User Access Privileges; User Groups, Task Groups, And Task Ids - Cisco Router IOS XR Getting Started Manual

Chapter 4 Configuring General Router Features

User Access Privileges

When you log in to the router, your username and password are used to determine if you are authorized
to access the router. After you successfully log in, your username is used to determine which commands
you are allowed to use. The following sections provide information on how the router determines which
commands you can use:
•
•
•

User Groups, Task Groups, and Task IDs

The commands that each user can use are defined by the user groups to which he or she belongs. Within
the Cisco IOS XR software, the commands for a particular feature, such as access control lists, are
assigned to tasks, which are uniquely identified by task IDs. If a user wants to use a particular command,
his or her username must be associated with the appropriate task ID.
The association between a username and a task ID takes place through two intermediate entities, the user
group and task group.
The user group is basically a logical container that can be used to assign the same task IDs to multiple
users. Instead of assigning task IDs to each user, you can assign them to the user group, and then assign
users to the user group. When a task is assigned to a user group, you can define the access rights for the
commands associated with that task. These rights include "read," "write," "execute," and "notify."
The task group is also a logical container, but it is used to group tasks. Instead of assigning task IDs to
each user group, you assign them to a task group, which allows you to quickly enable access to a specific
set of tasks by assigning a task group to a user group.
To summarize the associations, usernames are assigned to user groups, which are then assigned to task
groups. Users can be assigned to multiple user groups, and each user group can be assigned to one or
more task groups. The commands that a user can execute are all those commands assigned to the tasks
within the task groups that are associated with the user groups to which the user belongs.
Users are not assigned to groups by default and must be explicitly assigned by an administrator.
You can display all task IDs available on the system with the show task supported command. For
example:
RP/0/RP0/CPU0:router# show task supported
bgp
ospf
hsrp
isis
route-map
route-policy
static
vrrp
cef
lpts
iep
rib
multicast
mpls-te
mpls-ldp
mpls-static
OL-10957-02
User Groups, Task Groups, and Task IDs, page 4-13
Predefined User Groups, page 4-14
Displaying the User Groups and Task IDs for Your User Account, page 4-14
User Access Privileges
Cisco IOS XR Getting Started Guide
4-13