API Guide

Levels 2 to 14: Not configured. You can customize these levels for different users and access rights.
Privilege levels inherit the commands supported on all lower levels. After logging in with a user role, a user has access to
commands assigned to his privilege level and lower levels.
For users assigned to the sysadmin, netadmin, and secadmin roles, you cannot configure a privilege level lower than 2. You
can configure netoperator users with privilege levels 0 or 1.
After you assign commands to privilege levels, assign the privilege level to users with the username command. Use the
enable password privilege-level command to switch between privilege levels and access the commands supported
at each level. The disable command takes the user to a lower level.
When a remote user logs in, OS10 checks for a match in the local system. If a local user entry is found, the privilege level of the
local user is applied to the remote user for the login session. If no match is found in the local system, OS10 assigns a default
privilege level according to the role of the remote user:
  sysadmin, secadmin, and netadmin roles: Level 15
  netoperator role: Level 1
NOTE: The role of a local user in the system and the remote user who logs in must be the same at both ends.
Configure privilege levels
To restrict CLI access, create the required privilege levels for user roles, assign commands to each level, and assign privilege
levels to users.
1. Create privilege levels in CONFIGURATION mode.
   privilege mode priv-lvl privilege-level command-string
   mode: Enter the privilege mode used to access CLI modes:
     exec: Accesses EXEC mode.
     configure: Accesses class-map, DHCP, logging, monitor, openflow, policy-map, QOS, support-assist, telemetry, CoS, Tmap, UFD, VLT, VN, VRF, WRED, and alias modes.
     interface: Accesses Ethernet, fibre-channel, loopback, management, null, port-group, lag, breakout, range, port-channel, and VLAN modes.
     route-map: Accesses route-map mode.
     router: Accesses router-bgp and router-ospf modes.
     line: Accesses line-vty mode.
   priv-lvl privilege-level: Enter the number of a privilege level, from 2 to 14.
   command-string: Enter the commands supported at the privilege level.
2. Create a user name, password, and role, and assign a privilege level in CONFIGURATION mode.
   username username password password role role priv-lvl privilege-level
   username username: Enter a text string; 32 alphanumeric characters maximum; one character minimum.
   password password: Enter a text string; 32 alphanumeric characters maximum, nine characters minimum.
   role role: Enter a user role:
     sysadmin: Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell. A system administrator can create user IDs and user roles.
     secadmin: Full access to configuration commands that set security policy and system access, such as password strength, AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic keys, login statistics, and log information.
     netadmin: Full access to configuration commands that manage traffic flowing through the switch, such as routes, interfaces, and ACLs. A network administrator cannot access configuration commands for security features or view security information.
     netoperator: Access to EXEC mode to view the current configuration with limited access. A network operator cannot modify any configuration setting on a switch.
   priv-lvl privilege-level: Enter a privilege level, from 0 to 15. If you do not specify the priv-lvl option, the system assigns privilege level 1 for the netoperator user and privilege level 15 for the sysadmin, secadmin, and netadmin users.
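
The following Python sketch is an added example, not part of the OS10 documentation or software. It audits username lines against the role and level rules above and works out the level a remote login would receive. It assumes the lines follow the step 2 syntax exactly; the sample users and the function names are constructed for illustration.

```python
import re

# Default level per role when priv-lvl is omitted (values from the text above).
DEFAULT_LEVEL = {"sysadmin": 15, "secadmin": 15, "netadmin": 15, "netoperator": 1}

# Assumption: config lines follow the step 2 syntax exactly.
USER_RE = re.compile(r"^username (?P<name>\S+) password \S+ role (?P<role>\S+)"
                     r"(?: priv-lvl (?P<lvl>\d+))?$")

# Constructed sample input; password fields are placeholders.
SAMPLE = """\
username alice password PLACEHOLDER role sysadmin priv-lvl 1
username bob password PLACEHOLDER role netoperator
username carol password PLACEHOLDER role secadmin priv-lvl 12
"""

def parse_users(config_text):
    """Return {name: (role, level)}, filling in the default level if priv-lvl is absent."""
    users = {}
    for line in config_text.splitlines():
        m = USER_RE.match(line.strip())
        if m and m["role"] in DEFAULT_LEVEL:
            level = int(m["lvl"]) if m["lvl"] else DEFAULT_LEVEL[m["role"]]
            users[m["name"]] = (m["role"], level)
    return users

def audit(users):
    """List entries that break the documented role and level limits."""
    findings = []
    for name, (role, level) in sorted(users.items()):
        if level > 15:
            findings.append(f"{name}: level {level} is outside 0-15")
        elif role != "netoperator" and level < 2:
            # Only netoperator users may hold levels 0 or 1.
            findings.append(f"{name}: role {role} requires level 2 or higher, found {level}")
    return findings

def remote_session_level(users, name, remote_role):
    """Return (level, warning) for a remote login, per the matching rule above."""
    if name not in users:
        return DEFAULT_LEVEL[remote_role], None  # no local entry: role default
    local_role, level = users[name]
    if local_role != remote_role:
        # The page requires matching roles and does not say what happens otherwise.
        return None, f"{name}: role mismatch (local {local_role}, remote {remote_role})"
    return level, None  # local entry found: its level applies to the session
```

A remote account with no local entry and an admin role resolves to level 15, so creating local entries with explicit levels is how that default is narrowed.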