Users Guide

With Role-Based Access Control (RBAC), access and authorization is controlled based on a user’s role. Users are granted

permissions based on their user roles, not on their individual user ID. User roles are created for job functions and through those roles

they acquire the permissions to perform their associated job function.

This chapter consists of the following sections:

• Conguring Role-based Only AAA Authorization

• System-Dened RBAC User Roles

• Modifying Command Permissions for Roles

• Adding and Deleting Users from a Role

• Role Accounting

• Conguring AAA Authentication for Roles

• Conguring an Accounting for Roles

• Applying an Accounting Method to a Role

• Displaying User Roles

The Dell Networking OS supports the constrained RBAC model. With a constrained RBAC model, you can inherit permissions when

you create a new user role, restrict or add commands a user can enter and the actions the user can perform. This allows for greater

exibility in assigning permissions for each command to each role and as a result, it is easier and much more ecient to administer

A constrained RBAC model provides for separation of duty and as a result, provides greater security than the hierarchical RBAC

model. Essentially, a constrained model puts some limitations around each role’s permissions to allow you to partition of tasks.

However, some inheritance is possible.

Default command permissions are based on CLI mode (such as congure, interface, router), any specic command settings, and the

permissions allowed by the privilege and role commands. The role command allows you to change permissions based on the role. You

can modify the permissions specic to that command and/or command option. For more information, see Modifying Command

Permissions for Roles .

750