Dell Networking SONiC User Role-Based Access Control

Summary: This article explains about Role-Based Access Control in Dell Networking SONiC.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

What is Role-based access control?

Role-based access control (RBAC) provides control for access and authorization. Users are granted permission based on defined roles. The administrator can create user roles that are based on job functions to allow users appropriate system access.

RBAC places limitations on each role’s permissions to allow you to partition tasks.
A user role authenticates and authorizes a user at login and places the user in EXEC mode.
Each user role assigns permissions that determine the commands a user can enter, and the actions a user can perform. RBAC provides an efficient way to administer user rights.



User Roles available in Dell Networking SONiC

Roles Permission
Admin The Admin user has full read/write access to the system. This means it has full access to all show commands, Linux shell, and configuration. 
Operator The operator has only limited read access to the system. This means it has access to some show commands however cannot perform any configuration in the switch.
 
NOTE: From Dell SONiC 4.1, two new user roles are introduced, and the same user can have multiple roles.
 
Roles Permission
Secadmin The secadmin user has access to all security-related commands in the system.
Netadmin The netadmin user has access to the configuration features that manage traffic flowing through the switch.



Configuration Syntax:

Configuration Explanation
admin@DELLSONiC:~$ sonic-cli Enter Dell SONiC CLI
DELLSONiC# configure terminal Enter configuration mode.
DELLSONiC(config)# username <username> password <password> role <admin/operator/secadmin/netadmin> Configure a username, password, and role. 


To verify the role of the user configured, use the command show users configured. This command shows locally configured and remote users which have logged into the switch. The switch will not store remote users password.
 
Sample Output 
DELLSONiC # show users configured
----------------------------------------------------------------------
User                              Role(s)
----------------------------------------------------------------------
admin1                            admin
oper                              operator

From Dell SONiC 4.1, we can configure multiple roles to a single user. Below is an example of how to configure multiple roles to a single user: 
DELLSONiC (config)# username testuser password testuser role operator,netadmin,secadmin
DELLSONiC(config)# exit

DELLSONiC # show users configured
----------------------------------------------------------------------
User                              Role(s)
----------------------------------------------------------------------
testuser                          netadmin,operator,secadmin


 

Example

To explain the user roles, we are creating two users with different roles:

  • User oper is assigned an operator role
  • User admin1 is assigned an admin role

Sample Configuration 
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# username oper password oper role operator
DELLSONiC(config)# username admin1 password admin1 role admin
 


Login with oper which is the Operator role.

NOTE: When logging in as operator, secadmin, or netadmin user, we are placed in Dell Management Framework CLI.

Let us log in to the switch as user oper, who has the operator role. We can use " ? " to see the commands supported in a user role in a specific mode.

Sample output 
sonic login: oper
Password:
Linux sonic 5.10.0-8-2-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64
You are on
  ____   ___  _   _ _  ____
/ ___| / _ \| \ | (_)/ ___|
\___ \| | | |  \| | | |
  ___) | |_| | |\  | | |___
|____/ \___/|_| \_|_|\____|

-- Software for Open Networking in the Cloud --

Unauthorized access and/or use are prohibited.
All access and/or use are subject to monitoring.

Help:    http://azure.github.io/SONiC/

sonic# ?
  copy         Perform file operations
  delete       Delete the file from local filesystem
  dir          Show folder contents
  exit         Exit from the CLI
  ls           Show folder contents
  ping         Send ICMP ECHO_REQUEST to network hosts
  ping6        Send ICMPv6 ECHO_REQUEST to network hosts
  show         Display running system information
  terminal     Set terminal settings
  traceroute   Print the route packets take to the host
  traceroute6  Print the route packets take to the IPv6 host
User oper has an operator role. The operator only has read access to the system; hence user oper cannot do any configuration. Also, the operator cannot run all show commands like an admin user.

 
NOTE: On Dell Networking SONiC 4.0.5 and earlier versions, a user with the Operator role could enter configuration mode. But any command performed on configure mode is denied.

Sample Output

Below sample outputs shows that config mode is accessible for a user with operator role in 4.0.5. However the user cannot do any configuration change 
DELLSONiC# show version | grep Soft
Software Version  : 4.0.5-Enterprise_Base

DELLSONiC# configure
DELLSONiC(config)# interface-naming standard 
% Error: Client is not authorized to perform this operation
DELLSONiC(config)# hostname test
% Error: Client is not authorized to perform this operation
DELLSONiC(config)# exit
DELLSONiC# clear logging 
DELLSONiC# show logging count

DELLSONiC# show users
oper     ttyS0        2023-08-02 21:03

 

This behavior is modified in 4.1, where a operator role user is denied from entering configure mode.

DELLSONiC# show version | grep Soft
Software Version  : 4.1.0-Enterprise_Base

DELLSONiC# configure
         ^
% Error: Invalid input detected at "^" marker.

