Role-Based Access Control

Overview

The Role-Based Access Control (RBAC) feature in OcNOS allows custom user roles to be created locally. RBAC is a security model that restricts system access based on the roles assigned to users; it gives administrators the flexibility to define specific groups of commands that are allowed or denied for each role. Users can then be assigned to these roles on a per-switch basis or through a TACACS+ (Terminal Access Controller Access Control System Plus) server.

Feature Characteristics

RBAC can restrict or permit the CLI commands a user is able to execute in OcNOS, and command authorization is handled entirely within OcNOS. With Role-Based Command Authorization, administrators can create the following entities:

Policy

A policy is a collection of rules that determine which commands are permitted or denied. The maximum number of policies that can be configured is 20.

User Role

User roles group users together, allowing restrictions to be applied based on the policies associated with the role. When creating a User Role, a default policy should be specified. This default policy determines whether all commands are permitted or denied by default. One or more policies can be attached to a User Role. The maximum number of roles that can be configured is 14.

User Name

Users can be assigned to predefined user roles or customized roles. Some predefined roles include:

  • Network-Administrator
  • Network-Operator
  • Network-Engineer
  • Network-User

Multiple users can be assigned the same User Role.

RBAC user accounts will not be deleted when a corresponding RBAC-role is deleted or when the dynamic-RBAC feature is disabled. If an RBAC-user is authenticated but the associated role is not present, the user privilege will default to network-user privilege, and the role will be displayed as RBAC-customized-role in the show users command.

Benefits

RBAC ensures secure and controlled access to CLI commands, streamlining network management.

Prerequisites

Ensure there is a supported OcNOS router with management interface access.

RBAC Configuration

The following are example configurations for the RBAC feature. For TACACS+ configuration, see the TACACS Client Configuration chapter in the System Management guide.

Once applied, the imposed restrictions, together with the configured policy and role details, can be viewed with the show running-config command.

Example 1

In this example, RBAC is used to define user roles and policies that restrict command access for tighter security and control. The configuration steps are:

OcNOS#show running-config rbac
feature dynamic-rbac
policy p1
 permit "enable"
 permit "configure terminal"
 permit "snmp-server .*"
role custom
 default deny-all
 add policy p1

OcNOS#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
OcNOS(config)#username test password Test@123
OcNOS(config)#username test role custom
OcNOS(config)#commit

OcNOS#sh user-account
User:ocnos
                roles: network-admin
User:test
                roles: custom

  • The RBAC feature is enabled with the feature dynamic-rbac command.
  • A policy named p1 is created, allowing specific commands such as enable, configure terminal, and SNMP-related commands.
  • A custom role called custom is established, with a default action to deny all commands (default deny-all). The previously defined policy p1 is added to this role.
  • A new user account named test is created with the password Test@123, and the role custom is assigned to this user.
  • The configuration changes are committed with the commit command.
  • The show user-account output confirms that the user test holds the custom role, which grants the specific permissions defined in policy p1.

root@debian:~# ssh test@10.12.29.130
test@10.12.29.130's password:
Last login: Tue Aug 23 01:06:31 2022 from 10.12.17.153

OcNOS version DELL_S3048-ON-OcNOS-1.3.9.364-ENT_IPBASE-S0-P0  01/21/2022 15:03:56
OcNOS>en
OcNOS#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
OcNOS(config)#snmp-server community test vrf management -->Allowed
OcNOS(config)#ntp server 1.1.1.1 vrf management      -->Not Allowed
% Access restricted for user %

  • The user test logs into the system via SSH and demonstrates RBAC enforcement by successfully executing permitted SNMP-related commands but encountering an access restriction when attempting an unauthorized command (ntp server).
  • This example showcases RBAC in action, illustrating how user roles and policies can control command access based on predefined configurations.

Example 2

In the example below, the user test1 establishes an SSH connection and demonstrates the RBAC setup. Because the role's default action permits all commands and the attached policy denies only SNMP-related ones, the user can apply various configurations but not snmp-server configurations:

OcNOS#show running-config rbac
feature dynamic-rbac
policy p1
 permit "enable"
 permit "configure terminal"
 permit "snmp-server .*" mode config
policy p2
 permit "enable"
 permit "configure terminal"
 deny "snmp-server .*"
role custom-snmp
 default permit-all
 add policy p2
OcNOS#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
OcNOS(config)#username test1 password Test@1234
OcNOS(config)#username test1 role custom-snmp
OcNOS(config)#commit
OcNOS#show user-account
User:ocnos
                roles: network-admin
User:test1
                roles: custom-snmp
 
root@debian:~# ssh test1@10.12.29.130
test1@10.12.29.130's password:
 
OcNOS version DELL_S3048-ON-OcNOS-1.3.9.364-ENT_IPBASE-S0-P0  01/21/2022 15:03:56
OcNOS>enable
OcNOS#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
OcNOS(config)#ntp server 1.1.1.1 vrf management          --> Allowed
OcNOS(config)#snmp-server community test vrf management  -->Not Allowed
% Access restricted for user %
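As an added illustration (not code from the OcNOS documentation or the product), the following Python script parses the policies and roles from the show running-config rbac outputs of Example 1 and Example 2 and models how a role's default action and its attached permit/deny rules decide whether a command is allowed. The precedence order (an explicit deny wins, then an explicit permit, then the role default) and the full-regex match against the expanded command are assumptions, not OcNOS's documented evaluation algorithm.

```python
import re

# Constructed sample: policies and roles from the two running-config outputs above.
RBAC_CONFIG = """\
feature dynamic-rbac
policy p1
 permit "enable"
 permit "configure terminal"
 permit "snmp-server .*"
policy p2
 permit "enable"
 permit "configure terminal"
 deny "snmp-server .*"
role custom
 default deny-all
 add policy p1
role custom-snmp
 default permit-all
 add policy p2
"""
RULE_RE = re.compile(r'^\s*(permit|deny)\s+"([^"]*)"')

def parse_rbac(text):
    """Return ({policy: [(action, pattern)]}, {role: {default, policies}})."""
    policies, roles, cur = {}, {}, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "policy":
            cur = policies.setdefault(words[1], [])
        elif words[0] == "role":
            cur = roles.setdefault(words[1], {"default": None, "policies": []})
        elif words[0] == "default" and isinstance(cur, dict):
            cur["default"] = words[1]          # "deny-all" or "permit-all"
        elif words[0] == "add" and isinstance(cur, dict):
            cur["policies"].append(words[2])   # "add policy <name>"
        elif isinstance(cur, list) and (m := RULE_RE.match(line)):
            cur.append((m.group(1), m.group(2)))
    return policies, roles

def is_allowed(policies, roles, role, command):
    """Assumed model, not OcNOS's documented algorithm: a matching deny wins,
    then a matching permit, otherwise the role's default action decides."""
    info = roles[role]
    matched = {act for name in info["policies"]
               for act, pat in policies.get(name, []) if re.fullmatch(pat, command)}
    if "deny" in matched:
        return False
    return "permit" in matched or info["default"] == "permit-all"
```

Running the model against the commands typed in the two SSH sessions reproduces the Allowed / Not Allowed outcomes shown above, and makes the difference between a deny-all and a permit-all default explicit.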

Implementation Examples

RBAC provides a structured and efficient approach to managing and controlling user access to various resources and functionalities within a system. RBAC is particularly beneficial in scenarios with multiple users with varying levels of permissions and responsibilities. Some common use cases for RBAC include:

Network Security: RBAC enhances network security by restricting users to only the resources and commands they need for their roles, reducing the risk of unauthorized access and potential breaches.

Administrative Efficiency: RBAC simplifies user management by categorizing users into predefined roles and streamlining tasks such as provisioning, access updates, and permissions adjustments.

Regulatory Compliance: RBAC ensures compliance with regulations by enforcing proper access controls and maintaining audit trails, helping organizations meet required standards for data security and privacy.

Reduced Human Error: RBAC minimizes the chance of human errors that could lead to network disruptions or security incidents, as users are limited to the specific commands relevant to their roles.

Access Segmentation: In multi-tenant or multi-customer environments, RBAC facilitates access segmentation, ensuring that different groups can only interact with their designated resources, enhancing isolation and privacy.