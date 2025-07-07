Users can define new accounts with one of the available roles and modify the role of existing users as needed.

admin@nvos:~$ nv set system aaa user new_monitor role monitor

Note: The roles of the default accounts (admin and monitor) cannot be changed.

In addition to the default roles that NVOS provides, you can create your own roles to restrict authorization, giving you more granular control over what a user can manage on the switch. For example, you can assign a user the role of network manager and provide the user privileges for interface management, service management and system management. When the user logs in and executes an NVUE command, NVUE checks the user privileges and authorizes the user to run that command.

Custom role-based access control consists of the following elements:

Element: Role
A virtual identifier for multiple classes (groups). You can assign only one role to a user. For example, for a user that can manage interfaces, you can create a role called IBMgr.

Element: Class
A class is similar in concept to a Linux group. Creating and managing classes is the simplest way to configure multiple users simultaneously, especially when configuring permissions. A class consists of:
- Command paths, which NVOS bases on the objects in the NVUE declarative model and which are the same as URI paths. For example, you can use the /interface/ command path to allow or deny a user access to all interfaces, or /system/ntp to allow or deny a user access to NTP configuration. Press the Tab key to see the available command paths (nv set system aaa class <class-name> command-path / <<press tab>>).
- Permissions for the command paths: ro to run show commands, rw to run set, unset, and apply commands, act to run action commands, or all to run all commands. The default permission setting is all.

Element: Action
The action for the class: allow or deny.

Note: You can assign a maximum of 64 classes to a role, and you can configure a maximum of 128 command paths for a class.

When you configure a command path, you allow or deny a specific schema path and all of its children. For example, the command path /interface/ allows or denies access to all interface commands, whereas the command path /interface/eth0 allows or denies access only to eth0 commands.

The following example describes the permissions for a role (role1) that consists of three classes: class1, class2, and class3.

class1 has the allow class action and the following command path permissions:

Command Path      Permissions
/interface/       all
/ib/              ro

class2 has the allow class action and the following command path permissions:

Command Path      Permissions
/system/          ro
/ib/              act
/vrf/             rw

class3 has the deny class action and the following command path permissions:

Command Path      Permissions
/interface/eth0/  ro
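To make the role1 example concrete, here is an added Python model of how a role assembled from classes of command paths can be evaluated when a user runs an NVUE command. This is example code written for this page, not NVOS or NVUE code. The page does not state how overlapping allow and deny entries across classes are combined, so the combination rule below is an assumption: every allow entry whose command path covers the requested path contributes its permissions (unioned), and every covering deny entry then subtracts the permissions it names. The reading of rw as read plus write, the mapping of show/set/unset/apply/action commands onto the R/W/X letters, and the AccessClass and Role names are likewise this example's own.

```python
# Added example (not NVOS code): evaluating a role built from classes of
# command paths. ASSUMPTION: permissions from every allow entry whose
# command path covers the requested path are unioned, then every covering
# deny entry subtracts the permissions it names.
from dataclasses import dataclass, field

# Permission letters as used in the page's result table:
# R = read (show), W = write (set/unset/apply), X = action.
PERM_SETS = {
    "ro": {"R"},
    "rw": {"R", "W"},
    "act": {"X"},
    "all": {"R", "W", "X"},
}

# Which NVUE command kind needs which permission letter (this example's mapping).
COMMAND_PERM = {"show": "R", "set": "W", "unset": "W", "apply": "W", "action": "X"}


def _norm(path: str) -> str:
    """Normalise a command path so /interface/ and /interface compare equal."""
    return "/" + path.strip("/")


def covers(class_path: str, target: str) -> bool:
    """True if class_path is target itself or an ancestor of it (segment-aligned,
    so /interface covers /interface/eth0 but not /interfaces/x)."""
    cp, tp = _norm(class_path), _norm(target)
    if cp == "/":
        return True
    return tp == cp or tp.startswith(cp + "/")


@dataclass
class AccessClass:
    name: str
    action: str                                 # "allow" or "deny"
    paths: dict = field(default_factory=dict)   # command path -> ro/rw/act/all

    def __post_init__(self):
        if self.action not in ("allow", "deny"):
            raise ValueError(f"{self.name}: action must be allow or deny")
        if len(self.paths) > 128:               # limit stated on the page
            raise ValueError(f"{self.name}: more than 128 command paths")
        for p, perm in self.paths.items():
            if perm not in PERM_SETS:
                raise ValueError(f"{self.name}: bad permission {perm!r} for {p}")


@dataclass
class Role:
    name: str
    classes: list

    def __post_init__(self):
        if len(self.classes) > 64:              # limit stated on the page
            raise ValueError(f"{self.name}: more than 64 classes")

    def effective(self, path: str) -> set:
        """Permission letters a user with this role holds on `path`."""
        granted: set = set()
        for cls in self.classes:                # allows first (union)
            if cls.action == "allow":
                for p, perm in cls.paths.items():
                    if covers(p, path):
                        granted |= PERM_SETS[perm]
        for cls in self.classes:                # then denies subtract
            if cls.action == "deny":
                for p, perm in cls.paths.items():
                    if covers(p, path):
                        granted -= PERM_SETS[perm]
        return granted

    def authorize(self, command: str, path: str) -> bool:
        """Would this role let `command` (show/set/unset/apply/action) run on `path`?"""
        return COMMAND_PERM[command] in self.effective(path)


# The page's worked example: role1 = class1 + class2 + class3.
ROLE1 = Role("role1", [
    AccessClass("class1", "allow", {"/interface/": "all", "/ib/": "ro"}),
    AccessClass("class2", "allow", {"/system/": "ro", "/ib/": "act", "/vrf/": "rw"}),
    AccessClass("class3", "deny", {"/interface/eth0/": "ro"}),
])


def permission_table(role: Role, paths) -> dict:
    """Effective permissions as a compact 'RWX'-style string per path."""
    return {p: "".join(l for l in "RWX" if l in role.effective(p)) for p in paths}


if __name__ == "__main__":
    table = permission_table(
        ROLE1, ["/interface/", "/interface/eth0/", "/ib/", "/system/", "/vrf/"]
    )
    for p, perms in table.items():
        print(f"{p:20} {perms or '-'}")
```

Under the stated assumption, the deny in class3 only strips read on eth0, so a role1 user can still set or act on eth0 while losing show there; /ib/ collects read from class1 and action from class2; paths no class mentions (such as /router/) yield no permissions at all, which is the least-privilege default the role model implies.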

The following table shows the permissions for a user assigned the role role1. In the table, R is read only (RO), W is write, and X is action (ACT).