmin group only) |
| monitor | X | X |
| nslookup | X | X |
| paginate | X | X |
| ping | X (users in netadmin group only) | X (users in netadmin group only) |
| poweroff | — | X (users in netadmin group only) |
| prompt1 | X | X |
| prompt2 | X | X |
| quit | X | X |
| reboot | — | X (users in netadmin group only) |
| request aaa, request admin-tech, request firmware, request interface-reset, request nms, request reset, request software | — | X (users in netadmin group only) |
| request execute, request download, request upload | X | X |
| request (everything else) | — | X |
| rollback (configuration mode command) | — | X (users in netadmin group only) |
| screen-length | X | X |
| screen-width | X | X |
| show cli | X | X |
| show configuration commit list | X | X |
| show history | X | X |
| show jobs | X | X |
| show parser dump | X | X |
| show running-config | X | X |
| show users | X | X |
| system aaa user self password password (configuration mode command) (Note: a user cannot delete themselves) | | |
| tcpdump | X | X |
| timestamp | X | X |
| tools ip-route | X | X |
| tools netstat | X | X |
| tools nping | X | X |
| traceroute | X | X |
| vshell | X (In Cisco vManage Release 20.9.5, the vshell command is unavailable to users who are not in the netadmin group.) | X (AAA-authorized access to vshell is limited to users in the netadmin group.) |
User group authorization rules for operational commands
This table lists the user group authorization rules for operational commands.
| Operational Command | Interface | Policy | Routing | Security | System |
|---|---|---|---|---|---|
| clear app | X | | | | |
| clear app-route | X | | | | |
| clear arp | X | | | | |
| clear bfd | X | X | | | |
| clear bgp | X | X | | | |
| clear bridge | X | | | | |
| clear cellular | X | | | | |
| clear control | X | | | | |
| clear crash | X | | | | |
| clear dhcp | X | | | | |
| clear dns | X | | | | |
| clear igmp | X | | | | |
| clear installed-certificates | X | | | | |
| clear interface | X | | | | |
| clear ip | X | | | | |
| clear notification | X | | | | |
| clear omp | X | | | | |
| clear orchestrator | X | | | | |
| clear ospf | X | | | | |
| clear pim | X | | | | |
| clear policy | X | | | | |
| clear pppoe | X | | | | |
| clear system | X | | | | |
| clear tunnel | X | | | | |
| clear wlan | X | | | | |
| clear ztp | X | X | | | |
| clock | X | | | | |
| debug bgp | X | | | | |
| debug cellular | X | | | | |
| debug cflowd | X | | | | |
| debug chmgr | X | | | | |
| debug config-mgr | X | | | | |
| debug dhcp-client | X | | | | |
| debug dhcp-helper | X | | | | |
| debug dhcp-server | X | | | | |
| debug fpm | X | | | | |
| debug ftm | X | | | | |
| debug igmp | X | | | | |
| debug netconf | X | | | | |
| debug omp | X | | | | |
| debug ospf | X | | | | |
| debug pim | X | | | | |
| debug resolver | X | | | | |
| debug snmp | X | | | | |
| debug sysmgr | X | | | | |
| debug transport | X | | | | |
| debug ttm | X | | | | |
| debug vdaemon | X | X | | | |
| debug vrrp | X | | | | |
| debug wlan | X | | | | |
| request certificate | X | | | | |
| request control-tunnel | X | | | | |
| request controller | X | | | | |
| request controller-upload | X | | | | |
| request csr | X | | | | |
| request device | X | | | | |
| request device-upload | X | | | | |
| request on-vbond-controller | X | | | | |
| request port-hop | X | | | | |
| request root-cert-chain | X | | | | |
| request security | X | | | | |
| request vedge | X | | | | |
| request vedge-upload | X | | | | |
| request vsmart-upload | X | | | | |
| show aaa | X | | | | |
| show app | X | | | | |
| show app-route | X | | | | |
| show arp | X | | | | |
| show bfd | X | X | | | |
| show bgp | X | | | | |
| show boot-partition | X | | | | |
| show bridge | X | | | | |
| show cellular | X | | | | |
| show certificate | X | | | | |
| show clock | X | | | | |
| show control | X | X | | | |
| show crash | X | | | | |
| show debugs (same as debug commands) | | | | | |
| show dhcp | X | | | | |
| show external-nat | X | X | | | |
| show hardware | X | | | | |
| show igmp | X | | | | |
| show interface | X | | | | |
| show ip | X | X | | | |
| show ipsec | X | | | | |
| show licenses | X | | | | |
| show logging | X | | | | |
| show multicast | X | | | | |
| show nms-server | X | | | | |
| show notification | X | | | | |
| show ntp | X | | | | |
| show omp | X | X | X | | |
| show orchestrator | X | | | | |
| show ospf | X | | | | |
| show pim | X | | | | |
| show policer | X | | | | |
| show policy | X | | | | |
| show ppp | X | | | | |
| show pppoe | X | | | | |
| show reboot | X | | | | |
| show security-info | X | | | | |
| show software | X | | | | |
| show system | X | | | | |
| show transport | X | | | | |
| show tunnel | X | | | | |
| show uptime | X | | | | |
| show users | X | | | | |
| show version | X | | | | |
| show vrrp | X | | | | |
| show wlan | X | | | | |
| show ztp | X | | | | |
User group authorization rules for configuration commands
This table lists the user group authorization rules for configuration commands.
| Configuration Command | Interface | Policy | Routing | Security | System |
|---|---|---|---|---|---|
| apply-policy | X | | | | |
| banner | X | | | | |
| bfd | X | X | | | |
| bridge | X | | | | |
| omp | X | X | X | | |
| policy | X | | | | |
| security | X | X | | | |
| snmp | X | | | | |
| system | X | | | | |
| vpn interface | X | | | | |
| vpn ip | X | | | | |
| vpn router | X | | | | |
| vpn service | X | | | | |
| vpn (everything else, including creating, deleting, and naming) | X | | | | |
| wlan | X | | | | |