3-39
Cisco IOS XR Getting Started Guide for the Cisco XR 12000 Series Router
OL-24755-01
Chapter 3 Configuring General Router Features
User Access Privileges
User Groups, Task Groups, and Task IDs
The Cisco IOS XR software ensures security by combining tasks a user wants to perform (task IDs) into
groups, defining which router configuration and management functions users can perform. This policy
is enabled by the definition of:
• User groups—Collection of users that share similar authorization rights on a router.
• Task groups—Definition of collection of tasks identified by unique task IDs for each class of action.
• Task IDs—Definition of permission to perform particular tasks; pooled into a task group that is then
assigned to users.
The commands you can perform are defined by the user groups to which you belong. Within the Cisco
IOS XR software, the commands for a particular feature, like access control lists, are assigned to tasks.
Each task is uniquely identified by a task ID. To use a particular command, your username must be
associated with the appropriate task ID.
The association between a username and a task ID takes place through two intermediate entities, the user
group and task group.
The user group is a logical container used to assign the same task IDs to multiple users. Instead of
assigning task IDs to each user, you can assign them to the user group. Then, you can assign users to that
user group. When a task is assigned to a user group, you can define the access rights for the commands
associated with that task. These rights include “read”, “write”, “execute”, and “notify”.
The task group is also a logical container, but it is used to group tasks. Instead of assigning task IDs to
each user group, you assign them to a task group. This allows you to quickly enable access to a specific
set of tasks by assigning a task group to a user group.
To summarize the associations, usernames are assigned to user groups, which are then assigned to task
groups. Users can be assigned to multiple user groups, and each user group can be assigned to one or
more task groups. The commands that a user can execute are all those commands assigned to the tasks
within the task groups that are associated with the user groups to which the user belongs.
Users are not assigned to groups by default and must be explicitly assigned by an administrator.
The following example shows how you can display all task IDs available on the system with the show
task supported command.
RP/0/RP0/CPU0:router# show task supported
bgp
ospf
hsrp
isis
route-map
route-policy
static
vrrp
cef
lpts
iep
rib
multicast
mpls-te
mpls-ldp
mpls-static
ouni
fabric
bundle
network
transport
To Next Page
Loading...
Need help?
General
