User accounts and roles

Each user must be logged on through an account, and each account is identified by the following configuration parameters:

The following account policies represent the system default configuration. Users with the Security role can change the default policies.

User name

A user name uniquely identifies a single account, according to the account type:

  • Locally managed accounts — The user name must consist of 1 to 64 alphanumeric characters.
  • LDAP-managed accounts — The user name must follow the rules of the Lightweight Directory Access Protocol (LDAP) server.

Role

The role associated with a user account defines the level of access that the user has to the features on this device. For example, Administrators can create accounts, but Observers cannot.

A user with the Security or the Administrator role can assign one of the following roles to a user:

The macro unmigrated-inline-wiki-markup from Confluence is no longer available.

The levels of access provided by the roles are cumulative — that is, starting from the most restricted role, access at each successive access level has the preceding level of access plus the additional access afforded by the role, as shown in the following matrix. Throughout this documentation, whenever a product feature or capability is attributed to a role, the feature or capability is also available in the higher access levels.

Roles and access matrix

The macro unmigrated-inline-wiki-markup from Confluence is no longer available.

Password

Passwords are initially set by an Administrator and can be updated by the account owner. For security protection, users with the Security role can configure the device to force users to change their passwords the first time they log on. Users with the Security role can also configure the device to expire passwords after a specified period of account inactivity.

Note

Password expiration does not affect the Security account or access to the CLI.

By default, the system applies simple password validation rules. The system checks such passwords only for length (minimum 6 characters).

If your organization requires stronger passwords, the Security role can enable the strict password rule. When the strict password rule is enabled, the system prompts users who try to log on with simple passwords to change their password.

A strict password must have:

  • Minimum of 10 characters
  • Two noncontiguous nonalphabetic characters from the following set:
     0 1 2 3 4 5 6 7 8 9 ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ' | { } ~ `
Examples of strict passwords
  • mypassword — Invalid; does not have nonalphabetic characters
  • pas$$w#rd — Invalid; has too few characters
  • mypa$$w#rd — Valid

A password can also contain a "space" character. All passwords are case sensitive.

Related topics

User-permissions
Creating-a-local-account
Creating-an-LDAP-managed-account
LDAP-accounts

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*