=====
Login
=====

In this chapter, you can find all the available commands to customize
login-related features, such as ``users``, ``roles`` or the different
mechanisms available to log in, like ``tacacs`` or ``radius``.

Users and roles
===============

OSDx allows the creation of new users with different levels of
privilege. These levels are called ``roles``, and there are some
predefined ones that cover the most common cases:

+----------+-------+--------------------------------------------------------+
| Role     | Level | Actions allowed                                        |
+==========+=======+========================================================+
| monitor  | 0     | Run some basic operational commands (e.g., show tree). |
+----------+-------+--------------------------------------------------------+
| operator | 5     | Run almost all operational commands.                   |
+----------+-------+--------------------------------------------------------+
| admin    | 15    | Run all commands and access the configuration menu.    |
+----------+-------+--------------------------------------------------------+

The *level* attribute sets the privilege level of a role. The higher it
is, the more privileges a role grants. The maximum level is 15 and it is
reserved for the ``admin`` role.

The ``admin`` user is configured by default in OSDx and assigned to the
``admin`` role. There must always be at least one user configured with
the ``admin`` role. Therefore, if the default ``admin`` user is deleted,
a new one has to be created and assigned to the ``admin`` role.
Otherwise, the commit process will return a validation error.

.. warning::

   Please remember the importance of choosing a strong password,
   especially for those users that are assigned to the ``admin`` role.

Apart from the aforementioned roles, new ones can be created by issuing
the following command: :osdx:cfg:`system login role * level *`. There
can only be one role for a given level; therefore, levels 0, 5 and 15,
already taken by the predefined roles, are forbidden.

Users can only be assigned to a single role and, whenever that
configuration changes, affected sessions are automatically closed to
prevent security issues.

The *parameters* attribute holds the system login settings. It includes:

* *idle-timeout*
* *max-auth-tries*
* *max-sessions*
* *password-prompt-delay*
* *unlock-time*
* *user-min-length*: the minimum length of the user name, 1 by default.
* *no-reuse-passwords*: configures a history of passwords so that they
  cannot be repeated when changing the current password. When it is
  configured, a record is created for each user to store previously used
  passwords. When a user is deleted, their record is removed too, and
  when the parameter is deleted, all records are removed. This parameter
  includes:

  * *max-age*: to set the maximum number of days passwords should be
    stored.
  * *max-passwords*: to set the maximum number of passwords to store,
    100 by default.

:doc:`Here `, you will find more information about user-levels.

.. osdx:cmdtree:: cfg
   :maxdepth: 2

   system login
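The following sketch is an added example, not OSDx code: it models the *no-reuse-passwords* behaviour described above (one record per user, pruning by *max-age* and *max-passwords*, cleanup when a user or the parameter is deleted). The class and method names, the salted PBKDF2 storage and the choice to keep the current password in the history are assumptions.

```python
import hashlib
import hmac
import os
from datetime import timedelta


class PasswordHistory:
    """Illustrative model of a per-user password history (not OSDx code)."""

    def __init__(self, max_passwords=100, max_age_days=None):
        self.max_passwords = max_passwords  # assumed to be >= 1
        self.max_age = None if max_age_days is None else timedelta(days=max_age_days)
        self.records = {}  # user -> [(stored_at, salt, digest)], oldest first

    @staticmethod
    def _digest(password, salt):
        # Assumed storage format: salted PBKDF2, never the clear-text password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _prune(self, user, now):
        """Drop entries older than max-age, then keep the newest max-passwords."""
        entries = self.records.get(user, [])
        if self.max_age is not None:
            entries = [e for e in entries if now - e[0] <= self.max_age]
        entries = entries[-self.max_passwords:]
        if user in self.records:
            self.records[user] = entries
        return entries

    def is_reused(self, user, candidate, now):
        # Salts differ per entry: re-hash the candidate for each, compare in constant time.
        return any(hmac.compare_digest(self._digest(candidate, salt), digest)
                   for _, salt, digest in self._prune(user, now))

    def change_password(self, user, new_password, now):
        """Return False and store nothing if the password is still in the history."""
        if self.is_reused(user, new_password, now):
            return False
        salt = os.urandom(16)
        record = self.records.setdefault(user, [])
        record.append((now, salt, self._digest(new_password, salt)))
        self._prune(user, now)
        return True

    def delete_user(self, user):
        self.records.pop(user, None)  # deleting a user removes their record

    def delete_parameter(self):
        self.records.clear()  # deleting no-reuse-passwords removes all records
```

With a small *max-passwords* value, an old password becomes reusable as soon as enough newer ones have pushed it out of the record, so the effective protection is the smaller of the two limits.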