Authorization provides access control: it is the process of assembling a set of attributes that describe what the user is permitted to perform. Once the user ID and password combination has been authenticated, the user is authorized to access the network according to the assigned role. We discuss user roles later in this chapter. When the switches use the TACACS+ protocol, you can also configure parameters that prevent unauthorized access by a user.
AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in the Cisco NX-OS software is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS, TACACS+, and LDAP, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user.
The following authorization roles exist in all Cisco MDS switches:
Network operator (network-operator): Has permission to view the configuration only. The operator cannot make any configuration changes.
Network administrator (network-admin): Has permission to execute all commands and make configuration changes. The administrator can also create and customize up to 64 additional roles.
Default-role: Has permission to use the GUI (DCNM and Device Manager). This access is automatically granted to all users for accessing the GUI.
server-admin: Predefined system role for server administrators.
These roles cannot be changed or deleted. You can create additional roles and configure the following options:
Configure role-based authorization by assigning user roles locally or using remote AAA servers.
Configure user profiles on a remote AAA server to contain role information. This role information is automatically downloaded and used when the user is authenticated through the remote AAA server.
Note
If a user belongs to only one of the newly created roles and that role is subsequently deleted, the user immediately defaults to the network-operator role.
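The following is an added illustration, not Cisco code and not taken from this document, of how a switch-side role table might behave under the rules described above: a fixed set of built-in roles that cannot be deleted, up to 64 additional custom roles, role names arriving from a remote AAA server as an AV pair, and the fallback to network-operator when a user's only role has been deleted. The AV-pair syntax it parses (`shell:roles="role1 role2"`, with `*` in place of `=` for an optional attribute), the `can_configure` flag, the assumption that server-admin cannot change switch configuration, and all function names are assumptions made for the example.

```python
"""Model of authorization-role resolution on a switch (illustrative, not Cisco code)."""
import re
from dataclasses import dataclass

# Role a user falls back to when none of their assigned roles exist any more.
DEFAULT_ROLE = "network-operator"
MAX_CUSTOM_ROLES = 64  # the page states an administrator may create up to 64 roles


@dataclass(frozen=True)
class Role:
    name: str
    can_configure: bool   # assumed single permission bit for the example
    builtin: bool = False


# Built-in roles from the text; server-admin's can_configure=False is an assumption.
BUILTIN_ROLES = {
    "network-operator": Role("network-operator", can_configure=False, builtin=True),
    "network-admin": Role("network-admin", can_configure=True, builtin=True),
    "default-role": Role("default-role", can_configure=False, builtin=True),
    "server-admin": Role("server-admin", can_configure=False, builtin=True),
}


class RoleTable:
    """Role store enforcing 'built-ins cannot be deleted' and the custom-role cap."""

    def __init__(self) -> None:
        self.roles: dict[str, Role] = dict(BUILTIN_ROLES)

    def custom_count(self) -> int:
        return sum(1 for r in self.roles.values() if not r.builtin)

    def create(self, name: str, can_configure: bool) -> None:
        if name in self.roles:
            raise ValueError(f"role {name!r} already exists")
        if self.custom_count() >= MAX_CUSTOM_ROLES:
            raise ValueError(f"at most {MAX_CUSTOM_ROLES} custom roles may be created")
        self.roles[name] = Role(name, can_configure)

    def delete(self, name: str) -> None:
        if self.roles[name].builtin:
            raise ValueError(f"built-in role {name!r} cannot be deleted")
        del self.roles[name]


# Assumed AV-pair format: shell:roles="a b" (mandatory) or shell:roles*"a b" (optional).
_ROLES_AV_PAIR = re.compile(r'^shell:roles[=*]"([^"]*)"$')


def parse_roles_av_pair(av_pair: str) -> list[str]:
    """Return the role names carried by a shell:roles AV pair, or [] if it is not one."""
    match = _ROLES_AV_PAIR.match(av_pair.strip())
    if not match:
        return []
    return match.group(1).split()


def effective_roles(table: RoleTable, assigned: list[str]) -> list[str]:
    """Keep only roles that still exist; if none remain, default to network-operator."""
    existing = [name for name in assigned if name in table.roles]
    return existing or [DEFAULT_ROLE]


def may_configure(table: RoleTable, assigned: list[str]) -> bool:
    """True if any effective role grants configuration changes."""
    return any(table.roles[name].can_configure for name in effective_roles(table, assigned))


if __name__ == "__main__":
    table = RoleTable()
    table.create("sangroup", can_configure=True)
    # Constructed AV pair as a TACACS+ server might return it for a user.
    roles = parse_roles_av_pair('shell:roles="sangroup"')
    print(effective_roles(table, roles), may_configure(table, roles))
    table.delete("sangroup")   # the user's only role disappears ...
    print(effective_roles(table, roles), may_configure(table, roles))  # ... so they become network-operator
```

Deleting a custom role silently demotes every user whose only role it was to read-only access, which is the behaviour the note above describes; an operator auditing role changes should check which AAA user profiles still reference a role before removing it.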