Roles

Role-based administration (RBA) lets you create administrative roles for users. With RBA, an administrator can allow Gaia users to access specified features by including those features in a role and assigning that role to users. Each role can include a combination of administrative (read/write) access to some features, monitoring (read‑only) access to other features, and no access to other features.

You can also specify, which access mechanisms (Gaia Portal, or Gaia Clish) are available to the user.

Note - When users log in to the Gaia Portal, they see only those features, to which they have read-only or read/write access. If they have read-only access to a feature, they can see the settings pages, but cannot change the settings.

Gaia includes these predefined roles:

adminRole - Gives the user read/write access to all features.
monitorRole - Gives the user read-only access to all features.

You cannot delete or change the predefined roles.

Note - Do not define a new user for external users. An external user is one that is defined on an authentication server (such as RADIUS or TACACS) and not on the local Gaia system.

Configuring Roles - Gaia Portal

Roles are defined in the User Management > Roles page of the Gaia Portal.

To see a list of existing roles, select User Management > Roles in the navigation tree.

To add new role:

Step	Description
1	In the navigation tree, click User Management > Roles.
2	Click Add.
3	In the Role Name field, enter the desired name. The role name must start with a letter and can be a combination of letters, numbers and the underscore (_) character.
4	On the Features tab: In the R/W column, click the Ñ icon near the feature you wish to configure in this role and select the permission: None, Read Only, or Read / Write. Important - A user with Read/Write permission to the User Management feature can change a user password, including that of the admin user. Be careful when assigning roles that include this permission. See the List of available Features in roles.
5	On the Extended Commands tab: Select the commands you wish to configure in this role. To select several commands: Press and hold the Ctrl key on the keyboard. Left-click the applicable commands (in the Name, Description, or Path column). The selected commands become highlighted. In the top right corner, select the option Check selected as. The checkboxes of the selected commands become checked. To clear several selected commands: Press and hold the Ctrl key on the keyboard. Left-click the applicable commands (in the Name, Description, or Path column). The selected commands become highlighted. In the top right corner, clear the option Check selected as. The checkboxes of the selected commands become cleared. See the List of available Extended Commands in roles.
6	Click OK.

To change features and commands in an existing role:

Step	Description
1	In the navigation tree, click User Management > Roles.
2	Select the role.
3	Click Edit.
4	On the Features tab: In the R/W column, click the Ñ icon near the feature you wish to configure in this role and select the permission: None, Read Only, or Read / Write. Important - A user with Read/Write permission to the User Management feature can change a user password, including that of the admin user. Be careful when assigning roles that include this permission
5	On the Extended Commands tab: Select the commands you wish to configure in this role. To select several commands: Press and hold the Ctrl key on the keyboard. Left-click the applicable commands (in the Name, Description, or Path column). The selected commands become highlighted. In the top right corner, select the option Check selected as. The checkboxes of the selected commands become checked. To clear several selected commands: Press and hold the Ctrl key on the keyboard. Left-click the applicable commands (in the Name, Description, or Path column). The selected commands become highlighted. In the top right corner, clear the option Check selected as. The checkboxes of the selected commands become cleared.
6	Click OK.

To delete a role:

Step	Description
1	In the navigation tree, click User Management > Roles.
2	Select the role.
3	Click Delete.
4	Click OK to confirm.

Note - You cannot delete the adminRole, or monitorRole default roles.

To assign users to a role:

Step	Description
1	In the navigation tree, click User Management > Roles.
2	Select the role.
3	Click Assign Members.
4	In the Available Users list, left-click the user you wish to add to the role. To select several users: Press and hold the Ctrl key on the keyboard. Left-click the applicable commands. The selected users become highlighted.
5	Click Add >. The selected users move to the Users with Role list.
6	Click OK.

To remove users from a role:

Step	Description
1	In the navigation tree, click User Management > Roles.
2	Select the role.
3	Click Assign Members.
4	In the Users with Role list, left-click the user you wish to remove from the role. To select several users: Press and hold the Ctrl key on the keyboard. Left-click the applicable commands. The selected users become highlighted.
5	Click Remove >. The selected users move to the Available Users list.
6	Click OK.

