Task-Based Authorization - Cisco IOS XR Configuration Manual

System security configuration guide
Information About Configuring AAA Services

Task-Based Authorization

AAA employs "task permissions" for any control, configure, or monitor operation through CLI or API.
The Cisco IOS software concept of privilege levels has been replaced in Cisco IOS XR software by a
task-based authorization system.
Task IDs
The operational tasks that enable users to control, configure, and monitor Cisco IOS XR software are
represented by task IDs. A task ID defines the permission to run an operation for a command. Users are
associated with sets of task IDs that define the breadth of their authorized access to the router.
Task IDs are assigned to users through the following means. Each user is associated with one or more
user groups. Every user group is associated with one or more task groups; in turn, every task group is
defined by a set of task IDs. Consequently, a user's association with a particular user group links that
user to a particular set of task IDs. A user that is associated with a task ID can execute any operation
associated with that task ID.
General Usage Guidelines for Task IDs
Every router control, configuration, or monitoring operation (CLI or XML API) is associated with a
particular set of task IDs. A given CLI command or API invocation is associated with one or more task
IDs. These associations are hard-coded within the router and may not be modified. Task IDs grant
permission to perform certain tasks; task IDs do not deny permission to perform tasks. Task ID
operations can be one, all, or a combination of the classes listed in Table 6: read, write, execute,
and debug.
The system verifies that each CLI command and API invocation conforms with the task ID permission
list for the user. If you are experiencing problems using a CLI command, contact your system
administrator.
Multiple task ID operations separated by a slash (for example, read/write) mean that both operations are
applied to the specified task ID.
Multiple task ID operations separated by a comma (for example, read, read/write) mean that both
operations are applied to the respective task IDs. For example, the copy ipv4 access-list command can
have the read and write operations applied to the acl task ID, and the execute operation applied to the
filesystem task ID.
If the task ID and operations columns show none, the command can be used without any prior association
of the user to a task ID and operation. In addition, users do not need to be associated to task IDs to use
ROM monitor commands.
Table 6    Task ID Classes

Operation   Description
Read        Specifies a designation that permits only a read operation.
Write       Specifies a designation that permits a change operation and implicitly allows a read
            operation.
Execute     Specifies a designation that permits an access operation; for example, ping and Telnet.
Debug       Specifies a designation that permits a debug operation.
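The following Python model is an added illustration of the authorization rules described in this section; it is not Cisco's implementation and not code from the guide. It models the user -> user group -> task group -> task ID chain, the grant-only (union) semantics of task IDs, the rule from Table 6 that write implicitly allows read, and the slash/comma notation for command requirements (for example, the copy ipv4 access-list command needing acl read/write and filesystem execute). The user, user group and task group names, and the "taskid:op/op, taskid:op" string used to encode a command's requirements, are constructed for the example.

```python
"""Model of IOS XR task-based authorization (added illustration, not Cisco code).

Permissions flow user -> user group -> task group -> (task ID, operations).
Task IDs only grant and never deny, so a user's effective permissions are
the union over every group the user belongs to. Per Table 6, a write
permission implicitly carries read.
"""

# The four operation classes from Table 6.
READ, WRITE, EXECUTE, DEBUG = "read", "write", "execute", "debug"

# Hypothetical task groups: task ID -> set of granted operations.
TASK_GROUPS = {
    "acl-operator": {"acl": {READ}},
    "acl-admin":    {"acl": {WRITE}},          # write implies read
    "fs-user":      {"filesystem": {EXECUTE}},
    "diag":         {"acl": {DEBUG}},
}

# Hypothetical user groups: user group -> list of task groups.
USER_GROUPS = {
    "netops":   ["acl-operator", "fs-user"],
    "netadmin": ["acl-admin", "fs-user", "diag"],
}

# Constructed users: user -> list of user groups.
USERS = {
    "alice": ["netops"],
    "bob":   ["netadmin"],
    "carol": ["netops", "netadmin"],   # permissions are the union of both groups
}

# Command requirements are hard-coded on the router; these entries encode the
# guide's notation: a slash joins operations on one task ID, a comma separates
# task IDs, and an empty string stands for "none" (no association required).
COMMAND_TASKS = {
    "copy ipv4 access-list": "acl:read/write, filesystem:execute",
    "show ipv4 access-list": "acl:read",
    "debug acl":             "acl:debug",
    "show version":          "",
}


def parse_requirements(spec):
    """Parse 'taskid:op/op, taskid:op' into {task_id: {operations}}."""
    required = {}
    for part in filter(None, (p.strip() for p in spec.split(","))):
        task_id, ops = part.split(":")
        required.setdefault(task_id.strip(), set()).update(
            op.strip().lower() for op in ops.split("/"))
    return required


def effective_permissions(user):
    """Union of task ID operations over all of the user's groups."""
    perms = {}
    for user_group in USERS.get(user, []):
        for task_group in USER_GROUPS.get(user_group, []):
            for task_id, ops in TASK_GROUPS.get(task_group, {}).items():
                granted = perms.setdefault(task_id, set())
                granted |= ops
                if WRITE in ops:          # Table 6: write implicitly allows read
                    granted.add(READ)
    return perms


def is_authorized(user, command):
    """Return (allowed, missing) where missing maps task ID -> operations lacking."""
    if command not in COMMAND_TASKS:
        raise KeyError(f"unknown command: {command!r}")
    needed = parse_requirements(COMMAND_TASKS[command])
    perms = effective_permissions(user)
    missing = {task_id: ops - perms.get(task_id, set())
               for task_id, ops in needed.items()}
    missing = {task_id: ops for task_id, ops in missing.items() if ops}
    return (not missing), missing


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for command in COMMAND_TASKS:
            allowed, missing = is_authorized(user, command)
            print(f"{user:6} {command:24} {'OK' if allowed else 'DENIED ' + str(missing)}")
```

Running the block prints one line per user and command; alice is denied copy ipv4 access-list because her only acl grant is read, while bob and carol, who reach the acl-admin task group, get the implied read plus write and are allowed. The "missing" dictionary returned by is_authorized is the defender-side view of a denial: it names exactly which task ID and operation the user's groups fail to grant, which is what an administrator needs when a user reports that a CLI command is rejected.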

This manual is also suitable for: IOS XR 3.5