CLI Commands for Role-Based Access

The main commands for role-based access are summarized in the following table:

CLI Commands for Role-Based Access

| Task | Command | Description |
|------|---------|-------------|
| Reviewing User and Role Assignments | show usernames | |
| | show usernames assignment <all \| alias> | Show user assignments, including roles, locks, and lock-shares |
| | show role assignment <all \| alias> | Show a role's users, assigned ports, and description |
| | show port assignment <all, box-id, port-list, slot> | Show the roles assigned to a port at each permission level |
| | show port access <all, box-id, slot> | Show the roles that can access a port, including any locks and lock-shares in place |
| Specifying Authentication Methods and Order | aaa authentication login default [list of authentication methods] | Set the order of authentication methods (refer to Configuring AAA on page 932) |
| | aaa authorization map order <local-only \| remote-first \| remote-only> | Change the authorization mode (refer to Configuring AAA on page 932) |
| | aaa authorization map default-user <local-user-name> | Set the default mapped user |
| Creating and Removing Roles | [no] aaa authorization roles role <role_name> | Define a new role |
| | [no] aaa authorization roles role <role_name> description "role" | Define a new role with a description |
| Assigning and Removing Roles for Users | [no] username <user_name> roles add <roles separated by space(s)> | Assign roles to a user |
| | no username <user_name> roles all | Remove all of a user's roles, except the Default role |
| | username <user-name> roles replace <roles separated by space(s)> | Replace the current role set with a new role set |
| Assigning and Removing Roles and Locks from Ports | [no] port <ids> assign role <role_name> [level 1\|2\|3] | Assign a role to a port; the default level is 1 |
| | no port <ids> assign role all | Remove all assigned roles from the specified port(s) |
| | [no] port <ids> lock | Lock port(s) |
| | [no] port <ids> lock user <username> | Used by an administrator to lock ports for another user |
| | [no] port <ids> lock-share user <user name> | Used by the lock owner to share access to a port at the sharer's permission level |
| | no port <ids> lock-share all | Remove all lock-shares |
| | [no] port <ids> tool-share role <role> | Assign or remove roles from a port's tool-share list |
| Enabling Extra Roles in AAA Servers | [no] tacacs-server extra-user-params roles enable | Enable extra roles (refer to Configuring AAA on page 932) |
| | [no] radius-server extra-user-params roles enable | |
| | [no] ldap extra-user-params roles enable | |