OcNOS SP : System Management Guide : Authentication Management Configuration : Role-Based Access Control
Role-Based Access Control
Overview
The Role-Based Access Control (RBAC) feature in OcNOS allows the creation of custom user roles locally. This provides administrators with the flexibility to define specific groups of commands that can be allowed or denied for each role. Users can then be assigned to these user roles on a per-switch basis or by utilizing a TACACS+ server.
Feature Characteristics
RBAC offers the capability to restrict or permit users from executing CLI commands in OcNOS and command authorization is entirely handled within OcNOS. With Role-Based Command Authorization, administrators can create the following entities:
Policy
User Role
User Name
Policy
A policy is a collection of rules that determine which commands are permitted or denied. The maximum number of policies that can be configured is 20.
User Role
User roles group users together, allowing restrictions to be applied based on the policies associated with the role. When creating a User Role, a default policy should be specified. This default policy determines whether all commands are permitted or denied by default. One or more policies can be attached to a User Role. The maximum number of roles that can be configured is 14.
User Name
Users can be assigned to predefined user roles or customized roles. Some predefined roles include:
Network-Administrator
Network-Operator
Network-Engineer
Network-User
Multiple users can be assigned the same User Role.
RBAC user accounts will not be deleted when a corresponding RBAC-role is deleted or when the dynamic-RBAC feature is disabled. If an RBAC-user is authenticated but the associated role is not present, the user privilege will default to network-user privilege, and the role will be displayed as RBAC-customized-role in the show users command.
Benefits
RBAC ensures secure and controlled access to CLI commands, streamlining network management.
Prerequisites
Ensure there is a supported OcNOS router with management interface access.
Configuration
Here is the example configurations for the RBAC feature. For TACACS+ configurations, see the TACACS Client Configuration chapter in the System Management guide.
Note: When implemented, users will have visibility into the imposed restrictions through the show running-config command. Additionally, both the configured policy and role specifics can be observed using the show running-config command.
Example 1:
In the provided example, RBAC is employed to define user roles and policies that restrict command access for enhanced security and control. Here is the configuration steps:
OcNOS#show running-config rbac
feature dynamic-rbac
policy p1
permit "enable"
permit "configure terminal"
Permit "snmp-server .*"
role custom
default deny-all
add policy p1
OcNOS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#username test password Test@123
OcNOS(config)#username test role custom
OcNOS(config)#commit
OcNOS#sh user-account
User:ocnos
roles: network-admin
User:test
roles: custom
The RBAC feature is enabled with the feature dynamic-rbac command.
A policy named p1 is created, allowing specific commands such as enable, configure terminal, and SNMP-related commands.
A custom role called custom is established, with a default action to deny all commands (default deny-all). The previously defined policy p1 is added to this role.
A new user account named test is created with the password Test@123, and the role custom is assigned to this user.
The configuration changes are committed using the commit command.The output indicates that the user test has the custom role, granting specific permissions.
root@debian:~# ssh test@10.12.29.130
test@10.12.29.130's password:
Last login: Tue Aug 23 01:06:31 2022 from 10.12.17.153
 
OcNOS version DELL_S3048-ON-OcNOS-1.3.9.364-ENT_IPBASE-S0-P0 01/21/2022 15:03:56
OcNOS>en
OcNOS#conf t
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#snmp-server community test vrf management -->Allowed
OcNOS(config)#ntp server 1.1.1.1 vrf management -->Not Allowed
% Access restricted for user %
The user test logs into the system via SSH and demonstrates RBAC enforcement by successfully executing permitted SNMP-related commands but encountering an access restriction when attempting an unauthorized command (ntp server).
This example showcases RBAC in action, illustrating how user roles and policies can control command access based on predefined configurations.
Example 2:
In the below example, the user test1 establishes an SSH connection and demonstrates the RBAC setup. As the default action permits all commands except SNMP-related ones, the user is able to execute various configurations, except for snmp-server configurations:
OcNOS#show running-config rbac
feature dynamic-rbac
policy p1
permit "enable"
permit "configure terminal"
permit "snmp-server .*" mode config
policy p2
permit "enable"
permit "configure terminal"
deny "snmp-server .*"
role custom-snmp
default permit-all
add policy p2
OcNOS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#username test1 password Test@1234
OcNOS(config)#username test1 role custom-snmp
OcNOS(config)#commit
OcNOS#sh user-account
User:ocnos
roles: network-admin
User:test1
roles: custom-snmp
 
root@debian:~# ssh test1@10.12.29.130
test1@10.12.29.130's password:
 
