Class aaa:Definition (ABSTRACT)

Class ID:1488
Encrypted: false - Exportable: true - Persistent: true - Configurable: true - Subject to Quota: Disabled - Abstraction Layer: Concrete Model - APIC NX Processing: Disabled
Write Access: []
Read Access: [admin]
Creatable/Deletable: derived (see Container Mos for details)
Possible Semantic Scopes: EPG, Infra, Fabric,
Semantic Scope Evaluation Rule: Subclasses
Monitoring Policy Source: Parent
Monitoring Flags : [ IsObservable: false, HasStats: false, HasFaults: false, HasHealth: false, HasEventRules: false ]

The AAA policy definition. This is an abstract class and cannot be instantiated.

Naming Rules


DN FORMAT: 

                


Diagram

Super Mo: pol:Def,
Sub Mos: aaa:ADomainRef, aaa:AProvider, aaa:ARbacRule, aaa:ActiveUserSession, aaa:Banner, aaa:BlockLoginProfile, aaa:BlockedUser, aaa:Config, aaa:DeletedUserSession, aaa:Domain, aaa:Ep, aaa:FabricSec, aaa:FactoryRole, aaa:FailedLogin, aaa:FailedLoginUser, aaa:KafkaAcl, aaa:KafkaSubscription, aaa:KafkaSubscriptionClass, aaa:KafkaTopic, aaa:LdapGroupMap, aaa:LdapGroupMapRule, aaa:LdapGroupMapRuleRef, aaa:LoginDomain, aaa:PartialRbacRule, aaa:ProviderGroup, aaa:ProviderRef, aaa:PwdProfile, aaa:PwdStrengthProfile, aaa:RbacClassPriv, aaa:RbacDomain, aaa:RbacEp, aaa:RbacNodeRule, aaa:RbacPortRule, aaa:Realm, aaa:Role, aaa:SamlEncCert, aaa:ServiceNode, aaa:ServiceNodeCluster, aaa:SshAuth, aaa:SystemUser, aaa:UserCert, aaa:UserConf, aaa:UserData, aaa:UserDomain, aaa:UserEp, aaa:UserPreferences, aaa:UserProfile, aaa:UserRole, aaa:UserSelf, aaa:UserSessionEp, aaa:VMMCertificateRule,


Inheritance
[V] naming:NamedObject An abstract base class for an object that contains a name.
 ├
[V] pol:Obj Represents a generic policy object.
 
 ├
[V] pol:Def Represents self-contained policy document.
 
 
 ├
[V] aaa:Definition The AAA policy definition. This is an abstract class and cannot be instantiated.
 
 
 
 ├
[V] aaa:ADomainRef This object is generated and used only by internal processes.
 
 
 
 
 ├
[V] aaa:DomainRef A reference to the domain that the parent object belongs to.
 
 
 
 
 ├
[V] aaa:IDomainRef This object is generated and used only by internal processes.
 
 
 
 ├
[V] aaa:AProvider An abstract class that is the superclass for the Radius/Tacacs/Ldap provider classes.
 
 
 
 
 ├
[V] aaa:LdapProvider An LDAP provider is a remote server supporting the LDAP protocol that will be used for authentication.
 
 
 
 
 ├
[V] aaa:RadiusProvider A RADIUS provider is a remote server supporting the RADIUS protocol that will be used for authentication.
 
 
 
 
 ├
[V] aaa:RsaProvider 
 
 
 
 
 ├
[V] aaa:SamlProvider 
 
 
 
 
 ├
[V] aaa:TacacsPlusProvider A TACACS+ provider is a remote server supporting the TACACS+ protocol that will be used for authentication.
 
 
 
 ├
[V] aaa:ARbacRule This is generated and used only by internal processes.
 
 
 
 
 ├
[V] aaa:IPRbacRule  IPRbacRule mos are created under aaaRbacEp as a side-effect of the creation of PRbacRule under fv:Tenant
 
 
 
 
 ├
[V] aaa:IRbacRule This is generated and used only by internal processes.
 
 
 
 
 ├
[V] aaa:RbacRule A role based access control (RBAC) rule allows users from a security domain to read the subtree starting at a specific object.
 
