You can configure privilege level support for authorization on TACACS+ servers. Unlike Cisco IOS devices, which use privilege levels to determine authorization, Cisco NX-OS devices use role-based access control (RBAC). To enable both types of devices to be administered by the same TACACS+ servers, you can map the privilege levels configured on TACACS+ servers to user roles configured on Cisco NX-OS devices.
When a user authenticates with a TACACS+ server, the privilege level is obtained and used to form a local user role name of the format “priv-n,” where n is the privilege level. The user assumes the permissions of this local role. Sixteen privilege levels, which map directly to corresponding user roles, are available.
The following table shows the user role permissions that correspond to each privilege level.

| Privilege Level | User Role Permissions |
| --- | --- |
| 15 | network-admin permissions |
| 14 | vdc-admin permissions |
| 13 - 1 | Standalone role permissions, if the feature privilege command is disabled. Same permissions as privilege level 0 with cumulative privileges for roles, if the feature privilege command is enabled. |
| 0 | Permission to execute show commands and exec commands (such as ping, trace, and ssh). |

Note: When the feature privilege command is enabled, privilege roles inherit the permissions of lower-level privilege roles.
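The following is an added model of the mapping described above, not Cisco code: it derives the local "priv-n" role from a TACACS+ authorization reply, shows how the effective permissions differ with the feature privilege command disabled versus enabled, and flags which server-side users land in the admin roles (levels 14 and 15). It assumes the server returns the standard TACACS+ `priv-lvl` attribute; the permission strings are summaries of the table, not the device's real command set.

```python
"""Model of the NX-OS privilege-level-to-role mapping (constructed example,
not Cisco code). Assumes the TACACS+ server returns the standard
`priv-lvl=<n>` attribute; permission strings summarise the table above."""
import re

# Permission summaries per level, taken from the table; levels 1-13 have no
# fixed entry because their content depends on `feature privilege`.
LEVEL_PERMISSIONS = {
    15: "network-admin permissions",
    14: "vdc-admin permissions",
    0: "show and exec commands (ping, trace, ssh)",
}
ADMIN_LEVELS = {14, 15}


def role_name(priv_lvl):
    """Form the local role name 'priv-n', rejecting anything outside 0-15."""
    if not isinstance(priv_lvl, int) or not 0 <= priv_lvl <= 15:
        raise ValueError(f"privilege level outside 0-15: {priv_lvl!r}")
    return f"priv-{priv_lvl}"


def parse_priv_lvl(av_pairs):
    """Pull the level out of authorization AV pairs such as 'priv-lvl=15'
    ('=' marks a mandatory attribute, '*' an optional one, per TACACS+)."""
    for pair in av_pairs:
        m = re.fullmatch(r"priv-lvl[=*](\d+)", pair.strip())
        if m:
            return int(m.group(1))
    raise ValueError("no priv-lvl attribute in authorization reply")


def effective_permissions(priv_lvl, feature_privilege_enabled):
    """Permissions granted to priv-<n>. Disabled: 1-13 are standalone roles.
    Enabled: each role inherits every lower role, starting from level 0."""
    role_name(priv_lvl)  # range check
    if not feature_privilege_enabled:
        return [LEVEL_PERMISSIONS.get(
            priv_lvl, f"standalone permissions of priv-{priv_lvl}")]
    return [LEVEL_PERMISSIONS.get(lvl, f"role permissions of priv-{lvl}")
            for lvl in range(priv_lvl + 1)]


def admin_mappings(authz_replies):
    """Audit helper: which users' server-side levels land in admin roles."""
    return {user: role_name(parse_priv_lvl(pairs))
            for user, pairs in authz_replies.items()
            if parse_priv_lvl(pairs) in ADMIN_LEVELS}
```

Running `admin_mappings` over a dump of per-user authorization replies gives a quick inventory of who the TACACS+ server is effectively granting network-admin or vdc-admin on every NX-OS device that trusts it.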