The Role-Based Access Control (RBAC) feature in OcNOS allows the creation of custom user roles locally. This provides administrators with the flexibility to define specific groups of commands that can be allowed or denied for each role. Users can then be assigned to these user roles on a per-switch basis or by utilizing a TACACS+ server.

RBAC offers the capability to restrict or permit users from executing CLI commands in OcNOS and command authorization is entirely handled within OcNOS. With Role-Based Command Authorization, administrators can create the following entities:

A policy is a collection of rules that determine which commands are permitted or denied. The maximum number of policies that can be configured is 20.

User roles group users together, allowing restrictions to be applied based on the policies associated with the role. When creating a User Role, a default policy should be specified. This default policy determines whether all commands are permitted or denied by default. One or more policies can be attached to a User Role. The maximum number of roles that can be configured is 14.

Users can be assigned to predefined user roles or customized roles. Some predefined roles include:

Multiple users can be assigned the same User Role.

RBAC user accounts will not be deleted when a corresponding RBAC-role is deleted or when the dynamic-RBAC feature is disabled. If an RBAC-user is authenticated but the associated role is not present, the user privilege will default to network-user privilege, and the role will be displayed as RBAC-customized-role in the show users command.

RBAC ensures secure and controlled access to CLI commands, streamlining network management.

Ensure there is a supported OcNOS router with management interface access.

Here is the example configurations for the RBAC feature. For TACACS+ configurations, see the TACACS Client Configuration chapter in the System Management guide, Release 6.4.1.

In the provided example, RBAC is employed to define user roles and policies that restrict command access for enhanced security and control. Here is the configuration steps:

In the below example, the user test1 establishes an SSH connection and demonstrates the RBAC setup. As the default action permits all commands except SNMP-related ones, the user is able to execute various configurations, except for snmp-server configurations:

RBAC provides a structured and efficient approach to managing and controlling user access to various resources and functionalities within a system. RBAC is particularly beneficial in scenarios with multiple users with varying levels of permissions and responsibilities. Some common use cases for RBAC include:

Network Security: RBAC enhances network security by restricting users to only the resources and commands they need for their roles, reducing the risk of unauthorized access and potential breaches.

Administrative Efficiency: RBAC simplifies user management by categorizing users into predefined roles and streamlining tasks such as provisioning, access updates, and permissions adjustments.

Regulatory Compliance: RBAC ensures compliance with regulations by enforcing proper access controls and maintaining audit trails, helping organizations meet required standards for data security and privacy.

Reduced Human Error: RBAC minimizes the chance of human errors that could lead to network disruptions or security incidents, as users are limited to the specific commands relevant to their roles.

Access Segmentation: In multi-tenant or multi-customer environments, RBAC facilitates access segmentation, ensuring that different groups can only interact with their designated resources, enhancing isolation and privacy.

Here is the compilation of the new commands for configuring RBAC feature. For TACACS+ commands, see the TACACS+ chapter in the System Management guide, Release 6.4.1.

Use this command to add a policy to a TACACS+ role-based authorization (RBAC) role.

Use the no form of this command to remove a policy from an RBAC role.

None

RBAC role mode

This command was introduced in OcNOS version 6.4.1.

The following examples demonstrate the configuration of a role named 'myRole,' defining its default permissions, adding 'myPolicy1' to the role, and subsequently removing 'myPolicy2' from it.

Use this command to set the default rule for a TACACS+ role-based authorization (RBAC) role.

Use the no parameter with this command to remove the default rule for a TACACS+ role-based authorization (RBAC) role.

Unless this command is explicitly configured, the default rule for a role is deny-all.

RBAC role mode

This command was introduced in OcNOS version 6.4.1.

The below example illustrates the configuration of a role named 'myRole' in OcNOS, and specifying its default permission.

Use this command to add a deny rule to a TACACS+ role-based authorization (RBAC) policy.

Use the no form of this command to remove a deny rule from an RBAC policy.

None

RBAC policy mode

This command was introduced in OcNOS version 6.4.1.

The example below illustrates the configuration of a policy named 'myPolicy' in OcNOS. It includes a deny rule that restricts access to the 'ip address' command, specifically within the configuration interface mode (config-if).

Use this command to enable the TACACS+ role-based authorization (RBAC) feature.

Use the no form of this command to disable the RBAC feature.

None

By default, feature TACACS+ RBAC is disabled.

Configure mode

This command was introduced in OcNOS version 6.4.1.

The example below illustrates the configuration of enabling the TACACS+ RBAC feature.

Use this command to add a permit rule to a TACACS+ role-based authorization (RBAC) policy.

Use the no form of this command to remove a permit rule in an RBAC policy.

None

RBAC policy mode

This command was introduced in OcNOS version 6.4.1.

The following examples demonstrate the configuration of a policy named 'myPolicy', permitting access to the 'ip address' command specifically in the configuration interface mode.

Use this command to create a TACACS+ role-based authorization (RBAC) policy and enter RBAC policy mode.

Use the no form of this command to remove an RBAC policy.

None

Configure mode

This command was introduced in OcNOS version 6.4.1.

The following examples demonstrate the configuration of creating the RBAC policy named myPolicy, and the command prompt enters the policy configuration mode.

Use this command to create a TACACS+ role-based authorization (RBAC) role and enter RBAC role mode.

Use the no form of this command to remove an RBAC role.

None

Configure mode

This command was introduced in OcNOS version 6.4.1.

The following examples demonstrate the configuration of creating the RBAC role named 'myRole,' with the command prompt entering the role configuration mode.

Use this command to display TACACS+ role-based authorization (RBAC) policies.

None

Exec and privileged exec mode

This command was introduced in OcNOS version 6.4.1.

The following examples display the show output of the RBAC policy named 'myPolicy' and its associated configurations.

Use this command to display information about TACACS+ role-based authorization (RBAC) roles.

None

Exec and privileged exec mode

This command was introduced in OcNOS version 6.4.1.

The following examples display the show output of the RBAC role named 'myRole' and its associated configurations.

Table P‑2-1 explains the output fields.

For smooth operation, verify accurate sensor path configuration, check encoding method compatibility, and ensure proper router-management system connectivity.

The following are some key abbreviations and their meanings relevant to this document:

The following provides definitions for key terms used throughout this document.