
User Management

Table 1 User View

| Command | Purpose |
|---|---|
| show user policy | Show password strength enhancement policy. |
| show login policy | Show login security protection policy. |
| show privilege view view_name [COMMAND] | Show the privilege level of configuration views or commands. |
| show privilege rule | Show command privilege level rules. |

[Command] show user policy

[Purpose] Show password strength enhancement policy.

[View] Privileged User View

[Use Cases]

sonic-232# show user policy
STATE     EXPIRATION    EXPIRATION WARNING    HISTORY CNT    LEN MIN    REJECT USER PASSW MATCH    LOWER CLASS    UPPER CLASS    DIGITS CLASS    SPECIAL CLASS
--------  ------------  --------------------  -------------  ---------  -------------------------  -------------  -------------  --------------  ---------------
disabled  30            15                    10             8          true                       true           true           true            true

[Command] show login policy

[Purpose] Show login security protection policy.

[View] Privileged User View

[Use Cases]

sonic# show login policy
+---------+---------------+-------------+---------------------+
| State   | Retry count   | Lock time   | Session hold time   |
+=========+===============+=============+=====================+
| disable | 3             | 300         | 600                 |
+---------+---------------+-------------+---------------------+

[Command] show privilege view view_name [COMMAND]

[Purpose] Show the privilege level of configuration views or commands.

[Parameters]

| Parameter | Description |
|---|---|
| view_name | Configuration view; use * to query all view permissions (bfd-peer-view/bfd-profile-accelerate-view/bfd-profile-view/bfd-view/bgp-evpn-view/bgp-evpn-vni-view/bgp-ipv4-flowspec-view/bgp-ipv4-labeled-unicast-view/bgp-ipv4-multicast-view/bgp-ipv4-unicast-view/bgp-ipv6-flowspec-view/bgp-ipv6-labeled-unicast-view/bgp-ipv6-multicast-view/bgp-ipv6-view/bgp-view/bgp-vrf-policy-view/cluster-cfg-view/cluster-info-view/collector-cfg-view/config-pmap-c-copp-system-policy-view/configure-acl-nexthop-group-view/configure-acl-user-defined-view/configure-acl-view/configure-arp-to-host-view/configure-buffer-profile-view/configure-cmap-view/configure-dhcp-relay-view/configure-diffservmap-view/configure-erspan-mirror-view/configure-if-view/configure-lagif-view/configure-loif-view/configure-mclag-view/configure-mgmt-view/configure-mstp-view/configure-nat-binding-view/configure-pmap-c-view/configure-pmap-copp-copp-system-policy/configure-pmap-view/configure-sla-view/configure-span-mirror-view/configure-track-view/configure-traffic-behavior-view/configure-view/configure-vlan-view/configure-vlanif-view/configure-vxlanif-view/configure-wred-view/dialout-sub-view/dialout-dst-view/enable-view/configure-roce-view/grpc-client-view/interface-view/isis-view/keychain-key-view/keychain-view/ospf-view/ospf6-view/pbr-map-view/rip-view/routemap-view/vrf-view). |
| COMMAND | Command; use * to query the privilege levels of all commands in the view. |

[View] Privileged User View

[Use Cases]

sonic# show privilege view enable-view show version
----------------------------------------------------------------
VIEW:enable-view privilege:show
commands in this view    privilege
show version             show

[Command] show privilege rule

[Purpose] Show command privilege level rules.

[View] Privileged User View

[Use Cases]

sonic# show privilege rule
----------------------------------------------------------------------
VIEW         CMD-PATTERN   PRIVILEGE
----------------------------------------------------------------------
enable-view  show version  show
----------------------------------------------------------------------

Table 2 User Config

| Command | Purpose |
|---|---|
| user user_name password | Add new users and configure passwords. |
| user user_name privilege-level level | Configure user privilege level. |
| user policy security-enhance | Enable password strength enhancement strategy. |
| user policy password expiration time | Configure password expiration time. |
| user policy password min-len length | Configure minimum password length. |
| user policy login enable | Enable login security protection policy. |
| user policy login lock-time time | Configure user login retry lock time. |
| user policy login retry-count count | Configure the number of user login retries. |
| user policy login session-hold-time time | Configure user session duration. |
| cmd-privilege level level view view_name command | Configure command privilege level. |

[Command] user user_name password

[Purpose] Add a new user and set the password.

[Parameters]

| Parameter | Description |
|---|---|
| user_name | Username |

[View] Global Configuration View

[Notes] Creates a new user and sets the password. Logging in as this user enters the CISCO-LIKE CLI directly. Run command no user user_name to delete the user configuration.

[Use Cases]

sonic# configure terminal
sonic(config)# user test1 password
New password:
Retype new password:
passwd: password updated successfully
Log in to the switch under this user:
public@Asterfusion:~$ ssh test1@10.250.0.161
test1@10.250.0.161's password:
Linux sonic-161 5.10.0-8-2-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64
_ _ _ _ ___ ____
/ \ ___ | |_ ___ _ __ | \ | | / _ \ / ___|
/ _ \ / __|| __| / _ \| '__|| \| || | | |___ \
/ ___ \ __ \| |_ | __/| | | |\ || |_| | ___) |
/_/ _\|___/ __| ___||_| |_| _| ___/ |____/
------- Asterfusion Network Operating System -------
Help: http://www.asterfusion.com/
Last login: Mon Sep 15 05:59:13 2025 from 10.250.0.240
sonic#

[Command] user user_name privilege-level level

[Purpose] Configure user privilege level.

[Parameters]

| Parameter | Description |
|---|---|
| user_name | Username |
| level | Privilege level. There are four levels of permissions: none level, show level, config level, and sys_admin level. Users at different levels have different permissions to run commands, with none level having the lowest permissions and sys_admin level having the highest permissions. |

[View] Global Configuration View

[Use Cases]

sonic# configure terminal
sonic(config)# user us1 privilege-level config

[Command] user policy security-enhance

[Purpose] Enable password strength enhancement strategy.

[View] Global Configuration View

[Notes] Run command no user policy security-enhance to disable password strength enhancement strategy.

[Use Cases]

sonic# configure terminal
sonic(config)# user policy security-enhance

[Command] user policy password expiration time

[Purpose] Configure password expiration time.

[Parameters]

| Parameter | Description |
|---|---|
| time | Password expiration time in days. The range is 30 to 365; the default value is 180. |

[View] Global Configuration View

[Notes] When the password strength enhancement policy is enabled, newly created users will be asked to change their password when the configured password expires. Run command no user policy password expiration to restore the password expiration time to the default value.

[Use Cases]

sonic# configure terminal
sonic(config)# user policy password expiration 30

[Command] user policy password min-len length

[Purpose] Configure minimum password length.

[Parameters]

| Parameter | Description |
|---|---|
| length | The minimum password length ranges from 6 to 32, with a default value of 8. |

[View] Global Configuration View

[Notes] When the password strength enhancement strategy is enabled, passwords for newly created users must meet the minimum password length. Run command no user policy min-len to restore the minimum password length to the default value.

[Use Cases]

sonic# configure terminal
sonic(config)# user policy password min-len 6

[Command] user policy login enable

[Purpose] Enable login security protection policy.

[View] Global Configuration View

[Notes] Run command user policy login disable to disable login security protection policy.

[Use Cases]

sonic# configure terminal
sonic(config)# user policy login enable

[Command] user policy login lock-time time

[Purpose] Configure user login retry lock time.

[Parameters]

| Parameter | Description |
|---|---|
| time | Lock time in seconds. The range is 60 to 9999; the default value is 300. |

[View] Global Configuration View

[Notes] Run command no user policy login lock-time to restore the lock time to its default value.

[Use Cases]

sonic# configure terminal
sonic(config)# user policy login lock-time 100

[Command] user policy login retry-count count

[Purpose] Configure the number of user login retries.

[Parameters]

| Parameter | Description |
|---|---|
| count | Retry count. The range is 2 to 99; the default value is 3. |

[View] Global Configuration View

[Notes] Under the login security policy, when the number of failed login attempts reaches the retry limit, the account will enter a login retry lockout period. During this time, even if the username and password are correct, the user will not be able to log in successfully. After the lockout period expires, the user can attempt to log in again. Run command no user policy retry-count to restore the retry count to its default value.

[Use Cases]

sonic# configure terminal
sonic(config)# user policy login retry-count 5

[Command] user policy login session-hold-time time

[Purpose] Configure user session duration.

[Parameters]

| Parameter | Description |
|---|---|
| time | Session hold time in seconds. Valid values are 0 or 60 to 99999; the default value is 600. A value of 0 indicates that the session will remain active and will not automatically exit. |

[View] Global Configuration View

[Notes] Run command no user policy login session-hold-time to restore the session hold time to its default value.

[Use Cases]

sonic# configure terminal
sonic(config)# user policy login session-hold-time 1000
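
Added example, not Asterfusion code: a Python check that parses captured show user policy and show login policy output and maps each weak setting to the command on this page that corrects it. The sample text is constructed from the outputs shown earlier (session hold time changed to 0); the min_len and max_retry baselines and the assumption that an active policy reports a state beginning with "enable" are not from the page.

```python
import re

# Constructed captures modelled on this page's output; hold time set to 0 to show that finding.
USER_POLICY = """\
STATE     EXPIRATION    EXPIRATION WARNING    HISTORY CNT    LEN MIN    REJECT USER PASSW MATCH    LOWER CLASS    UPPER CLASS    DIGITS CLASS    SPECIAL CLASS
--------  ------------  --------------------  -------------  ---------  -------------------------  -------------  -------------  --------------  ---------------
disabled  30            15                    10             8          true                       true           true           true            true
"""
LOGIN_POLICY = """\
+---------+---------------+-------------+---------------------+
| State   | Retry count   | Lock time   | Session hold time   |
+=========+===============+=============+=====================+
| disable | 3             | 300         | 0                   |
+---------+---------------+-------------+---------------------+
"""

def parse_simple(text):
    """Dash-ruled table: the rule line gives each column's character span."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    rule = next(i for i, ln in enumerate(lines) if set(ln) <= set("- "))
    spans = [m.span() for m in re.finditer(r"-+", lines[rule])]
    return {lines[rule - 1][a:b].strip(): lines[rule + 1][a:b].strip() for a, b in spans}

def parse_grid(text):
    """Grid table: content rows start with '|' and cells are separated by '|'."""
    rows = [[c.strip() for c in ln.strip().strip("|").split("|")]
            for ln in text.splitlines() if ln.lstrip().startswith("|")]
    return dict(zip(rows[0], rows[1]))

def audit(user_text, login_text, min_len=12, max_retry=5):
    """Return findings; min_len and max_retry are assumed site baselines."""
    user, login, out = parse_simple(user_text), parse_grid(login_text), []
    if not user["STATE"].startswith("enable"):  # assumed: active state reads enable/enabled
        out.append("password policy off: user policy security-enhance")
    if int(user["LEN MIN"]) < min_len:
        out.append(f"min length {user['LEN MIN']} < {min_len}: user policy password min-len {min_len}")
    if not login["State"].startswith("enable"):
        out.append("login protection off: user policy login enable")
    if int(login["Retry count"]) > max_retry:
        out.append(f"retry count above {max_retry}: user policy login retry-count {max_retry}")
    if int(login["Session hold time"]) == 0:
        out.append("sessions never time out: no user policy login session-hold-time")
    return out

if __name__ == "__main__":
    print("\n".join(audit(USER_POLICY, LOGIN_POLICY)))
```
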

[Command] cmd-privilege level level view view_name COMMAND

[Purpose] Configure command privilege level.

[Parameters]

| Parameter | Description |
|---|---|
| level | Privilege level. There are four levels of permissions: none level, show level, config level, and sys_admin level. Users at different levels have different permissions to run commands, with none level having the lowest permissions and sys_admin level having the highest permissions. |
| view_name | Configuration view (bfd-peer-view/bfd-profile-accelerate-view/bfd-profile-view/bfd-view/bgp-evpn-view/bgp-evpn-vni-view/bgp-ipv4-flowspec-view/bgp-ipv4-labeled-unicast-view/bgp-ipv4-multicast-view/bgp-ipv4-unicast-view/bgp-ipv6-flowspec-view/bgp-ipv6-labeled-unicast-view/bgp-ipv6-multicast-view/bgp-ipv6-view/bgp-view/bgp-vrf-policy-view/cluster-cfg-view/cluster-info-view/collector-cfg-view/config-pmap-c-copp-system-policy-view/configure-acl-nexthop-group-view/configure-acl-user-defined-view/configure-acl-view/configure-arp-to-host-view/configure-buffer-profile-view/configure-cmap-view/configure-dhcp-relay-view/configure-diffservmap-view/configure-erspan-mirror-view/configure-if-view/configure-lagif-view/configure-loif-view/configure-mclag-view/configure-mgmt-view/configure-mstp-view/configure-nat-binding-view/configure-pmap-c-view/configure-pmap-copp-copp-system-policy/configure-pmap-view/configure-sla-view/configure-span-mirror-view/configure-track-view/configure-traffic-behavior-view/configure-view/configure-vlan-view/configure-vlanif-view/configure-vxlanif-view/configure-wred-view/dialout-sub-view/dialout-dst-view/configure-roce-view/enable-view/grpc-client-view/interface-view/isis-view/keychain-key-view/keychain-view/ospf-view/ospf6-view/pbr-map-view/rip-view/routemap-view/vrf-view). |
| COMMAND | Command; the longest matching prefix takes effect. |

[View] Global Configuration View

[Notes] Run command no cmd-privilege level privilege view view_name command to delete the configured command permissions.

[Use Cases]

sonic# configure terminal
sonic(config)# cmd-privilege level none view enable-view show version
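
Added example, not the vendor's implementation: a Python model of how cmd-privilege rules resolve by longest prefix, for reviewing a rule set before it is applied. Word-wise prefix matching, the view default read from the VIEW:enable-view privilege:show line, and the check that a user's level must be at least the command's level are assumptions; the rules other than the enable-view show version rule are constructed.

```python
# Privilege levels, lowest to highest, as this page lists them.
LEVELS = ["none", "show", "config", "sys_admin"]

# View default, read from "VIEW:enable-view privilege:show" (assumed meaning).
VIEW_DEFAULT = {"enable-view": "show"}

# Constructed rules in "show privilege rule" form: (view, cmd-pattern, privilege).
RULES = [
    ("enable-view", "show", "none"),                   # hypothetical broad rule
    ("enable-view", "show version", "show"),           # the rule shown on this page
    ("enable-view", "show user policy", "sys_admin"),  # hypothetical
]

def required_level(view, command, rules=RULES, defaults=VIEW_DEFAULT):
    """Privilege of the longest matching cmd-pattern, else the view default."""
    words, best, best_len = command.split(), defaults[view], 0
    for rule_view, pattern, level in rules:
        pat = pattern.split()
        if rule_view == view and words[:len(pat)] == pat and len(pat) > best_len:
            best, best_len = level, len(pat)
    return best

def allowed(user_level, view, command):
    """Assumed check: the user's level must be at least the command's level."""
    return LEVELS.index(user_level) >= LEVELS.index(required_level(view, command))

def downgrades(rules=RULES, defaults=VIEW_DEFAULT):
    """Rules that set a privilege below their view's default: review these first."""
    return [r for r in rules if LEVELS.index(r[2]) < LEVELS.index(defaults[r[0]])]

if __name__ == "__main__":
    for cmd in ("show version", "show login policy", "show user policy"):
        print(f"{cmd!r}: needs {required_level('enable-view', cmd)}, "
              f"none-level user allowed: {allowed('none', 'enable-view', cmd)}")
    print("downgrades:", downgrades())
```

A short pattern such as show at level none opens every command under that prefix unless a longer rule raises it again, which is why downgrades() lists it for review.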