DELLSONiC# show users 
oper ttyS0 2023-08-02 22:10



Login with admin1 which is the Administrator role.

NOTE: When logging as admin user, we are placed in the Linux shell. The prompt is admin@sonic:~$. We have to use the command sonic-cli to access the Dell Management Framework CLI.

Sample Output 
Debian GNU/Linux 10 DELLSONiC ttyS0

DELLSONiC login: admin1
Password: 
admin1@DELLSONiC:~$ sonic-cli
DELLSONiC# show version | grep Soft
Software Version  : 4.0.5-Enterprise_Base

DELLSONiC# show audit-log
Aug 02 21:06:01.052692+00:00 2023 DELLSONiC INFO mgmt-framework#clish[146]: User "admin1" command "startup" status - success
Aug 02 21:05:53.366544+00:00 2023 DELLSONiC INFO login[27960]: pam_unix(login:session): session opened for user admin1 by LOGIN(uid=0)
Aug 02 21:05:46.787657+00:00 2023 DELLSONiC INFO systemd[1]: Stopped Serial Getty on ttyS0.
Aug 02 21:05:46.203662+00:00 2023 DELLSONiC INFO login[4203]: pam_unix(login:session): session closed for user oper
Aug 02 21:05:45.855977+00:00 2023 DELLSONiC INFO mgmt-framework#clish[134]: User "oper" command "exit" status - success
Aug 02 21:05:09.966551+00:00 2023 DELLSONiC INFO mgmt-framework#clish[134]: User "oper" command "show users" status - success
Aug 02 21:04:52.730615+00:00 2023 DELLSONiC INFO mgmt-framework#clish[134]: User "oper" command "show audit-log" status - failure
Aug 02 21:04:46.843617+00:00 2023 DELLSONiC INFO mgmt-framework#clish[134]: User "oper" command "show logging count" status - success
Aug 02 21:04:43.031486+00:00 2023 DELLSONiC INFO mgmt-framework#clish[134]: User "oper" command "clear logging" status - success
Aug 02 21:04:39.074016+00:00 2023 DELLSONiC INFO mgmt-framework#clish[134]: User "oper" command "exit" status - success
Aug 02 21:04:26.504755+00:00 2023 DELLSONiC INFO mgmt-framework#clish[134]: User "oper" command "hostname DeLLSoNiC" status - failure
Aug 02 21:04:11.674915+00:00 2023 DELLSONiC INFO mgmt-framework#clish[134]: User "oper" command "interface-naming standard" status - failure



Login with the wrong credentials:

Now let us log in with the wrong credentials for the admin1 user who has the Administrator role.

Sample Output 
DELLSONiC login: admin1
Password:                            ==========>Wrong password is given

Login incorrect
DELLSONiC login: admin1
Password: 
Last login: Wed Aug  2 21:05:53 UTC 2023 on ttyS0
Linux DELLSONiC 4.19.0-9-2-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
You are on
  ____   ___  _   _ _  ____
/ ___| / _ \| \ | (_)/ ___|
\___ \| | | |  \| | | |
  ___) | |_| | |\  | | |___
|____/ \___/|_| \_|_|\____|

-- Software for Open Networking in the Cloud --

Unauthorized access and/or use are prohibited.
All access and/or use are subject to monitoring.

Help:    http://azure.github.io/SONiC/
**Note the login failure for admin1
admin1@DELLSONiC:~$ sonic-cli

DELLSONiC# show audit-log
Aug 02 21:07:28.896480+00:00 2023 DELLSONiC INFO mgmt-framework#clish[155]: User "admin1" command "startup" status - success
Aug 02 21:07:20.219496+00:00 2023 DELLSONiC INFO login[7169]: pam_unix(login:session): session opened for user admin1 by LOGIN(uid=0)
Aug 02 21:07:12.635575+00:00 2023 DELLSONiC NOTICE login[7169]: FAILED LOGIN (1) on '/dev/ttyS0' FOR 'admin1', Authentication failure
Aug 02 21:07:08.763918+00:00 2023 DELLSONiC NOTICE login[7169]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/ttyS0 ruser= rhost=  user=admin1

Affected Products

Enterprise SONiC Distribution, PowerSwitch E3200-ON Series, Dell EMC Networking N3200-ON, PowerSwitch S5212F-ON, PowerSwitch S5224F-ON, PowerSwitch S5232F-ON, PowerSwitch S5248F-ON, PowerSwitch S5296F-ON, PowerSwitch Z9100-ON, PowerSwitch Z9264F-ON , PowerSwitch Z9332F-ON, PowerSwitch Z9432F-ON ...
Article Properties
Article Number: 000216535
Article Type: How To
Last Modified: 19 Sep 2023
Version:  8
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.