NxOS and Role Based Authorization

Guys,
Basic setup - using the default user admin I log in with no problems - commands such as show mod and config changes, no problem: role = network-admin
I create a user account with the same role as the admin user and I cannot issue the same commands - permission denied?
Stumped - any ideas what's missing here?
Thanks

Out of desperation, I tried combinations of shorter usernames, similar to the admin username.
The result - for whatever reason it seems (I cannot confirm as such) that if you use usernames for local authentication in excess of 8 characters you cannot get full network-admin role privileges,
even though when you do a show user-account, it displays your full username and the correct role.
It seems almost as if the authentication element works, but the role categorisation seems to fail for whatever reason (what I would call authorisation).
Feels like a bug to me; anyway, putting it on TACACS tomorrow, hopefully with different results.
I am running 4.2(1)SV1(4) on a Nexus 1000v. I hope this saves you some time.
Apologies if this is a known issue or "feature" - but I was not aware of it.
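A way to audit a switch for the symptom described above, as an added example that is not part of the original post: it parses the output of show user-account and lists every account that holds network-admin and has a username longer than 8 characters. The sample output, the exact output layout and the 8-character threshold (the poster's observation, not a documented limit) are assumptions.

```python
"""Audit NX-OS 'show user-account' output for the symptom in the post:
local accounts longer than 8 characters that hold network-admin.

The sample below is constructed, modelled on the 'user:' / 'roles:'
layout of the command; the 8-character threshold is the poster's
observation, not a documented limit (assumption).
"""
import re

# Constructed sample output (not captured from a real switch).
SAMPLE_OUTPUT = """\
user:admin
        this user account has no expiry date
        roles:network-admin
user:netops
        this user account has no expiry date
        roles:network-operator
user:firstname.lastname
        this user account has no expiry date
        roles:network-admin
user:backupadmin
        this user account has no expiry date
        roles:network-admin network-operator
"""

MAX_SAFE_LEN = 8            # threshold reported in the post (assumption)
PRIV_ROLE = "network-admin"


def parse_user_accounts(text):
    """Return {username: [roles]} parsed from 'show user-account' text."""
    accounts = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^user:(\S+)", line)
        if m:
            current = m.group(1)
            accounts[current] = []
            continue
        m = re.match(r"^\s+roles:(.*)$", line)
        if m and current is not None:
            accounts[current] = m.group(1).split()
    return accounts


def find_suspect_accounts(accounts, max_len=MAX_SAFE_LEN, role=PRIV_ROLE):
    """Usernames that hold `role` and are longer than `max_len` characters,
    i.e. the accounts to re-test after the behaviour described in the post."""
    return sorted(u for u, roles in accounts.items()
                  if role in roles and len(u) > max_len)


if __name__ == "__main__":
    accts = parse_user_accounts(SAMPLE_OUTPUT)
    for user in find_suspect_accounts(accts):
        print(f"re-test {user}: {len(user)} chars, roles={accts[user]}")
```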

Similar Messages

  • XWS-Security, JAAS and role-based authorization

What is my best bet to try to authorize users to use certain web services? For example, let's say a user logs into a web application A, which connects to a web application B implementing Web Services and XWSS.
    A passes along the userNameToken, and B authenticates it (let's say, using JAAS). Now it needs to authorize the user to use the actual web service. Can I do this with JAAS? What is the best way to define the policies? Does it mean I have to create PrivilegedActions for every webservice? What are my other alternatives besides JAAS?
    Thanks in advance.

    Alternatively, is there a way to see which web service the client is requesting from the SecurityEnvironmentHandler (callbackHandler)?

  • Custom security JHeadstart 11gTP1 -Use Role-based Authorization is missing

    In JHeadstart 11g TP1 the option Use Role-based Authorization is missing.
Will this option only be available in the production release of JHeadstart 11g? What is the reason why this is missing? Is it still possible to use CUSTOM authorization in JHeadstart 11g TP1?

    It is not missing.
    If you turn on custom authorization, you can specify your own roles against groups to access them, and use role names in the insert allowed/update allowed and delete allowed expressions.
    Steven Davelaar,
    JHeadstart Team.

  • How to set role based Authorization in JAAS

How to set role based Authorization in JAAS?
I had user name, password and role in FileLogin.
    thanks
    arun .v.

    http://dev2dev.bea.com/pub/a/2003/04/Kemp_Helton.html?page=last

  • Can't use role-based authorization

    We can't use role-based authorization because the permissions
    and their assignments change frequently. Is there any alternative
    where we can still use WLS to handle security?

    Dave,
If you're using WLS6 the console supports dynamic user updates so you could
change each user's configuration as needed.
    Alex
    Dave <[email protected]> wrote in message
    news:3a672c81$[email protected]..
> We can't use role-based authorization because the permissions
> and their assignments change frequently. Is there any alternative
> where we can still use WLS to handle security?

  • Difference between ID and Role based Administration - Firefighter 5.3

    In GRC AC 5.3 Firefighter, security guide, there are two sections for role design,
    1. Firefighter Role based Administration
    2. Firefighter ID based Administration
    Can someone explain what is the difference between the two?
    I have read the documentation, but it does not have a clear description of the
    differences between the two.
    Please help.
    Thanks

Hi Prakash,
Though both of them eventually achieve the same function, that is giving access rights to the user for a certain period under monitoring, these differ based on the following:
1. Firefighter Role based Administration
You identify a particular role as a firefighter role and give it to the user.
2. Firefighter ID based Administration
You create a separate user altogether and give the normal dialog user the access to this user's authorization.
For the implication that both of these have and the differences or comparisons between using 1 & 2, I would suggest you do a bit of mock testing for both of these. Also, there are a lot of posts related to this on the forum already, which you can refer to for getting a more detailed idea on this topic. Ultimately, it depends from organization to organization which methodology they follow as per what suits them, according to the features which both have. But generally what is preferred is Number 2.
    Regards,
    Hersh.

  • Privileges and Roles Based Views

    Hello,
I have been configuring Roles Based Views with Windows RADIUS authentication on our 2960's and 3750's and it is working great.  I have 2 users, one with a Roles Based View called "priv3" and the other is for admins who log in as the "root" view.  I have one Windows Active Directory group for "priv3" users and the other for admins using "root".
Now I have to configure this on our 2955 switches and to my horror they don't seem to support Roles Based Views!!  If you know whether they can then all this would be solved; I'm using the latest IOS c2955-i6k2l2q4-mz.121-22.EA13.bin.
How can I convert the Roles Based Views to privileges and use RADIUS and not affect the other switches, as I've never used privileges.
I hope someone can help with the config:
Below is the config I use on the 2960's and 3750's and also what I use on the RADIUS servers.  I guess I would need to use a priv 15 setup and a custom view called priv3?
    Priv3 radius user settings
    cisco av-pair cli-view-name=priv3
    Priv 15 or root user settings
    cisco av-pair shell:priv-lvl=15
    cisco av-pair shell:cli-view-name=root
    Config:
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname 3750
    boot-start-marker
    boot-end-marker
    logging buffered 64000
    logging console informational
    logging monitor informational
    enable secret 5 $1$1UGK$kHB.S2UwMVXaG3C0
    username admin privilege 15 secret 5 $1$BsaS$cLHllovL2ZFb1
    username priv3users view priv3 secret 5 $1$JfnH$vUu.B.natnyB.
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication enable default line
    aaa authorization console
    aaa authorization exec default group radius local
    aaa session-id common
    clock timezone GMT 0
    clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
    switch 1 provision ws-c3750g-12s
    switch 2 provision ws-c3750g-12s
    system mtu routing 1500
    udld aggressive
    no ip domain-lookup
    ip domain-name CB-DI
    login on-failure log
    login on-success log
    crypto pki trustpoint TP-self-signed-3817403392
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3817403392
    revocation-check none
    rsakeypair TP-self-signed-3817403392
    crypto pki certificate chain TP-self-signed-3817403392
    certificate self-signed 01
      removed
      quit
    archive
    log config
      logging enable
      logging size 200
      notify syslog contenttype plaintext
      hidekeys
    spanning-tree mode rapid-pvst
    spanning-tree extend system-id
    spanning-tree vlan 10 priority 8192
    vlan internal allocation policy ascending
    ip ssh version 2
    interface GigabitEthernet1/0/1
    interface GigabitEthernet1/0/24
    interface Vlan1
    description ***Default VLAN not to be used***
    no ip address
    no ip route-cache
    no ip mroute-cache
    shutdown
    interface Vlan10
    description ****
    ip address 10.10.150.11 255.255.255.0
    no ip route-cache
    no ip mroute-cache
    ip default-gateway 10.10.150.1
    ip classless
    no ip http server
    ip http secure-server
    logging trap notifications
    logging facility local4
    logging source-interface Vlan10
    logging 10.10.21.8
    logging 172.23.1.3
    access-list 23 permit 10.10.1.65
    snmp-server community transm1t! RO
    snmp-server trap-source Vlan10
    radius-server host 10.10.1.33 auth-port 1645 acct-port 1646 key 7 090D7E080D37471E48
    radius-server host 10.10.1.34 auth-port 1645 acct-port 1646 key 7 08607C4F1D2B551B51
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
    exec-timeout 60 0
    logging synchronous
    line vty 0 4
    access-class 23 in
    exec-timeout 60 0
    logging synchronous
    transport input ssh
    line vty 5 14
    access-class 23 in
    no exec
    transport input ssh
    parser view priv3
    secret 5 $1$XSCo$feyS.YaFlakfGYUgKHO/
    ! Last configuration change at 16:34:56 BST Fri Apr 13 2012
    commands interface include shutdown
    commands interface include no shutdown
    commands interface include no
    commands configure include interface
    commands exec include configure terminal
    commands exec include configure
    commands exec include show ip interface brief
    commands exec include show ip interface
    commands exec include show ip
    commands exec include show arp
    commands exec include show privilege
    commands exec include show interfaces status
    commands exec include show interfaces Vlan10 status
    commands exec include show interfaces Vlan1 status
    commands exec include show interfaces GigabitEthernet2/0/12 status
    commands exec include show interfaces GigabitEthernet2/0/11 status
    commands exec include show interfaces GigabitEthernet2/0/10 status
    commands exec include show interfaces GigabitEthernet2/0/9 status
    commands exec include show interfaces GigabitEthernet2/0/8 status
    commands exec include show interfaces GigabitEthernet2/0/7 status
    commands exec include show interfaces GigabitEthernet2/0/6 status
    commands exec include show interfaces GigabitEthernet2/0/5 status
    commands exec include show interfaces GigabitEthernet2/0/4 status
    commands exec include show interfaces GigabitEthernet2/0/3 status
    commands exec include show interfaces GigabitEthernet2/0/2 status
    commands exec include show interfaces GigabitEthernet2/0/1 status
    commands exec include show interfaces GigabitEthernet1/0/12 status
    commands exec include show interfaces GigabitEthernet1/0/11 status
    commands exec include show interfaces GigabitEthernet1/0/10 status
    commands exec include show interfaces GigabitEthernet1/0/9 status
    commands exec include show interfaces GigabitEthernet1/0/8 status
    commands exec include show interfaces GigabitEthernet1/0/7 status
    commands exec include show interfaces GigabitEthernet1/0/6 status
    commands exec include show interfaces GigabitEthernet1/0/5 status
    commands exec include show interfaces GigabitEthernet1/0/4 status
    commands exec include show interfaces GigabitEthernet1/0/3 status
    commands exec include show interfaces GigabitEthernet1/0/2 status
    commands exec include show interfaces GigabitEthernet1/0/1 status
    commands exec include show interfaces Null0 status
    commands exec include show interfaces
    commands exec include show configuration
    commands exec include show
    commands configure include interface GigabitEthernet1/0/1
    commands configure include interface GigabitEthernet1/0/2
    commands configure include interface GigabitEthernet1/0/3
    commands configure include interface GigabitEthernet1/0/4
    commands configure include interface GigabitEthernet1/0/5
    commands configure include interface GigabitEthernet1/0/6
    commands configure include interface GigabitEthernet1/0/7
    commands configure include interface GigabitEthernet1/0/8
    commands configure include interface GigabitEthernet1/0/9
    commands configure include interface GigabitEthernet1/0/10
    commands configure include interface GigabitEthernet1/0/11
    commands configure include interface GigabitEthernet1/0/12
    commands configure include interface GigabitEthernet2/0/1
    commands configure include interface GigabitEthernet2/0/2
    commands configure include interface GigabitEthernet2/0/3
    commands configure include interface GigabitEthernet2/0/4
    commands configure include interface GigabitEthernet2/0/5
    commands configure include interface GigabitEthernet2/0/6
    commands configure include interface GigabitEthernet2/0/7
    commands configure include interface GigabitEthernet2/0/8
    commands configure include interface GigabitEthernet2/0/9
    commands configure include interface GigabitEthernet2/0/10
    commands configure include interface GigabitEthernet2/0/11
    commands configure include interface GigabitEthernet2/0/12
    ntp logging
    ntp clock-period 36028961
    ntp server 10.10.1.33
    ntp server 10.10.1.34
    end
    Thanks!!!!
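The conversion the question asks for, parser view to privilege levels, as an added example that is not part of the original post. It assumes that the view maps to privilege level 3, the IOS syntax privilege <mode> level N <command>, and that the RADIUS av-pair cli-view-name=priv3 becomes shell:priv-lvl=3; the excerpt of the view block is constructed from the config above.

```python
"""Mechanically translate a 'parser view' block into IOS privilege-level
commands for a platform that has no CLI views.

Added example (not from the post). Assumptions: the view becomes level 3,
'privilege <mode> level N <command>' syntax, and on the RADIUS side
shell:priv-lvl=3 replaces cli-view-name=priv3. The output is a starting
point to review on the target switch, not a verified config.
"""
import re

# Constructed excerpt of the 'parser view priv3' block from the post.
VIEW_BLOCK = """\
parser view priv3
 secret 5 <removed>
 commands interface include shutdown
 commands interface include no shutdown
 commands interface include no
 commands configure include interface
 commands exec include configure terminal
 commands exec include configure
 commands exec include show ip interface brief
 commands exec include show ip interface
 commands exec include show ip
 commands exec include show
 commands exec include show interfaces GigabitEthernet1/0/1 status
 commands exec include show interfaces
 commands configure include interface GigabitEthernet1/0/1
"""

LINE_RE = re.compile(r"^\s*commands (\S+) include(?:-exclusive)? (.+)$")


def parse_view(text):
    """Return a list of (mode, command) tuples from a parser view block."""
    cmds = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cmds.append((m.group(1), m.group(2).strip()))
    return cmds


def drop_parent_prefixes(cmds):
    """Drop entries that are only a keyword prefix of a longer entry in the
    same mode. IOS adds these parents to a view automatically, and the
    'privilege' command derives them itself. If the view deliberately
    granted a bare parent (e.g. 'interface' for any interface), re-add it
    by hand after reviewing the output."""
    keep = []
    for mode, cmd in cmds:
        longer = any(m == mode and c != cmd and c.startswith(cmd + " ")
                     for m, c in cmds)
        if not longer:
            keep.append((mode, cmd))
    return keep


def to_privilege_config(cmds, level=3):
    """Emit deduplicated 'privilege <mode> level N <command>' lines in
    the order they appeared in the view."""
    out, seen = [], set()
    for mode, cmd in drop_parent_prefixes(cmds):
        line = f"privilege {mode} level {level} {cmd}"
        if line not in seen:
            seen.add(line)
            out.append(line)
    return out


if __name__ == "__main__":
    for cfg_line in to_privilege_config(parse_view(VIEW_BLOCK)):
        print(cfg_line)
    print("! RADIUS: replace cli-view-name=priv3 with shell:priv-lvl=3")
```

Privilege levels are cumulative (a level 3 user also gets every level 1 command) and a bare parent keyword such as interface opens every interface, whereas a view grants only what it lists, so review the generated lines on the target switch before assigning the level to users.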

    DBelt --
    Hopefully this example suffices.
    Setup
    SQL> CREATE USER test IDENTIFIED BY test;
    User created.
    SQL> GRANT CREATE SESSION TO test;
    Grant succeeded.
    SQL> GRANT CREATE PROCEDURE TO test;
    Grant succeeded.
    SQL> CREATE ROLE test_role;
    Role created.
    SQL> GRANT CREATE SEQUENCE TO test_role;
    Grant succeeded.
    SQL> GRANT test_role TO test;
    logged on as Test
    SQL> CREATE OR REPLACE PACKAGE definer_rights_test
      2  AS
      3          PROCEDURE test_sequence;
      4  END definer_rights_test;
      5  /
    Package created.
    SQL> CREATE OR REPLACE PACKAGE BODY definer_rights_test
      2  AS
      3          PROCEDURE test_sequence
      4          AS
      5          BEGIN
      6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
      7          END;
      8  END definer_rights_test;
      9  /
    Package body created.
    SQL> CREATE OR REPLACE PACKAGE invoker_rights_test
      2  AUTHID CURRENT_USER
      3  AS
      4          PROCEDURE test_sequence;
      5  END invoker_rights_test;
      6  /
    Package created.
    SQL> CREATE OR REPLACE PACKAGE BODY invoker_rights_test
      2  AS
      3          PROCEDURE test_sequence
      4          AS
      5          BEGIN
      6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
      7          END;
      8  END invoker_rights_test;
      9  /
    Package body created.
    SQL> EXEC definer_rights_test.test_sequence;
    BEGIN definer_rights_test.test_sequence; END;
    ERROR at line 1:
    ORA-01031: insufficient privileges
    ORA-06512: at "TEST.DEFINER_RIGHTS_TEST", line 7
    ORA-06512: at line 1
    SQL> EXEC invoker_rights_test.test_sequence;
    PL/SQL procedure successfully completed.
    SQL> SELECT test_seq.NEXTVAL from dual;
                 NEXTVAL
                       1

  • AAA and Role based access (NPS)

    Hi
I authenticate all my Cisco switches and routers with AAA + NPS + AD.
A server runs the NPS service with the Cisco attribute shell:priv-lvl=15 or 5, depending on the AD group.
But I'd like to configure role based access with IOS views.
When I issue the enable view command, I get
Password:
I tried with my AD password and the configured enable password, and always get
% Authentication failed
My line vty config:
    line vty 0 4
    authorization exec VTY-AAA
    login authentication VTY-AAA
    transport input ssh

Have you gone through the parser view configuration example listed below? Please check here
    View authentication is performed by an external authentication server via the new attribute "cli-view-name" so you need to use cisco-av-pair as cli-view-name=xxxx
    AAA authentication associates only one view name to a particular user; that is, only one view name can be configured for a user in an authentication server.
    In case you still have any issues, run debug parser view and share the output, I'll try to help.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • OBIEE SSO enabling and role based reporting

    Hi,
I had installed SOA10.1.3.1.0 and OBIEE10.1.3.4.0 already on my WINDOWS. I understand that I need to install 10.1.4 infrastructure to enable SSO in OBIEE; can you please tell me what 10.1.4 infrastructure is? Is it equivalent to Oracle Identity Management Infrastructure and Oracle Identity Federation 10.1.4? I tried to download this from OTN since last night, but the page is always inaccessible. Where can I download 10.1.4 infrastructure except OTN?
I have another question regarding role based reporting with SSO. We want users to see different reports based on their roles once they login. What options do we have to implement this? From my understanding, we need to maintain a user role mapping table in our database, create groups in OBIEE and map the user role with the group in OBIEE? Is it true? Are there other options? Is there an existing product we can use to implement this?
    Thanks,
    Meng

    have a look on page 137 and further http://download.oracle.com/docs/cd/E10415_01/doc/bi.1013/b31770.pdf

  • Portal and role based access

    We have a requirement to provide role based access to our portal. Employees require full portal access, partners require access to specific applications and resources, while guests should be provided access only to the Internet. People suggested SSL VPN from vendors like Array Networks, Juniper, Portwise etc.
    We are trying to kind of use our portal as a web VPN. Also we wanted to use strong access control.... Are there any ideas other than using SSL VPN's.
    -thanks

    1. You can configure your portal on HTTPS (SSL). That keeps it on secure SSL layer.
    2. Have SSO to distinguish between authenticated_users (logged in users like your employees, partners, etc) and un-authenticated_users (Guest).
    3. Use Groups for translating roles for your users. i.e., Make Groups for your users based on what you called as roles in your message.
    4. Assign access privileges available in portals for pages and portal objects according to your needs to these Groups.
I don't think VPN will be needed when you are having an extranet portal (as you hinted Internet for guests).
    You can have a darn strong access control using this mechanism.
    hope that helps!
    AMN

  • Role based authorization in initiative

    Hi,
We can assign default authorization for role types in Projects. For example, the role PM can be assigned Admin auth and the person assigned to the PM role gets the admin role.
    We want the same functionality in initiatives but it is not working. Has anyone tried DFM or any other method to solve this?
    Thanks and Regards,
    Anuradha

    Hi Anuradha,
    Thanks for the information.
We are not able to access this note, it says 'Document is not released'. Are you able to view this note?
Is this a customer-specific note?
    Regards,
    Ravi

  • BlazeDS role based authorization

    Hi,
I'm halfway through developing a POC for using Flex as the front end of our application and I'm having some security issues.
I'm using JBoss with JAAS and I figured that BlazeDS just uses the JAAS login module to perform authentication.
* Will it use JAAS for authorization too? Will EJB method-level permissions still apply?
* How can I use the Subject/Principals/Policies in the client side Flex application to inflict some UI restrictions on unauthorized operations?
    Thanks,
    Eyal

    Hey Jiby,
    I already posted this question to the forum http://swforum.sun.com/jive/thread.jspa?threadID=44893&tstart=15 prior to opening this ticket with Sun
    Regards
    Matthew Key

  • Resource Based Authorization sample program and application

Recently I have studied the types of authorization and I also did some samples for role based authorization. Now I am looking for resource based authorization; the sad thing is that I was not able to understand the concept.
So I am looking for a sample application and C# program.
I just want to know the concept of resource based authorization and also the sample application file and C# coding file.
    Please provide me the sample.
    Thanks in Advance. 

    Hi,
TechNet forums are dedicated to technologies. Since you are looking more for the concept, you should check for blogs on the Internet (try Google...).
    Otherwise please refer to TechNet forums homepage and look for your technology (C# for instance).
    Hope this helps.
    Guillaume Rouyre - MBA, MCP, MCTS

  • OIM 11.1.1.5 provisioning role based objectclasses and attributes

    TL;DR You can't provision some attributes in our LDAP directory without the objectclass and I can't figure out the best way to inject the dynamic objectclasses into the create user process without the user being created already.
    Some background:
    I have configured our oim 11.1.1.5 instance and LDAP connector to provision ODSEE.  At another's recommendation, I put all possible LDAP attributes in a single form regardless of which objectclass was needed for them.  In ODSEE, sets of attributes are allowed through objectclasses for each 'Role'.  ie. Student, Employee, Guest, etc objectclasses.  I have all of the roles identified in OIM and can map them to an objectclass in LDAP
    My question is, how can I provision role based objectclasses along with the common ones that are configured in the lookup so that when the associated attributes are provisioned, I don't get objectclass violations? 
    Can I append objectclasses to the list stored in the Configuration lookup in ldapUserObjectClass?
    Should I create a child form containing the objectclasses and try to provision them?
    Can/should I create a child form for each set of attributes by role?  Common attribs in the LDAP_USR form and role based attribs in UD_LDAP_STU, UD_LDAP_EMP, UD_LDAP_GST, etc.  Would prepop and the rest of the main form functions work the same?
    Anything else I'm not thinking of? I am still a novice with some of these topics and may be way off base.
    Any help will be greatly appreciated and thank you in advance

    It is definitely doable if you use a custom LDAP connection implementation and just add objectclass update calls as needed as precursor tasks for the Update tasks.
    Here is a small LDAP demo tool that you can adapt to do the update: http://iamreflections.blogspot.com/2010/08/manage-ad-with-jndi-demo-tool.html
    There may be a smarter and more out of the box way to do it but this will work.
    Martin

  • Open source role based framework

    We have an application which is using :-
    1) spring framework/j2ee code at the backend
    2) while the front end is comprised of Adobe flex and action script. The app is web based.
    A need of the application at the moment is for a role based authorization framework, based on which a decision can be made as to which widgets/tabs/screens should be visible to the user and which should be hidden from him.
Wanted to know
1) if somebody was willing to share some of his experiences on a similar project;
2) has found an existing framework, open source or otherwise, helpful;
3) would recommend one architecture over the other;
4) or anything else he would think might be beneficial to know.
    Thanks

    Most app servers have some built in container managed security (for example Tomcat Realms) which may or may not meet your requirements.
