
usergroup

system aaa usergroup—Configure groupings of users and assign authorization privileges to the group. Groups define what tasks the group members are authorized to perform on the Viptela device.

If an admin user changes the privileges of a user by changing their group, and if that user is currently logged in to the device, the user is logged out and must log back in again.

vManage Feature Template

For all Viptela devices:

Configuration ► Templates ► AAA

Command Hierarchy

system
  aaa
    usergroup group-name
      task (interface | policy | routing | security | system) (read | write)

Options

Group Name
group-name
Name of an authentication group. In Releases 17.1 and later, group-name can be 1 to 128 characters long, and it must start with a letter. The name can contain only lowercase letters, the digits 0 through 9, hyphens (-), underscores (_), and periods (.). The name cannot contain any uppercase letters. In Releases 16.3 and earlier, group-name can be 1 to 32 characters long, and it must start with a letter. The name can contain only lowercase letters, the digits 0 through 9, and the hyphen (-) and underscore (_) characters. The name cannot contain any uppercase letters.
The Viptela software provides three standard user groups, basic, netadmin, and operator. The user admin is automatically placed in the group netadmin and is the only user in this group. All users learned from a RADIUS or TACACS+ server are placed in the group basic. All users in the basic group have the same permissions to perform tasks, as do all users in the operator group.
The following group names are reserved, so you cannot configure them: adm, audio, backup, bin, cdrom, dialout, dip, disk, fax, floppy, games, gnats, input, irc, kmem, list, lp, mail, man, news, nogroup, plugdev, proxy, quagga, quaggavty, root, sasl, shadow, src, sshd, staff, sudo, sync, sys, tape, tty, uucp, users, utmp, video, voice, and www-data. Also, group names that start with the string viptela-reserved are reserved.
If a remote server validates authentication but does not specify a user group, the user is placed into the user group basic.
If a remote server validates authentication and specifies a user group (say, X), the user is placed into that user group only. However, if that user is also configured locally and belongs to a user group (say, Y), the user is placed into both the groups (X and Y).
Tasks Allowed
task (interface | policy | routing | security | system) (read | write)
Privilege roles that the user group has. Each role allows the group to read or write specific portions of the device's configuration and to execute specific types of operational commands. For details, see the Role-Based Access with AAA article for your software release.

Operational Commands

show aaa usergroup
show users

Example

Display the default user groups and their privileges:

vEdge# show running-config system aaa usergroup   
system
 aaa
  usergroup basic
   task system read write
   task interface read write
  !
  usergroup netadmin
  !
  usergroup operator
   task system read
   task interface read
   task policy read
   task routing read
   task security read
  !
 !
!
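
For a least-privilege review, the output above can be parsed to list which groups hold write privilege on which tasks. The following Python is an added example, not Cisco or Viptela code; the function names parse_usergroups and write_privileges are hypothetical, and the sample input is the output shown in this Example section.

```python
import re

# Sample input: the running-config output shown in the Example section of this page.
SAMPLE = """\
system
 aaa
  usergroup basic
   task system read write
   task interface read write
  !
  usergroup netadmin
  !
  usergroup operator
   task system read
   task interface read
   task policy read
   task routing read
   task security read
  !
 !
!
"""

GROUP_RE = re.compile(r"^\s*usergroup\s+(\S+)\s*$")
TASK_RE = re.compile(
    r"^\s*task\s+(interface|policy|routing|security|system)((?:\s+(?:read|write))+)\s*$")

def parse_usergroups(config_text):
    """Return {group: {task: {'read', 'write'}}} parsed from running-config text."""
    groups, current = {}, None
    for line in config_text.splitlines():
        if (m := GROUP_RE.match(line)):
            current = groups.setdefault(m.group(1), {})
        elif (m := TASK_RE.match(line)) and current is not None:
            current.setdefault(m.group(1), set()).update(m.group(2).split())
        elif line.strip() == "!":
            current = None  # "!" closes the open usergroup block
    return groups

def write_privileges(groups):
    """Return {group: sorted tasks with write access}, omitting groups with none."""
    found = {g: sorted(t for t, perms in tasks.items() if "write" in perms)
             for g, tasks in groups.items()}
    return {g: tasks for g, tasks in found.items() if tasks}

if __name__ == "__main__":
    # netadmin has no task lines in the output, so it is parsed with an empty
    # task map; this script does not infer privileges that are not listed.
    for group, tasks in write_privileges(parse_usergroups(SAMPLE)).items():
        print(f"{group}: write access to {', '.join(tasks)}")
```

Because all users learned from a RADIUS or TACACS+ server land in basic when the server specifies no group, the write privileges reported for basic apply to every such user.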

Release Information

Command introduced in Viptela Software Release 14.1.
In Release 15.3, force a user to log out when their permissions are changed.
In Release 17.1, increase maximum group name to 128 characters and support periods (.) in group name.

Additional Information

See the Configuring User Access and Authentication and Role-Based Access with AAA articles for your software release.
radius
tacacs
user
