Read-Only Users - ASR9K

From DocWiki

Jump to: navigation, search



To create users on the ASR9K with read-only access, we need to define a task-group with read only privileges, create a user group with that taskgroup, then attach the newly created group to the users.

Create the Taskgroup

These are the tasks the user is allowed to run show commands for. This set is everything.

RP/0/RSP1/CPU0:ASR9000# show run taskgroup taskgroup_read_only
taskgroup taskgroup_read_only
 task read fr
 task read li
 task read aaa
 task read acl
 task read atm
 task read bfd
 task read bgp
 task read cdp
 task read cef
 task read cgn
 task read eem
 task read nps
 task read pbr
 task read ppp
 task read qos
 task read rib
 task read rip
 task read sbc
 task read ancp
 task read bcdl
 task read boot
 task read diag
 task read dwdm
 task read hdlc
 task read hsrp
 task read ipv4
 task read ipv6
 task read isis
 task read lisp
 task read lpts
 task read ospf
 task read ouni
 task read rcmd
 task read snmp
 task read vlan
 task read vpdn
 task read vrrp
 task read admin
 task read eigrp
 task read l2vpn
 task read bundle
 task read crypto
 task read fabric
 task read static
 task read sysmgr
 task read system
 task read tunnel
 task read drivers
 task read logging
 task read monitor
 task read mpls-te
 task read netflow
 task read network
 task read pos-dpt
 task read firewall
 task read mpls-ldp
 task read pkg-mgmt
 task read call-home
 task read fault-mgr
 task read interface
 task read inventory
 task read multicast
 task read route-map
 task read sonet-sdh
 task read transport
 task read ext-access
 task read filesystem
 task read tty-access
 task read config-mgmt
 task read ip-services
 task read mpls-static
 task read route-policy
 task read host-services
 task read basic-services
 task read config-services
 task read ethernet-services

Create the User Group

Taskgroups are applied to user groups. I've created a usergroup called usergroup_read_only

RP/0/RSP1/CPU0:ASR9000# show run usergroup usergroup_read_only
usergroup usergroup_ready_only
 taskgroup taskgroup_read_only

Option 1. Create a Local User

Create a local user, and apply the usergroup.

RP/0/RSP1/CPU0:ASR9000# show run username tyler
username tyler
 group usergroup_read_only
 secret 5 $1$wTwU$CdHKzfRJlJ7kDvJa7NWdi.


Show commands work

RP/0/RSP1/CPU0:ASR9000# show clock
13:42:03.811 UTC Thu Jun 30 2016
RP/0/RSP1/CPU0:ASR9000# show run
Building configuration...
!! IOS XR Configuration 5.1.3
hostname ASR9000

[output omitted]

Configuration Attempts Fail

It isn't possible to block access to configure, but any attempted configure will fail.

A basic configuration like creating a loopback interface fails.

RP/0/RSP1/CPU0:ASR9000# conf t
RP/0/RSP1/CPU0:ASR9000(config)# int loopback 103
% This command is not authorized

I can't remove BGP.

RP/0/RSP1/CPU0:ASR9000# configure     
RP/0/RSP1/CPU0:ASR9000(config)# no router bgp 65530
% This command is not authorized

Check Group Assignment

The user logged in is a member of usergroup_read_only

RP/0/RSP1/CPU0:ASR9000# show user group

Check Task Assignment

This user has access only to READ.

RP/0/RSP1/CPU0:ASR9000# show user tasks 
Task:                  aaa  : READ                             
Task:                  acl  : READ                             
Task:                admin  : READ                             
Task:                 ancp  : READ                             
Task:                  atm  : READ                             
Task:       basic-services  : READ                             
Task:                 bcdl  : READ                             
Task:                  bfd  : READ                             
Task:                  bgp  : READ                             
Task:                 boot  : READ                             
Task:               bundle  : READ                             
Task:            call-home  : READ                             
Task:                  cdp  : READ                             
Task:                  cef  : READ                             
Task:                  cgn  : READ                             
Task:          config-mgmt  : READ                             
Task:      config-services  : READ                             
Task:               crypto  : READ                             
Task:                 diag  : READ                             
Task:              drivers  : READ                             
Task:                 dwdm  : READ                             
Task:                  eem  : READ                             
Task:                eigrp  : READ                             
Task:    ethernet-services  : READ                             
Task:           ext-access  : READ                             
Task:               fabric  : READ                             
Task:            fault-mgr  : READ                             
Task:           filesystem  : READ                             
Task:             firewall  : READ                             
Task:                   fr  : READ                             
Task:                 hdlc  : READ                             
Task:        host-services  : READ                             
Task:                 hsrp  : READ                             
Task:            interface  : READ                             
Task:            inventory  : READ                             
Task:          ip-services  : READ                             
Task:                 ipv4  : READ                             
Task:                 ipv6  : READ                             
Task:                 isis  : READ                             
Task:                l2vpn  : READ                             
Task:                   li  : READ                             
Task:                 lisp  : READ                             
Task:              logging  : READ                             
Task:                 lpts  : READ                             
Task:              monitor  : READ                             
Task:             mpls-ldp  : READ                             
Task:          mpls-static  : READ                             
Task:              mpls-te  : READ                             
Task:            multicast  : READ                             
Task:              netflow  : READ                             
Task:              network  : READ                             
Task:                  nps  : READ                             
Task:                 ospf  : READ                             
Task:                 ouni  : READ                             
Task:                  pbr  : READ                             
Task:             pkg-mgmt  : READ                             
Task:              pos-dpt  : READ                             
Task:                  ppp  : READ                             
Task:                  qos  : READ                             
Task:                 rcmd  : READ                             
Task:                  rib  : READ                             
Task:                  rip  : READ                             
Task:            route-map  : READ                             
Task:         route-policy  : READ                             
Task:                  sbc  : READ                             
Task:                 snmp  : READ                             
Task:            sonet-sdh  : READ                             
Task:               static  : READ                             
Task:               sysmgr  : READ                             
Task:               system  : READ                             
Task:            transport  : READ                             
Task:           tty-access  : READ                             
Task:               tunnel  : READ                             
Task:                 vlan  : READ                             
Task:                 vpdn  : READ                             
Task:                 vrrp  : READ


Support Forums - ASR9000/XR Using Taskgroups and understanding Priv levels and authorization - Xander's Guide

Rating: 0.0/5 (0 votes cast)

Personal tools