OcNOS version DELL_S3048-ON-OcNOS-1.3.9.364-ENT_IPBASE-S0-P0 01/21/2022 15:03:56
OcNOS>enable
OcNOS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#ntp server 1.1.1.1 vrf management --> Allowed
OcNOS(config)#snmp-server community test vrf management -->Not Allowed
% Access restricted for user %
 
Implementation Examples
RBAC provides a structured and efficient approach to managing and controlling user access to various resources and functionalities within a system. RBAC is particularly beneficial in scenarios with multiple users with varying levels of permissions and responsibilities. Some common use cases for RBAC include:
Network Security: RBAC enhances network security by restricting users to only the resources and commands they need for their roles, reducing the risk of unauthorized access and potential breaches.
Administrative Efficiency: RBAC simplifies user management by categorizing users into predefined roles and streamlining tasks such as provisioning, access updates, and permissions adjustments.
Regulatory Compliance: RBAC ensures compliance with regulations by enforcing proper access controls and maintaining audit trails, helping organizations meet required standards for data security and privacy.
Reduced Human Error: RBAC minimizes the chance of human errors that could lead to network disruptions or security incidents, as users are limited to the specific commands relevant to their roles.
Access Segmentation: In multi-tenant or multi-customer environments, RBAC facilitates access segmentation, ensuring that different groups can only interact with their designated resources, enhancing isolation and privacy.
New CLI Commands
Here is the compilation of the new commands for configuring RBAC feature. For TACACS+ commands, see the TACACS+ Commands chapter in the System Management guide.
add policy
Use this command to add a policy to a TACACS+ role-based authorization (RBAC) role.
Use the no form of this command to remove a policy from an RBAC role.
Command Syntax
add policy POLICY-NAME
no add policy POLICY-NAME
Parameters
POLICY-NAME
Name of the policy
Default
None
Command Mode
RBAC role mode
Applicability
This command was introduced in OcNOS version 6.4.1.
Examples
The following examples demonstrate the configuration of a role named 'myRole,' defining its default permissions, adding 'myPolicy1' to the role, and subsequently removing 'myPolicy2' from it.
OcNOS(config)#role myRole
OcNOS(config-role)#default permit-all
OcNOS(config-role)#add policy myPolicy1
OcNOS(config-role)#no add policy myPolicy2
OcNOS(config-role)#exit
default
Use this command to set the default rule for a TACACS+ role-based authorization (RBAC) role.
Use the no parameter with this command to remove the default rule for a TACACS+ role-based authorization (RBAC) role.
Command Syntax
default (permit-all | deny-all)
no default
Parameters
permit-all
Permit all commands
deny-all
Deny all commands
Default
Unless this command is explicitly configured, the default rule for a role is deny-all.
Command Mode
RBAC role mode
Applicability
This command was introduced in OcNOS version 6.4.1.
Examples
The below example illustrates the configuration of a role named 'myRole' in OcNOS, and specifying its default permission.
OcNOS(config)#role myRole
OcNOS(config-role)#default permit-all
OcNOS(config-role)#exit
deny
Use this command to add a deny rule to a TACACS+ role-based authorization (RBAC) policy.
Use the no form of this command to remove a deny rule from an RBAC policy.
Command Syntax
deny RULE-STRING (mode MODE-NAME |)
no deny RULE-STRING (mode MODE-NAME |)
Parameters
RULE-STRING
Command string
MODE-NAME
Command prompt string such as “config-router” or “config-if”. Deny access to the command only in this mode.
Default
None
Command Mode
RBAC policy mode
Applicability
This command was introduced in OcNOS version 6.4.1.
Examples
The example below illustrates the configuration of a policy named 'myPolicy' in OcNOS. It includes a deny rule that restricts access to the 'ip address' command, specifically within the configuration interface mode (config-if).
OcNOS#configure terminal
OcNOS(config)#policy myPolicy
OcNOS(config-policy)#deny “ip address” mode config-if
OcNOS(config-policy)#end
feature dynamic-rbac
Use this command to enable the TACACS+ role-based authorization (RBAC) feature.
Use the no form of this command to disable the RBAC feature.
Command Syntax
feature dynamic-rbac
no feature dynamic-rbac
Parameters
None
Default
By default, feature TACACS+ RBAC is disabled.
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 6.4.1.
Examples
The example below illustrates the configuration of enabling the TACACS+ RBAC feature.
OcNOS#configure terminal
OcNOS(config)#feature dynamic-rbac
permit
Use this command to add a permit rule to a TACACS+ role-based authorization (RBAC) policy.
Use the no form of this command to remove a permit rule in an RBAC policy.
Command Syntax
permit RULE-STRING (mode MODE-NAME |)
no permit RULE-STRING (mode MODE-NAME |)
Parameters
RULE-STRING
Command string
MODE-NAME
Command prompt string such as “config-router” or “config-if”. Permit access to the command only in this mode.
Default
None
Command Mode
RBAC policy mode
Applicability
This command was introduced in OcNOS version 6.4.1.
Examples
The following examples demonstrate the configuration of a policy named 'myPolicy', permitting access to the 'ip address' command specifically in the configuration interface mode.
OcNOS#configure terminal
OcNOS(config)#policy myPolicy
OcNOS(config-policy)#permit “ip address” mode config-if
policy
Use this command to create a TACACS+ role-based authorization (RBAC) policy and enter RBAC policy mode.
Use the no form of this command to remove an RBAC policy.
Command Syntax
policy POLICY-NAME
no policy POLICY-NAME
Parameters
POLICY-NAME
Policy name
Default
None
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 6.4.1.
Examples
The following examples demonstrate the configuration of creating the RBAC policy named myPolicy, and the command prompt enters the policy configuration mode.
OcNOS#configure terminal
OcNOS(config)#policy myPolicy
OcNOS(config-policy)#exit
role
Use this command to create a TACACS+ role-based authorization (RBAC) role and enter RBAC role mode.
Use the no form of this command to remove an RBAC role.
Command Syntax
role ROLE-NAME
no role ROLE-NAME
Parameters
ROLE-NAME
Role name
User cannot specify one of these roles already defined in OcNOS:
network-admin
network-user
network-operator
network-engineer
For more about these built-in roles, see username.
Default
None
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 6.4.1.
Examples
The following examples demonstrate the configuration of creating the RBAC role named 'myRole,' with the command prompt entering the role configuration mode.
OcNOS#configure terminal
OcNOS(config)#role myRole
OcNOS(config-role)#exit
show rbac-policy
Use this command to display TACACS+ role-based authorization (RBAC) policies.
Command Syntax
show rbac-policy (POLICY-NAME |)
Parameters
POLICY-NAME
Policy name
Default
None
Command Mode
Exec and privileged exec mode
Applicability
This command was introduced in OcNOS version 6.4.1.
Examples
The following examples display the show output of the RBAC policy named 'myPolicy' and its associated configurations.
OcNOS#show rbac-policy myPolicy
----------------------------------------------------------------------
Policy Name : myPolicy
permit "ip address" mode config-if
 