 
 
 ├
[V] aaa:ActiveUserSession 
 
 
 
 ├
[V] aaa:Banner An abstract class that contains login banners and cannot be instantiated.
 
 
 
 
 ├
[V] aaa:PreLoginBanner A GUI banner is the informational banner to be displayed before user login authentication.
 
 
 
 ├
[V] aaa:BlockLoginProfile  This MO stores config for blocking users that fail login continuously
 
 
 
 ├
[V] aaa:BlockedUser  Users that are blocked after continuous failures
 
 
 
 ├
[V] aaa:Config The generic security authentication configuration. This is an abstract class and cannot be instantiated.
 
 
 
 
 ├
[V] aaa:AuthMethod The generic security authentication method. This is an abstract class and cannot be instantiated.
 
 
 
 
 
 ├
[V] aaa:ConsoleAuth The authentication configuration for console login.
 
 
 
 
 
 ├
[V] aaa:DefaultAuth The default authentication configuration for all login methods.
 
 
 
 
 
 ├
[V] aaa:DomainAuth The authentication configuration for a domain login.
 
 
 
 ├
[V] aaa:DeletedUserSession 
 
 
 
 ├
[V] aaa:Domain An AAA domain is the AAA security method for processing authentication requests.
 
 
 
 ├
[V] aaa:Ep The base class for an AAA endpoint is an abstract class and cannot be instantiated.
 
 
 
 
 ├
[V] aaa:DuoEp 
 
 
 
 
 ├
[V] aaa:KafkaEp 
 
 
 
 
 ├
[V] aaa:LdapEp The global security management properties for LDAP endpoints and LDAP provider groups.
 
 
 
 
 ├
[V] aaa:PingEp 
 
 
 
 
 ├
[V] aaa:RadiusEp The RADIUS endpoint policy is the global security management properties for RADIUS endpoints and RADIUS provider groups.
 
 
 
 
 ├
[V] aaa:RsaEp 
 
 
 
 
 ├
[V] aaa:SamlEp 
 
 
 
 
 ├
[V] aaa:TacacsPlusEp The TACACS+ endpoint policy is the global security management properties for TACACS+ endpoints and TACACS+ provider groups.
 
 
 
 ├
[V] aaa:FabricSec 
 
 
 
 ├
[V] aaa:FactoryRole 
 
 
 
 ├
[V] aaa:FailedLogin  MO to record each failed login for a user. Records both domain and username, so that remote users are also taken care
 
 
 
 ├
[V] aaa:FailedLoginUser  MO to represent users that fail login
 
 
 
 ├
[V] aaa:KafkaAcl 
 
 
 
 ├
[V] aaa:KafkaSubscription 
 
 
 
 ├
[V] aaa:KafkaSubscriptionClass 
 
 
 
 ├
[V] aaa:KafkaTopic 
 
 
 
 ├
[V] aaa:LdapGroupMap  The MO represents an LDAP Group Map
 
 
 
 ├
[V] aaa:LdapGroupMapRule  The MO represents an LDAP Group Map Rule The actual Map consisting of Domains and Roles
 
 
 
 ├
[V] aaa:LdapGroupMapRuleRef  The MO points to actual Ldap Rules
 
 
 
 ├
[V] aaa:LoginDomain An AAA login domain for authentication and authorization. The AAA configuration can be configured per domain.
 
 
 
 ├
[V] aaa:PartialRbacRule 
 
 
 
 ├
[V] aaa:ProviderGroup A provider group is a set of providers that will be used by the system during the authentication process. During authentication, all the providers within a provider group are tried in order. If all of the configured servers are unavailable or unreachable, the system manager automatically falls back to the local authentication method using the local username and password.
 
 
 
 
 ├
[V] aaa:DuoProviderGroup  Duo Provider Group
 
 
 
 
 ├
[V] aaa:LdapProviderGroup An LDAP provider group is a group of remote servers supporting the LDAP protocol for authentication.
 
 
 
 
 ├
[V] aaa:RadiusProviderGroup A RADIUS provider group is a group of remote servers supporting the RADIUS protocol for authentication.
 
 
 
 
 ├
[V] aaa:RsaProviderGroup  This MO represents a group of AAA RSA servers.
 
 
 
 
 ├
[V] aaa:SamlProviderGroup  This MO represents a group of AAA SAML servers.
 
