User Groups - Cisco CRS-1 - Carrier Routing System Router Configuration Manual

Configuring AAA Services on Cisco IOS XR Software
Secure Domain Router Users
A secure domain router user has restricted access to an SDR as determined by the root-system user or
root SDR user. The secure domain router user performs the day-to-day system and network management
activities. The tasks that the secure domain router user is allowed to perform are determined by the task
IDs associated with the user groups to which the secure domain router user belongs. (See the
Groups"

User Groups

Cisco IOS XR software allows the system administrator to configure groups of users and the job
characteristics that are common in groups of users. Groups must be explicitly assigned to users. Users
are not assigned to groups by default. A user can be assigned to more than one group.
A user group defines a collection of users that share a set of attributes, such as access privileges. Each
user may be associated with one or more user groups. User groups have the following attributes:
•
•
Predefined User Groups
The Cisco IOS XR software provides a collection of user groups whose attributes are already defined.
The predefined groups are as follows:
•
•
•
•
•
•
•
The user group root-system has root system users as the only members. (See the
section.) The root-system user group has predefined authorization; that is, it has the complete
responsibility for root-system user-managed resources and certain responsibilities in other SDRs.
User-Defined User Groups
Administrators can configure their own user groups to meet particular needs.
User Group Inheritance
A user group can derive attributes from another user group. (Similarly, a task group can derive attributes
from another task group). For example, when user group A inherits attributes from user group B, the new
set of task attributes of the user group A is a union of A and B. The inheritance relationship among user
groups is dynamic in the sense that if group A inherits attributes from group B, and change in group B
affects group A, even if the group is not re-inherited explicitly.
OL-20382-01
section.)
List of task groups that define the authorization for the users. All tasks, except cisco-support, are
permitted by default for root system users. (See the
Each user task can be assigned read, write, execute, or debug permission.
cisco-support: This group is used by the Cisco support team.
netadmin: Has the ability to control and monitor all system and network parameters.
operator: A demonstration group with basic privileges.
root-lr: Has the ability to control and monitor the specific secure domain router.
root-system: Has the ability to control and monitor the entire system.
sysadmin: Has the ability to control and monitor all system parameters but cannot configure
network protocols.
serviceadmin: Service administration tasks, for example, Session Border Controller (SBC).
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
Information About Configuring AAA Services
"Root System Users" section.)
"Root System Users"
"User
SC-5