show rbac-role
Use this command to display information about TACACS+ role-based authorization (RBAC) roles.
Command Syntax
show rbac-role (ROLE-NAME |)
Parameters
ROLE-NAME
Role name
Default
None
Command Mode
Exec and privileged exec mode
Applicability
This command was introduced in OcNOS version 6.4.1.
Examples
The following examples display the show output of the RBAC role named 'myRole' and its associated configurations.
OcNOS#show rbac-role myRole
----------------------------------------------------------------------
Role Name : myRole
Default rule : permit-all
Attached Policies : myPolicy1
: myPolicy2
 
----------------------------------------------------------------------
Table P‑5-3 explains the output fields.
 
Table 5-3: show rbac-role fields
Entry
Description
Role Name
Displays the name of the role, in this case, myRole.
Default rule
Indicates the default rule associated with the role, which can be permit-all or deny-all.
Attached Policies
Lists the names of policies that are attached to this role. In the example, myPolicy1 and myPolicy2 are attached to myRole.
Troubleshooting
For smooth operation, verify accurate sensor path configuration, check encoding method compatibility, and ensure proper router-management system connectivity.
Abbreviations
The following are some key abbreviations and their meanings relevant to this document:
 
Acronym
Description
RBAC
Role Based Access Control
TACACS
Terminal Access Controller Access Control System
TACACS+
Enhanced version of TACACS
Glossary
The following provides definitions for key terms used throughout this document.
 
Role-Based Access Control (RBAC)
A security paradigm that restricts system access based on roles assigned to users.
User Role
A predefined or customized grouping of permissions assigned to users.
Policy
A set of rules determining which actions are permitted or denied for a specific user role.
Dynamic-RBAC
Dynamic Role-Based Access Control, allowing role assignment during user authentication.