 
 
 
 ├
[V] aaa:TacacsPlusProviderGroup A TACACS+ provider group is a group of remote servers supporting the TACACS+ protocol for authentication.
 
 
 
 ├
[V] aaa:ProviderRef A member of an AAA provider group.
 
 
 
 ├
[V] aaa:PwdProfile The password profile contains the information about password constraints that apply to all local users.
 
 
 
 ├
[V] aaa:PwdStrengthProfile 
 
 
 
 ├
[V] aaa:RbacClassPriv 
 
 
 
 ├
[V] aaa:RbacDomain 
 
 
 
 ├
[V] aaa:RbacEp This is generated and used only by internal processes.
 
 
 
 ├
[V] aaa:RbacNodeRule 
 
 
 
 ├
[V] aaa:RbacPortRule 
 
 
 
 ├
[V] aaa:Realm The AAA realm is the security method for processing authentication and authorization requests. The realm allows the protected resources on the associated server to be partitioned into a set of protection spaces, each with its own authentication authorization database. This is an abstract class and cannot be instantiated.
 
 
 
 ├
[V] aaa:Role An AAA role is a set of attributes and privileges that describe what a user is authorized to perform.
 
 
 
 ├
[V] aaa:SamlEncCert 
 
 
 
 ├
[V] aaa:ServiceNode 
 
 
 
 ├
[V] aaa:ServiceNodeCluster 
 
 
 
 ├
[V] aaa:SshAuth A user's public key in PEM format used for certificate-based login.
 
 
 
 ├
[V] aaa:SystemUser The base class for a system user. This is an abstract class and cannot be instantiated.
 
 
 
 
 ├
[V] aaa:AppUser 
 
 
 
 
 ├
[V] aaa:RemoteUser The remote user login account.
 
 
 
 
 ├
[V] aaa:User A locally-authenticated user account.
 
 
 
 ├
[V] aaa:UserCert An AAA user certificate in X.509 format. This certificate is the RSA public key used for certificate-based REST API calls.
 
 
 
 ├
[V] aaa:UserConf 
 
 
 
 ├
[V] aaa:UserData This object is managed internally and should not be modified by the user.
 
 
 
 ├
[V] aaa:UserDomain The AAA domain to which the user belongs.
 
 
 
 ├
[V] aaa:UserEp A user endpoint is a local user. A user is assigned a role determines the user's privileges, and belongs to a security domain, which determines the user's scope of control
 
 
 
 ├
[V] aaa:UserPreferences  User preferences
 
 
 
 ├
[V] aaa:UserProfile  User profile
 
 
 
 ├
[V] aaa:UserRole The privilege bitmask of a user domain.
 
 
 
 ├
[V] aaa:UserSelf 
 
 
 
 ├
[V] aaa:UserSessionEp  User Login tracking & logout
 
 
 
 ├
[V] aaa:VMMCertificateRule 


Events
                


Faults
                


Fsms
                


Properties Summary
Defined in: aaa:Definition
naming:Name
          string:Basic
name  (aaa:Definition:name)
           Overrides:pol:Obj:name | naming:NamedObject:name
           The name of the AAA definition object.
Defined in: pol:Def
naming:Descr
          string:Basic
descr  (pol:Def:descr)
           Specifies a description of the policy definition.
naming:Descr
          string:Basic
ownerKey  (pol:Def:ownerKey)
           The key for enabling clients to own their data for entity correlation.
naming:Descr
          string:Basic
ownerTag  (pol:Def:ownerTag)
           A tag for enabling clients to add their own data. For example, to indicate who created this object.
Defined in: naming:NamedObject
naming:NameAlias
          string:Basic
nameAlias  (naming:NamedObject:nameAlias)
           NO COMMENTS
Defined in: mo:TopProps
mo:ModificationChildAction
          scalar:Bitmask32
childAction  (mo:TopProps:childAction)
           Delete or ignore. For internal use only.
reference:BinRef dn  (mo:TopProps:dn)
           A tag or metadata is a non-hierarchical keyword or term assigned to the fabric module.
reference:BinRN rn  (mo:TopProps:rn)
           Identifies an object from its siblings within the context of its parent object. The distinguished name contains a sequence of relative names.
mo:ModificationStatus
          scalar:Bitmask32
status  (mo:TopProps:status)
           The upgrade status. This property is for internal use only.
Properties Detail

