Administrator Guide
The system dened user roles are as follows:
• Network Operator (netoperator) - This user role has no privilege to modify any conguration on the switch. You can access Exec
mode (monitoring) to view the current conguration and status information.
• Network Administrator (netadmin): This user role can congure, display, and debug the network operations on the switch. You
can access all of the commands that are available from the network operator user role. This role does not have access to the
commands that are available to the system security administrator for cryptography operations, AAA, or the commands reserved
solely for the system administrator.
• Security Administrator (secadmin): This user role can control the security policy across the systems that are within a domain or
network topology. The security administrator commands include FIPS mode enablement, password policies, inactivity timeouts,
banner establishment, and cryptographic key operations for secure access paths.
• System Administrator (sysadmin). This role has full access to all the commands in the system, exclusive access to commands
that manipulate the le system formatting, and access to the system shell. This role can also create user IDs and user roles.
The following summarizes the modes that the predened user roles can access.
Role Modes
netoperator
netadmin Exec Cong Interface Router IP Route-map Protocol MAC
secadmin Exec Cong Line
sysadmin Exec Cong Interface Line Router IP Route-map Protocol MAC
User Roles
This section describes how to create a new user role and congure command permissions and contains the following topics.
• Creating a New User Role
• Modifying Command Permissions for Roles
• Adding and Deleting Users from a Role
Creating a New User Role
Instead of using the system dened user roles, you can create a new user role that best matches your organization. When you create
a new user role, you can rst inherit permissions from one of the system dened roles. Otherwise you would have to create a user
role’s command permissions from scratch. You then restrict commands or add commands to that role. For more information about
this topic, see
Modifying Command Permissions for Roles.
NOTE: You can change user role permissions on system pre-dened user roles or user-dened user roles.
Important Points to Remember
Consider the following when creating a user role:
• Only the system administrator and user-dened roles inherited from the system administrator can create roles and user
names. Only the system administrator, security administrator, and roles inherited from these can use the "role" command to
modify command permissions. The security administrator and roles inherited by security administrator can only modify
permissions for commands they already have access to.
• Make sure you select the correct role you want to inherit.
• If you inherit a user role, you cannot modify or delete the inheritance. If you want to change or remove the inheritance, delete the
user role and create it again. If the user role is in use, you cannot delete the user role.
1. Create a new user role
CONFIGURATION mode
Security
703