Role-Based Access Control (RBAC)
This feature permits more granular control of management privileges than the default user accounts provide, enabling equipment managers to ensure that network administrators can access only the functions necessary to perform their duties.
In the RBAC model, each local user account is assigned a role, which defines the commands and permissions available to that user. In ArubaOS-Switch, a device may have as many as 64 roles configured, each with its own rules. The types of roles available are divided into three categories:
Three default roles: operator, manager, and default-security-group
16 system-defined roles: Level-0 to Level-15
45 user roles
The operator and manager roles are as described earlier, and are assigned using the password operator and password manager commands, respectively. Users assigned to the default-security-group role are restricted to viewing, copying, and clearing the device security log.
Of the 16 system-defined roles, four are predefined and 12 are user-modifiable. The predefined roles provide the following access and permissions:
Network-Diagnostic (Level-0) can run only basic diagnostic commands, including ping, tracert, ssh, and telnet.
Network-Operator (Level-1) adds the ability to run show and display commands, with the exception of show history and display history.
Designated-Administrator (Level-9) can run all commands except user management and authentication commands (for example, aaa, tacacs, radius, password, and so on).
Administrator (Level-15) is identical to the built-in manager role, and can access all commands, features, and policies on the device.
To create a local user and assign it the Administrator role:
switch(config)# aaa authentication local-user localadmin group "Level-15" password plaintext
New password for localadmin: ********
Please retype new password for localadmin: ********
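The following Python script is an added example, not ArubaOS-Switch code or output: it parses local-user lines in the form shown above from a configuration dump and applies the predefined-role rules described in this section to decide whether a given command would be authorized, which is useful for a least-privilege review of who holds Level-9, Level-15 or manager access. The sample configuration lines and the prefix-matching model of the role rules are constructed assumptions.

```python
import re

# Simplified model of the predefined roles described on the page.
# Each entry: (allowed command prefixes, denied prefixes that override allows).
# "*" stands for every command. This is an assumption for auditing, not the
# switch's own authorization engine.
ROLE_RULES = {
    "Level-0": ({"ping", "tracert", "ssh", "telnet"}, set()),
    "Level-1": ({"ping", "tracert", "ssh", "telnet", "show", "display"},
                {"show history", "display history"}),
    "Level-9": ({"*"}, {"aaa", "tacacs", "radius", "password"}),
    "Level-15": ({"*"}, set()),
    "manager": ({"*"}, set()),
}

# Matches the local-user definition in the same form the page shows.
LOCAL_USER_RE = re.compile(r'^aaa authentication local-user (\S+) group "([^"]+)"')

# Constructed sample configuration dump (not from a real device).
SAMPLE_CONFIG = """hostname "core-switch"
aaa authentication local-user localadmin group "Level-15" password plaintext
aaa authentication local-user helpdesk group "Level-1" password plaintext
aaa authentication local-user netops group "Level-9" password plaintext
"""

def parse_local_users(config_text):
    """Return {username: role} for every local-user line in the config."""
    users = {}
    for line in config_text.splitlines():
        m = LOCAL_USER_RE.match(line.strip())
        if m:
            users[m.group(1)] = m.group(2)
    return users

def _matches(cmd, prefix):
    return cmd == prefix or cmd.startswith(prefix + " ")

def command_allowed(role, command):
    """Deny wins over allow; unknown roles fail closed (deny everything)."""
    allowed, denied = ROLE_RULES.get(role, (set(), set()))
    cmd = " ".join(command.split())
    if any(_matches(cmd, d) for d in denied):
        return False
    return "*" in allowed or any(_matches(cmd, a) for a in allowed)

def privileged_users(config_text, roles=("Level-9", "Level-15", "manager")):
    """Sorted names of local users holding an administrative-level role."""
    return sorted(u for u, r in parse_local_users(config_text).items() if r in roles)

if __name__ == "__main__":
    print(privileged_users(SAMPLE_CONFIG))
```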
For more details, refer to the chapter titled “RBAC” in the ArubaOS-Switch Access Security Guide.