openconfig / public

Repository for publishing OpenConfig models, documentation, and other material for the community.
Apache License 2.0

Openconfig-aaa role supports only one role. Should support multiple roles in a list #243

Closed apathak1990 closed 3 weeks ago

apathak1990 commented 5 years ago

Hi, currently OC-AAA is defined to support only one role per user: https://github.com/openconfig/public/blob/master/release/models/system/openconfig-aaa.yang#L374

There can be a use case where a single user can be given multiple roles for network administration. It's seen commonly on routing/switching devices.

For example: username root group root-lr group sysadmin group netadmin group tac_support

So, I feel the role leaf should not be of type string; it should be a list rather than a string.

Please share your views

-Avinash

aashaikh commented 5 years ago

We can look into this. Can you please share the relevant config examples on platforms that support this?

The root user example is a bit odd to me since I would expect that further role specification would be redundant.

apathak1990 commented 5 years ago

Hi Anees, please see this example:

username support group netadmin group operator group maintenance group serviceadmin password 7 00170616145419125E731F !

Below are the supported options present on the platforms. Also, platforms have a provision to create customized user groups which can be associated with a username, like below:

tac-support   tac support personnel
maintenance   Maintenance group
netadmin      Network administrators group
operator      Operator group
provisioning  Provisioning group
retrieve      Retrieve group
root-lr       Root LR group
serviceadmin  Service administrators group
sysadmin      System administrators group
WORD          Name of the user group

-Avinash

aashaikh commented 5 years ago

Thank you for adding the example for Cisco (IOS-XR?). I was looking more specifically for examples of how this feature is supported on other major (non-Cisco) platforms. That would help us ensure there is some interoperability if we add this to the base model.

exa-arrcus commented 5 years ago

POSIX users can have a 1:many user/group relationship; however, IMO for other network access control implementations this is generally a 1:1 relationship between a user and a group/role/class, where permission definitions are abstracted within that group definition, but no more than one group is bound to any user at a time.

e.g. JUNOS/EOS have a 1:1 user mapping to a class/role.
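The "username ... group ... group ..." syntax quoted earlier in this issue and the 1:1 versus 1:many mapping discussed above, as an added Python example (not code from the openconfig/public repository): it parses the IOS-XR-style line into a list of groups, shows what survives in the current single-string role leaf versus the proposed list, and computes the union of the groups' permissions. The permission sets and the config layout are assumptions made for illustration.

```python
# Added illustration, not code from openconfig/public; permissions and layout are assumed.

# Constructed sample line in the IOS-XR style quoted in the issue; the hash is made up.
SAMPLE_LINE = ("username support group netadmin group operator group maintenance "
               "group serviceadmin password 7 0123456789ABCDEF !")

# Hypothetical per-group permission sets; on a real device these live inside the
# group definition, which is why the model only needs to name the group.
GROUP_PERMISSIONS = {
    "netadmin": {"configure-interfaces", "show-running"},
    "operator": {"show-running", "ping"},
    "maintenance": {"show-running", "reload"},
    "serviceadmin": {"configure-services"},
}

def parse_username_line(line):
    """Return (username, [groups]) from 'username NAME group G [group G ...] ...'.
    Parsing stops at 'password' so secret material never reaches the model."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "username":
        raise ValueError("not a username line: %r" % line)
    groups, i = [], 2
    while i < len(tokens) and tokens[i] != "password":
        if tokens[i] == "group" and i + 1 < len(tokens):
            groups.append(tokens[i + 1])
            i += 2
        else:
            i += 1
    return tokens[1], groups

def to_openconfig_user(username, groups, multi_role):
    """Shape the user as an openconfig-aaa style config dict (layout approximated).
    multi_role=False mirrors the current single string 'role' leaf: only the first
    group fits and the rest are silently dropped, the loss this issue raises.
    multi_role=True is the proposed list shape and keeps every group."""
    role = list(groups) if multi_role else (groups[0] if groups else None)
    return {"username": username, "config": {"username": username, "role": role}}

def effective_permissions(groups):
    """Union of the groups' permissions: what a multi-group user can actually do."""
    perms = set()
    for group in groups:
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms

if __name__ == "__main__":
    name, groups = parse_username_line(SAMPLE_LINE)
    print(to_openconfig_user(name, groups, multi_role=False))
    print(to_openconfig_user(name, groups, multi_role=True))
    print(sorted(effective_permissions(groups)))
```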

github-actions[bot] commented 2 months ago

This issue is stale because it has been open 180 days with no activity. If you wish to keep this issue active, please remove the stale label or add a comment; otherwise it will be closed in 14 days.