Configuring User Accounts and RBAC
only to configuration operations, and role2 allows access only to debug operations, then users who belong to
both role1 and role2 can access configuration and debug operations. You can also limit access to specific
virtual routing and forwarding instances (VRFs), VLANs, and interfaces.
The Cisco NX-OS software provides the following user roles:
• network-admin—Complete read-and-write access to the entire Cisco NX-OS device
• network-operator or vdc-operator—Complete read access to the entire Cisco NX-OS device
Note
You cannot change the user roles.
Note
Some show commands may be hidden from network-operator users. In addition, some non-show commands
(such as telnet) may be available for this user role.
By default, the user accounts without an administrator role can access only the show, exit, end, and configure
terminal commands. You can add rules to allow users to configure features.
Note
If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles.
Access to a command takes priority over being denied access to a command. For example, suppose a user has
RoleA, which denies access to the configuration commands. However, the user also has RoleB, which has
access to the configuration commands. In this case, the user has access to the configuration commands.
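The following added example is not part of the Cisco guide. It models the multi-role behavior described in the note above so that an administrator can list the commands a user can still run because a permit in one role overrides a deny in another. The users, the rule patterns, the full-match regex semantics, and the in-role ordering (highest-numbered matching rule decides) are assumptions; the default show, exit, end, and configure terminal access is not modelled.

```python
import re

# Constructed sample data, not from the guide.
# Each rule: (rule number, action, command regex). RoleA denies configuration
# commands; RoleB permits some of them, as in the note above.
ROLES = {
    "RoleA": [(1, "deny", r"(interface|vlan|router) .*")],
    "RoleB": [(1, "permit", r"(interface|vlan) .*"),
              (2, "deny", r"interface mgmt0")],
}
USERS = {"alice": ["RoleA", "RoleB"], "bob": ["RoleA"]}
PROBES = ["interface ethernet 1/1", "interface mgmt0", "vlan 10",
          "router bgp 65000"]


def role_decision(rules, command):
    """Return 'permit', 'deny', or None (no rule matched) for one role."""
    # Assumption: within a role, the highest-numbered matching rule decides.
    for _, action, pattern in sorted(rules, reverse=True):
        if re.fullmatch(pattern, command):
            return action
    return None


def decisions(user, command):
    """Per-role decision for every role assigned to the user."""
    return {role: role_decision(ROLES[role], command) for role in USERS[user]}


def is_allowed(user, command):
    """A permit from any role wins over a deny from another role."""
    return "permit" in decisions(user, command).values()


def overridden_denies(user, commands):
    """Commands that one of the user's roles denies but another permits."""
    findings = []
    for cmd in commands:
        by_role = decisions(user, cmd)
        deniers = sorted(r for r, a in by_role.items() if a == "deny")
        permitters = sorted(r for r, a in by_role.items() if a == "permit")
        if deniers and permitters:
            findings.append((cmd, deniers, permitters))
    return findings


if __name__ == "__main__":
    for user in USERS:
        for cmd, deniers, permitters in overridden_denies(user, PROBES):
            print(f"{user}: '{cmd}' denied by {deniers}, allowed via {permitters}")
```

A non-empty result for a user means that a deny rule in one of that user's roles has no effect for the listed commands.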
User Role Rules
The rule is the basic element of a role. A rule defines what operations the role allows the user to perform. You
can apply rules for the following parameters:
Command: A command or group of commands defined in a regular expression.
Feature: A command or group of commands defined in a regular expression.
Feature group: Default or user-defined group of features.
OID: An SNMP object identifier (OID).
Note
• The Cisco Nexus 9000 Series switches do not support multiple VDCs;
however, the vdc-operator role is available and has the same privileges and
limitations as the network-operator role.
• The Cisco Nexus 9000 Series switches support a single VDC, so the
vdc-admin role has the same privileges and limitations as the network-admin role.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x