The command, feature, and feature group parameters create a hierarchical relationship. The most basic control
parameter is the command. The next control parameter is the feature, which represents all commands associated
with the feature. The last control parameter is the feature group. The feature group combines related features
and allows you to easily manage the rules. The Cisco NX-OS software also supports the predefined feature
group L3 that you can use.
You can configure up to 256 rules for each role. The user-specified rule number determines the order in which
the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is
applied before rule 2, which is applied before rule 1.
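The ordering described above, as an added example that is not part of the Cisco guide: a small audit script that walks each role's command rules from the highest number down and reports any rule that can never take effect because a higher-numbered rule with the opposite action already covers it. The role names and sample configuration are constructed. Three things are assumptions not stated on this page: the first matching rule decides the outcome, `*` in a command rule behaves like a glob, and only `command` rules are modelled.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample configuration; role names are hypothetical.
SAMPLE = """\
role name audit-weak
  rule 2 permit command show *
  rule 1 deny command show running-config
role name audit-fixed
  rule 2 deny command show running-config
  rule 1 permit command show *
"""

ROLE_RE = re.compile(r"^\s*role\s+name\s+(\S+)\s*$")
RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\s+command\s+(.+?)\s*$")

def parse_roles(text):
    """Return {role: [(number, action, pattern), ...]} for command rules."""
    roles, current = {}, None
    for line in text.splitlines():
        if m := ROLE_RE.match(line):
            current = roles.setdefault(m.group(1), [])
        elif (m := RULE_RE.match(line)) and current is not None:
            current.append((int(m.group(1)), m.group(2), m.group(3)))
    return roles

def decide(rules, command):
    """Walk rules from highest number to lowest; first match decides (assumed)."""
    for number, action, pattern in sorted(rules, reverse=True):
        if fnmatchcase(command, pattern):  # assumed: '*' behaves like a glob
            return action, number
    return None, None  # no rule matched; the role's defaults are not modelled

def shadowed_rules(rules):
    """Return (rule, shadowing_rule) pairs for rules that can never take effect."""
    ordered = sorted(rules, reverse=True)
    findings = []
    for i, (num, action, pattern) in enumerate(ordered):
        for hi_num, hi_action, hi_pattern in ordered[:i]:
            # A higher-numbered rule with the opposite action covers this pattern.
            if hi_action != action and fnmatchcase(pattern, hi_pattern):
                findings.append((num, hi_num))
                break
    return findings

def audit(text):
    return {role: shadowed_rules(rules) for role, rules in parse_roles(text).items()}
```

In `audit-weak` the deny is numbered below the broad permit, so it is reported as shadowed; `audit-fixed` gives the specific deny the higher number so that it is applied first.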
Licensing Requirements for User Accounts and RBAC
The following table shows the licensing requirements for this feature:
Product: Cisco NX-OS
License Requirement: User accounts and RBAC require no license. Any feature not included in a license package
is bundled with the nx-os image and is provided at no extra charge to you. For an explanation
of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
Guidelines and Limitations for User Accounts and RBAC
User accounts and RBAC have the following configuration guidelines and limitations:
• You can add up to 256 rules to a user role.
• You can add up to 64 user-defined feature groups in addition to the default feature group, L3.
• You can configure up to 256 users.
• You can assign a maximum of 64 user roles to a user account.
• If you have a user account configured on the local Cisco NX-OS device that has the same name as a
remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local
user account to the remote user, not the user roles configured on the AAA server.
• You cannot delete the default admin and SNMP user accounts.
• You cannot remove the default user roles from the default admin user accounts.
• The network-operator role cannot run the show running-config and show startup-config commands.
• The Cisco Nexus 9000 Series switches support a single VDC, so the vdc-admin has the same
privileges and limitations as the network-admin.
Note: If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might
differ from the Cisco IOS commands that you would use.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Configuring User Accounts and RBAC