Task IDs - Cisco CRS-1 - Carrier Routing System Router Configuration Manual

IOS XR System Security Configuration Guide

Information About Configuring AAA Services

Task IDs

The operational tasks that enable users to control, configure, and monitor Cisco IOS XR software are
represented by task IDs. A task ID defines the permission to run an operation for a command. Users are
associated with sets of task IDs that define the breadth of their authorized access to the router.
Task IDs are assigned to users through the following means. Each user is associated with one or more
user groups. Every user group is associated with one or more task groups; in turn, every task group is
defined by a set of task IDs. Consequently, a user's association with a particular user group links that
user to a particular set of task IDs. A user that is associated with a task ID can execute any operation
associated with that task ID.
General Usage Guidelines for Task IDs
Most router control, configuration, or monitoring operations (CLI or XML API) are associated with a
particular set of task IDs. Typically, a given CLI command or API invocation is associated with one or
more task IDs. Neither the config nor the commit command requires any specific task ID permissions;
aliases also do not require any task ID permissions. You cannot perform a config replace unless root-lr
permissions are assigned. If you want to deny access to configuration mode, you can use TACACS+
command authorization to deny the config command. The associations between commands and task IDs
are hard-coded within the router and may not be modified. Task IDs grant permission to perform certain
tasks; task IDs do not deny permission to perform tasks. Task ID operations can be one, all, or a
combination of the classes (read, write, execute, and debug) that are listed in Table 2.
The system verifies that each CLI command and API invocation conforms with the task ID permission
list for the user. If you are experiencing problems using a CLI command, contact your system
administrator.
Multiple task ID operations separated by a slash (for example, read/write) mean that both operations are
applied to the specified task ID.
Multiple task ID operations separated by a comma (for example, read, read/write) mean that both
operations are applied to the respective task IDs. For example, the copy ipv4 access-list command can
have the read and write operations applied to the acl task ID, and the execute operation applied to the
filesystem task ID.
If the task ID and operations columns have none specified, the command is used without previous user
association with a task ID and operation. In addition, users do not need to be associated with task IDs
to use ROM monitor commands.
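The grant-only permission check described in these guidelines, modelled as an added Python example (it is not Cisco code and not part of the guide). The user, user group and task group names are constructed; the command requirements come from the copy ipv4 access-list and show redundancy examples on this page.

```python
# Illustrative model of the task ID permission check; not Cisco code.
# User, user group and task group names are constructed for the example.

# Command -> required (task ID, operation) pairs, from the examples on this page.
REQUIRED = {
    "copy ipv4 access-list": {("acl", "read"), ("acl", "write"),
                              ("filesystem", "execute")},
    "show redundancy": {("system", "read")},
    "commit": set(),  # needs no task ID permissions, per the guidelines
}

TASK_GROUPS = {  # task group -> granted (task ID, operation) pairs
    "acl-ops": {("acl", "write"), ("filesystem", "execute")},
    "monitor": {("system", "read"), ("acl", "read")},
}
USER_GROUPS = {"acl-admins": ["acl-ops"], "noc": ["monitor"]}  # -> task groups
USERS = {"alice": ["acl-admins"], "bob": ["noc"], "carol": ["noc", "acl-admins"]}


def effective_tasks(user):
    """Union of all grants reachable via user -> user groups -> task groups."""
    grants = set()
    for user_group in USERS.get(user, []):
        for task_group in USER_GROUPS.get(user_group, []):
            grants |= TASK_GROUPS.get(task_group, set())
    # Write implicitly allows read (Table 2); there is no deny entry to subtract.
    grants |= {(task, "read") for task, op in grants if op == "write"}
    return grants


def missing_permissions(user, command):
    """Return the (task ID, operation) pairs the user lacks for a command."""
    if command not in REQUIRED:
        raise KeyError(f"no task ID mapping modelled for {command!r}")
    return REQUIRED[command] - effective_tasks(user)


def is_authorized(user, command):
    """A command is allowed only when every required pair is granted."""
    return not missing_permissions(user, command)


if __name__ == "__main__":
    for user in USERS:
        for cmd in REQUIRED:
            print(user, "|", cmd, "|", is_authorized(user, cmd),
                  sorted(missing_permissions(user, cmd)))
```

Because grants are only ever unioned, adding a user to a second user group can widen access but never narrow it, which is why group membership is the thing to audit.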
Users may need to be associated with additional task IDs to use a command if the command is used in a
specific configuration submode. For example, to execute the show redundancy command, a user needs
to be associated with the system (read) task ID and operations as shown in the following example:
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
SC-12
Table 2   Task ID Classes

Operation   Description
Read        Specifies a designation that permits only a read operation.
Write       Specifies a designation that permits a change operation and implicitly allows a read operation.
Execute     Specifies a designation that permits an access operation; for example, ping and Telnet.
Debug       Specifies a designation that permits a debug operation.
Configuring AAA Services on Cisco IOS XR Software
OL-20382-01
