system aaa usergroup—Configure groupings of users and assign authorization privileges to the group. Groups define what tasks the group members are authorized to perform on the Viptela device.
If an admin user changes the privileges of a user by changing their group, and if that user is currently logged in to the device, the user is logged out and must log back in again.
vManage Feature Template
For all Viptela devices:
Configuration ► Templates ► AAA
- Group Name
Name of an authentication group. In Releases 17.1 and later, group-name can be 1 to 128 characters long, and it must start with a letter. The name can contain only lowercase letters, the digits 0 through 9, hyphens (-), underscores (_), and periods (.). The name cannot contain any uppercase letters. In Releases 16.3 and earlier, group-name can be 1 to 32 characters long, and it must start with a letter. The name can contain only lowercase letters, the digits 0 through 9, and the hyphen (-) and underscore (_) characters. The name cannot contain any uppercase letters.
The Viptela software provides three standard user groups, basic, netadmin, and operator. The user admin is automatically placed in the group netadmin and is the only user in this group. All users learned from a RADIUS or TACACS+ server are placed in the group basic. All users in the basic group have the same permissions to perform tasks, as do all users in the operator group.
The following group names are reserved, so you cannot configure them: adm, audio, backup, bin, cdrom, dialout, dip, disk, fax, floppy, games, gnats, input, irc, kmem, list, lp, mail, man, news, nogroup, plugdev, proxy, quagga, quaggavty, root, sasl, shadow, src, sshd, staff, sudo, sync, sys, tape, tty, uucp, users, utmp, video, voice, and www-data. Also, group names that start with the string viptela-reserved are reserved.
If a remote server validates authentication but does not specify a user group, the user is placed into the user group basic.
If a remote server validates authentication and specifies a user group (say, X), the user is placed into that user group only. However, if that user is also configured locally and belongs to a user group (say, Y), the user is placed into both the groups (X and Y).
- Tasks Allowed
- task (interface | policy | routing | security | system) (read | write)
Privilege roles that the user group has. Each role allows the group to read or write specific portions of the device's configuration and to execute specific types of operational commands. For details, see the Role-Based Access with AAA article for your software release.
Display the default user groups and their privileges:
vEdge# show running-config system aaa usergroup
system
 aaa
  usergroup basic
   task system read write
   task interface read write
  !
  usergroup netadmin
  !
  usergroup operator
   task system read
   task interface read
   task policy read
   task routing read
   task security read
  !
 !
!
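As an added example (not Cisco/Viptela code), the following Python check applies this page's group-name rules per release and the remote/local group placement rules, so a template can be validated before it is pushed; the function names and the release keys "17.1" and "16.3" are assumptions.

```python
import re

# Reserved names listed on this page; names starting with "viptela-reserved"
# are reserved as well.
RESERVED_GROUPS = {
    "adm", "audio", "backup", "bin", "cdrom", "dialout", "dip", "disk", "fax",
    "floppy", "games", "gnats", "input", "irc", "kmem", "list", "lp", "mail",
    "man", "news", "nogroup", "plugdev", "proxy", "quagga", "quaggavty", "root",
    "sasl", "shadow", "src", "sshd", "staff", "sudo", "sync", "sys", "tape",
    "tty", "uucp", "users", "utmp", "video", "voice", "www-data",
}

# Name rules per release (assumed keys): maximum length and the character
# class allowed after the leading lowercase letter.
NAME_RULES = {
    "17.1": (128, "[a-z0-9._-]"),  # Releases 17.1 and later: periods allowed
    "16.3": (32, "[a-z0-9_-]"),    # Releases 16.3 and earlier
}


def validate_group_name(name, release="17.1"):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    max_len, char_class = NAME_RULES[release]
    problems = []
    if not 1 <= len(name) <= max_len:
        problems.append("length must be 1..%d characters" % max_len)
    if not re.fullmatch("[a-z]" + char_class + "*", name):
        problems.append("must start with a lowercase letter and use only the allowed characters")
    if name in RESERVED_GROUPS or name.startswith("viptela-reserved"):
        problems.append("name is reserved")
    return problems


def effective_groups(remote_group, local_group):
    """Groups a remotely authenticated (RADIUS/TACACS+) user is placed in.

    remote_group: group named by the server, or None if it named none.
    local_group: group from the device's local user config, or None if the
    user is not configured locally.
    """
    if remote_group is None:
        return {"basic"}          # server validated the user but named no group
    groups = {remote_group}       # group X from the server
    if local_group is not None:
        groups.add(local_group)   # local group Y is added, not replaced
    return groups
```

Because a user who exists both remotely and locally lands in both groups, the privileges of the local group are added to those the server assigned, so local group membership of such accounts deserves review.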
Command introduced in Viptela Software Release 14.1.
In Release 15.3, force a user to log out when their permissions are changed.
In Release 17.1, increase maximum group name to 128 characters and support periods (.) in group name.