User Access Privileges; User Groups, Task Groups, And Task Ids - Cisco ASR 9000 Getting Started Manual

Chapter 3 Configuring General Router Features
For example, the following prompt indicates that the CLI commands are executed on the RP in rack 0,
slot RSP0, by the "CPU0" module on a router named "router:"
RP/0/RSP0/CPU0:router#

User Access Privileges

When you log in to the router, your username and password are used to determine if you are authorized
to access the router. After you successfully log in, your username is used to determine which commands
you are allowed to use. The following sections provide information on how the router determines which
commands you can use:
•
•
•

User Groups, Task Groups, and Task IDs

The Cisco IOS XR software ensures security by combining tasks a user wants to perform (task IDs) into
groups, defining which router configuration and management functions users can perform. This policy
is enabled by the definition of:
•
•
•
The commands each user can perform are defined by the user groups to which he or she belongs.
Commands for a particular feature, like access control lists, are assigned to tasks. Each task is uniquely
identified by a task ID. If a user wants to use a particular command, his or her username must be
associated with the appropriate task ID. The association between a username and a task ID takes place
through two intermediate entities, the user group and task group.
The user group is a logical container used to assign the same task IDs to multiple users. Instead of
assigning task IDs to each user, assign them to the user group. Then assign users to that user group. When
a task is assigned to a user group, define the access rights for the commands associated with that task.
These rights include "read," "write," "execute," and "notify."
The task group is also a logical container, but it groups tasks. Instead of assigning task IDs to each user
group, you assign them to a task group. This allows you to quickly enable access to a specific set of tasks
by assigning a task group to a user group. Users are not assigned to groups by default and must be
explicitly assigned by an administrator.
Only root-system users (root-lr users) or users associated with the WRITE:AAA task ID can configure
Note
task groups.
OL-17502-01
F I N A L D R A F T — C i s c o C o n f i d e n t i a l
User Groups, Task Groups, and Task IDs, page 3-7
Predefined User Groups, page 3-8
Viewing Your User Groups and Task IDs, page 3-8
User groups—A collection of users that share similar authorization rights on a router.
Task groups—Defined by a collection of task IDs for each class of action.
Task IDs—Define permission to perform particular tasks; pooled into a task group that is then
assigned to users.
Cisco ASR 9000 Series Aggregation Services Router Getting Started Guide
Logging In to a Router
3-7