Assigning user roles

You assign access rights to users by assigning a minimum of one user role. The users can use the collection of system items and resources accessible to any user role assigned to them. For example, you can access any interface to use the qos apply policy command if you are assigned the following user roles:

• User role A denies access to the qos apply policy command and permits access only to interface Ten-GigabitEthernet 1/0/1.

• User role B permits access to the qos apply policy command and all interfaces.

Depending on the authentication method, user role assignment has the following methods:

• AAA authorization—If scheme authentication is used, the AAA module handles user role assignment.

  • If the user passes local authorization, the device assigns the user roles specified in the local user account.

  • If the user passes remote authorization, the remote AAA server assigns the user roles specified on the server. The AAA server can be a RADIUS or HWTACACS server.

• Non-AAA authorization—When the user accesses the device without authentication or by passing password authentication, the device assigns user roles specified on the user line. This method also applies to SSH clients that use publickey or password-publickey authentication. User roles assigned to these SSH clients are specified in their respective local device management user accounts.

For more information about AAA and SSH, see Security Configuration Guide. For more information about user line, see "Login overview" and "Logging in to the CLI."