Reference Guide

min-length number — Enter the minimum number of required alphanumeric characters (6 to 32; default 9).
character-restriction — Enter a requirement for the alphanumeric characters in a password:
upper number — Minimum number of uppercase characters required (0 to 31; default 0).
lower number — Minimum number of lowercase characters required (0 to 31; default 0).
numeric number — Minimum number of numeric characters required (0 to 31; default 0).
special-char number — Minimum number of special characters required (0 to 31; default 0).
Create password rules
OS10(config)# password-attributes min-length 7 character-restriction upper 4 numeric 2
Display password rules
OS10(config)# do show running-configuration password-attributes
password-attributes min-length 7 character-restriction upper 4 numeric 2
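The following Python is an added example, not part of this guide or of OS10: it parses a password-attributes line such as the one shown above, rejects values outside the documented ranges, and reports which rules a candidate password fails, which is useful for checking a policy before it is rolled out. The function names are hypothetical, and two behaviours are assumptions rather than documented OS10 behaviour: length is counted over all characters, and any non-alphanumeric character counts as a special character.

```python
# Ranges and defaults as documented for password-attributes on this page.
DEFAULTS = {"min-length": 9, "upper": 0, "lower": 0, "numeric": 0, "special-char": 0}
RANGES = {"min-length": (6, 32), "upper": (0, 31), "lower": (0, 31),
          "numeric": (0, 31), "special-char": (0, 31)}


def parse_password_attributes(line):
    """Parse one 'password-attributes ...' line into a full policy dict."""
    tokens = line.split()
    if not tokens or tokens[0] != "password-attributes":
        raise ValueError("not a password-attributes line")
    policy = dict(DEFAULTS)  # unset keywords keep their documented defaults
    rest = [t for t in tokens[1:] if t != "character-restriction"]
    if len(rest) % 2:
        raise ValueError("keyword without a value")
    for key, value in zip(rest[::2], rest[1::2]):
        if key not in RANGES or not value.isdecimal():
            raise ValueError(f"unexpected token pair: {key} {value}")
        low, high = RANGES[key]
        if not low <= int(value) <= high:
            raise ValueError(f"{key} {value} outside {low}-{high}")
        policy[key] = int(value)
    return policy


def violations(policy, password):
    """Return the names of the rules that the candidate password fails."""
    # Assumption: a special character is anything that is not alphanumeric.
    counts = {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "numeric": sum(c.isdigit() for c in password),
        "special-char": sum(not c.isalnum() for c in password),
    }
    failed = [rule for rule, n in counts.items() if n < policy[rule]]
    # Assumption: min-length is checked against the total character count.
    if len(password) < policy["min-length"]:
        failed.insert(0, "min-length")
    return failed


if __name__ == "__main__":
    # Rule line from the example above; the candidate passwords are constructed.
    rule = "password-attributes min-length 7 character-restriction upper 4 numeric 2"
    policy = parse_password_attributes(rule)
    for candidate in ("ABCDefg12", "Abcdefg12", "ABCD12"):
        print(candidate, violations(policy, candidate) or "ok")
```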
Role-based access control
RBAC provides control for access and authorization. Users are granted permissions based on defined roles — not on their individual system
user ID. Create user roles based on job functions to help users perform their associated job function. You can assign each user only a single
role, and many users can have the same role. When you enter a user role, you are authenticated and authorized. You do not need to enter
an enable password because you are automatically placed in EXEC mode.
OS10 supports the constrained RBAC model. With this model, you can inherit permissions when you create a new user role, restrict or add
commands a user can enter, and set the actions the user can perform. This allows greater flexibility when assigning permissions for each
command to each role. Using RBAC makes administering user rights easier and more efficient. If a user’s role matches one of the allowed user
roles for that command, command authorization is granted.
A constrained RBAC model provides separation of duty as well as greater security. A constrained model places some limitations on each
role’s permissions to allow you to partition tasks. Some inheritance is possible. For greater security, only some user roles can view events,
audits, and security system logs.
Assign user role
To limit OS10 system access, assign a role when you configure each user.
Enter a user name, password, and role in CONFIGURATION mode.
username username password password role role
username username — Enter a text string (up to 32 alphanumeric characters; 1 character minimum).
password password — Enter a text string (up to 32 alphanumeric characters; 9 characters minimum).
role role — Enter a user role:
sysadmin — Full access to all commands in the system, exclusive access to commands that manipulate the file system, and
access to the system shell. A system administrator can create user IDs and user roles.
secadmin — Full access to configuration commands that set security policy and system access, such as password strength,
AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic
keys, login statistics, and log information.
netadmin — Full access to configuration commands that manage traffic flowing through the switch, such as routes,
interfaces, and ACLs. A network administrator cannot access configuration commands for security features or view security
information.
netoperator — Access to EXEC mode to view the current configuration. A network operator cannot modify any
configuration setting on a switch.