childAction

Type: mo:ModificationChildAction
Primitive Type: scalar:Bitmask32

Units: null
Encrypted: false
Access: implicit
Category: TopLevelChildAction
    Comments:
Delete or ignore. For internal use only.
Constants
deleteAll 16384u deleteAll NO COMMENTS
ignore 4096u ignore NO COMMENTS
deleteNonPresent 8192u deleteNonPresent NO COMMENTS
DEFAULT 0 --- This type is used to





descr

Type: naming:Descr
Primitive Type: string:Basic

Like: naming:Described:descr
Units: null
Encrypted: false
Access: admin
Category: TopLevelRegular
Property Validators:
    Range:  min: "0"  max: "128"
        Allowed Chars:
            Regex: [a-zA-Z0-9\\!#$%()*,-./:;@ _{|}~?&+]+
    Comments:
Specifies a description of the policy definition.



dn

Type: reference:BinRef

Units: null
Encrypted: false
Access: implicit
Category: TopLevelDn
    Comments:
A tag or metadata is a non-hierarchical keyword or term assigned to the fabric module.



name

Type: naming:Name
Primitive Type: string:Basic

Overrides:pol:Obj:name  |  naming:NamedObject:name
Units: null Encrypted: false Access: create Category: TopLevelRegular Property Validators: Range: min: "0" max: "64" Allowed Chars: Regex: [a-zA-Z0-9_.:-]+
    Comments:
The name of the AAA definition object.



nameAlias

Type: naming:NameAlias
Primitive Type: string:Basic

Units: null
Encrypted: false
Access: admin
Category: TopLevelRegular
Property Validators:
    Range:  min: "0"  max: "63"
        Allowed Chars:
            Regex: [a-zA-Z0-9_.-]+
    Comments:
NO COMMENTS



ownerKey

Type: naming:Descr
Primitive Type: string:Basic

Units: null
Encrypted: false
Access: admin
Category: TopLevelRegular
Property Validators:
    Range:  min: "0"  max: "128"
        Allowed Chars:
            Regex: [a-zA-Z0-9\\!#$%()*,-./:;@ _{|}~?&+]+
    Comments:
The key for enabling clients to own their data for entity correlation.



ownerTag

Type: naming:Descr
Primitive Type: string:Basic

Units: null
Encrypted: false
Access: admin
Category: TopLevelRegular
Property Validators:
    Range:  min: "0"  max: "64"
        Allowed Chars:
            Regex: [a-zA-Z0-9\\!#$%()*,-./:;@ _{|}~?&+]+
    Comments:
A tag for enabling clients to add their own data. For example, to indicate who created this object.



rn

Type: reference:BinRN

Units: null
Encrypted: false
Access: implicit
Category: TopLevelRn
    Comments:
Identifies an object from its siblings within the context of its parent object. The distinguished name contains a sequence of relative names.



status

Type: mo:ModificationStatus
Primitive Type: scalar:Bitmask32

Units: null
Encrypted: false
Access: implicit
Category: TopLevelStatus
    Comments:
The upgrade status. This property is for internal use only.
Constants
created 2u created In a setter method: specifies that an object should be created. An error is returned if the object already exists.
In the return value of a setter method: indicates that an object has been created.
modified 4u modified In a setter method: specifies that an object should be modified
In the return value of a setter method: indicates that an object has been modified.
deleted 8u deleted In a setter method: specifies that an object should be deleted.
In the return value of a setter method: indicates that an object has been deleted.
DEFAULT 0 --- This type controls the life cycle of objects passed in the XML API.

When used in a setter method (such as configConfMo), the ModificationStatus specifies whether an object should be created, modified, deleted or removed.
In the return value of a setter method, the ModificationStatus indicates the actual operation that was performed. For example, the ModificationStatus is set to "created" if the object was created. The ModificationStatus is not set if the object was neither created, modified, deleted or removed.

When invoking a setter method, the ModificationStatus is optional:
If a setter method such as configConfMo is invoked and the ModificationStatus is not set, the system automatically determines if the object should be created or modified.