Role-Based Access Control
Overview
The Role-Based Access Control (RBAC) feature in OcNOS allows the creation of custom user roles locally. This provides administrators with the flexibility to define specific groups of commands that can be allowed or denied for each role. Users can then be assigned to these user roles on a per-switch basis or by utilizing a TACACS+ server.
Feature Characteristics
RBAC can permit or restrict the CLI commands a user may execute in OcNOS, and command authorization is handled entirely within OcNOS. With Role-Based Command Authorization, administrators can create the following entities:
- Policy
- User Role
- User Name
Policy
A policy is a collection of rules that determine which commands are permitted or denied. The maximum number of policies that can be configured is 20.
User Role
User roles group users together, allowing restrictions to be applied based on the policies associated with the role. When creating a User Role, a default policy should be specified. This default policy determines whether all commands are permitted or denied by default. One or more policies can be attached to a User Role. The maximum number of roles that can be configured is 14.
User Name
Users can be assigned to predefined user roles or customized roles. Some predefined roles include:
- Network-Administrator
- Network-Operator
- Network-Engineer
- Network-User
Multiple users can be assigned the same User Role.
RBAC user accounts will not be deleted when a corresponding RBAC-role is deleted or when the dynamic-RBAC feature is disabled. If an RBAC-user is authenticated but the associated role is not present, the user privilege will default to network-user privilege, and the role will be displayed as RBAC-customized-role in the show users command.
RBAC Bootup Log Access
RBAC users with privilege levels below 15 can execute the show system bootup-log command. The command returns system boot-up information without requiring elevated privileges, so operational users can perform diagnostics while the system's security posture is preserved.
- Applicable to both local and TACACS+ based RBAC users.
- Designed for custom roles with restricted access.
RBAC users cannot directly run journalctl -b (systemd journal) or read /var/log/boot (OcNOS module boot log file).
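To make the interplay of policies, roles, default policies, the deleted-role fallback and the bootup-log exception concrete, here is an added illustrative model in Python; it is example code, not the OcNOS implementation. Prefix matching of commands, first-match precedence across attached policies, a numeric privilege per role and a deny-by-default network-user role at privilege 1 are all assumptions of the model.

```python
# Illustrative model of the RBAC entities described above (added example,
# not the OcNOS implementation); matching and precedence are assumptions.
from dataclasses import dataclass, field
MAX_POLICIES, MAX_ROLES = 20, 14            # limits stated in the text
BOOTUP_LOG_CMD = "show system bootup-log"   # allowed below privilege 15
NETWORK_USER = "network-user"               # predefined fallback role
@dataclass
class Role:
    name: str
    default: str          # "permit" or "deny" when no rule matches
    privilege: int        # assumed numeric privilege level
    policies: list = field(default_factory=list)  # attached policy names

class Rbac:
    def __init__(self):
        self.policies, self.roles, self.users = {}, {}, {}
        self.add_role(Role(NETWORK_USER, "deny", 1))  # assumed: deny default, priv 1

    def add_policy(self, name, rules):  # rules: [(permit|deny, prefix), ...]
        if len(self.policies) >= MAX_POLICIES:
            raise ValueError("policy limit reached")
        self.policies[name] = rules

    def add_role(self, role):
        if len(self.roles) >= MAX_ROLES:
            raise ValueError("role limit reached")
        self.roles[role.name] = role

    def assign(self, user, role_name):
        self.users[user] = role_name

    def delete_role(self, name):
        self.roles.pop(name, None)   # user accounts are kept

    def effective_role(self, user):  # as 'show users' would display it
        role = self.roles.get(self.users[user])
        if role is None:             # role deleted: network-user privilege
            return "RBAC-customized-role", self.roles[NETWORK_USER].privilege
        return role.name, role.privilege

    def authorize(self, user, command):
        role = self.roles.get(self.users[user]) or self.roles[NETWORK_USER]
        if command == BOOTUP_LOG_CMD and role.privilege < 15:
            return True              # bootup-log access needs no elevation
        for pname in role.policies:  # first matching rule wins (assumed)
            for action, prefix in self.policies[pname]:
                if command.startswith(prefix):
                    return action == "permit"
        return role.default == "permit"
```

Deleting a role in the model leaves the user in place, and the user then authorizes as network-user while still reaching the bootup log.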
Benefits
- RBAC ensures secure and controlled access to CLI commands, streamlining network management.
- Provides controlled access to critical boot-up logs for non-admin users.
- Enhances troubleshooting capability for network operators.
- Ensures a consistent and secure mechanism for viewing system start-up information.
Prerequisites
Ensure there is a supported OcNOS router with management interface access.