=====
Login
=====

In this chapter, you can find all the available commands to
customize login-related features, such as ``users``, ``roles``
or the different mechanisms available to log-in, like ``tacacs``
or ``radius``.


Users and roles
===============

OSDx allows the creation of new users with different level of privileges.
These different levels are called ``roles`` and there are some predefined
ones that restrict the most common cases:


  +----------+-------+--------------------------------------------------------+
  | Role     | Level | Actions allowed                                        |
  +==========+=======+========================================================+
  | monitor  | 0     | Run some basic operational commands (e.g., show tree). |
  +----------+-------+--------------------------------------------------------+
  | operator | 5     | Run almost all operational commands.                   |
  +----------+-------+--------------------------------------------------------+
  | admin    | 15    | Run all commands and access the configuration menu.    |
  +----------+-------+--------------------------------------------------------+

The *level* attribute sets the privilege level of a role. The higher it is, the
more privileges a role grants. The maximum level is 15 and it is reserved for
the ``admin`` role.

The ``admin`` user is configured by default in OSDx and assigned to the
``admin`` role. There must always be at least one user configured with the
``admin`` role. Therefore, if the default ``admin`` user is deleted, a new
one has to be created and assigned to the ``admin`` role. Otherwise, the
commit process will return a validation error.

.. warning:: Please, remember the importance of choosing strong password,
    specially for those users that are assigned to the ``admin`` role.

Apart from the afforementioned roles, new ones can be created by issuing
the following command: :osdx:cfg:`system login role * level *`.

There can only be one role for a given level; therefore, levels 0, 5 and 15
are forbidden.

Users can only be assigned to a single role and whenever that configuration
changes, affected sessions are automatically closed to prevent security issues.

:doc:`Here </articles/system/user-level/index>`, you will find more information about user-levels.

.. osdx:cmdtree:: cfg
  :maxdepth: 2

  system login