Note - You can assign a user to many roles from the Users page.

Configuring Roles - Gaia Clish

Description

Add, change, or delete roles.
Add or remove users to or from existing roles.
Add or remove access mechanism permissions for a specified user.

Syntax

To add an RBA role:
add rba role <New Role Name> domain-type System

all-features

readonly-features <List of RO Features>

readwrite-features <List of RW Features>}

Note - You can add readonly-features and readwrite-features in the same command.
To choose which VSX Virtual Systems this role can access:
add rba role <Existing Role Name>

virtual-system-access 0

virtual-system-access all

virtual-system-access VSID1,VSID2,...,VSIDn
To assign Gaia access mechanisms to a user:
add rba user <User Name>

access-mechanisms Web-UI

access-mechanisms CLI

access-mechanisms Web-UI,CLI
To assign an RBA role to a user:
add rba user <User Name> roles <Role1,Role2,...,RoleN>
To delete an entire RBA role:
delete rba role <Role Name>
To delete features from an RBA role:
delete rba role <Role Name>

readonly-features <List of RO Features>

readwrite-features <List of RW Features>

Note - You can delete readonly-features and readwrite-features in the same command.
To remove Gaia access mechanisms from a user:
delete rba user <User Name>

access-mechanisms Web-UI

access-mechanisms CLI

access-mechanisms Web-UI,CLI
To remove an RBA role from a user:
delete rba user <User Name> roles <Role1,Role2,...,RoleN>

Parameters

Parameter	Description
`role <`Role Name`>`	Role name as a character string that contains letters, numbers or the underscore (_) character. The role name must start with a letter.
`domain-type System`	Reserved for future use.
`virtual-system-access {0 \| all \|` VSID1`,`VSID2`,...,`VSIDn`}`	Specifies which VSX Virtual Systems this role can access: `0` - Access only to VSX itself (VS0). `all` - Access to allVirtual Systems. `VSID1,VSID2,...,VSIDn` - Access only to specified Virtual Systems. This is a comma separated list of Virtual Systems IDs (spaces are not allowed in this syntax).
`all-features`	Grants read-write permissions to all features. Important - This role is equivalent to admin role!
`readonly-features <`List of RO Features`>`	Comma separated list of Gaia features that have read-only permissions in the specified role. See the List of available features and List of available Extended Commands in roles. Notes: Press <SPACE><TAB> to see the list of available features. You can add read-only and read-write feature lists in the same `add rba role <Role Name> domain-type System ...` command.
`readwrite-features <`List of RW Features`>`	Comma separated list of Gaia features that have read-write permissions in the specified role. See the List of available features and List of available Extended Commands in roles. Notes: Press <SPACE><TAB> to see the list of available features. You can add read-only and read-write feature lists in the same `add rba role <Role Name> domain-type System ...` command. Important - A user with read/write permission to the user feature can change a user password, including that of the `admin` user. Be careful when assigning roles that include this permission!
`user <`User Name`>`	User, to which access mechanism permissions and roles are assigned.
`roles <`Role1,Role2,...,RoleN`>`	Comma separated list of role names that are assigned to or removed from the specified user (spaces are not allowed in this syntax).
`access-mechanisms {Web-UI \| CLI \| Web-UI,CLI}`	Defines the access mechanisms that users can work with to manage Gaia: `Web-UI` - Access only to Gaia Portal `CLI` - Access only to Gaia Clish `Web-UI,CLI` - Access to both Gaia Portal and Gaia Clish (spaces are not allowed in this syntax)

Examples

add rba role NewRole domain-type System readonly-features vpn,ospf,rba readwrite-features tag

add rba user Paul access-mechanisms CLI,WebUI

add rba user Daly roles NewRole,adminRole

delete rba role NewRole

delete rba user Daly roles adminRole

Notes:

There are no set commands for configures roles.
You cannot delete the adminRole, or monitorRole default roles.
On Security Groups, you must run these commands in gClish.