Converged Systems Advisor

Grant CSA user privileges using a TACACS+ server

Contributors netapp-rlithman

If you use a TACACS+ server and need to grant CSA user privileges for your switches, you must create a user privilege group and grant that group access to the specific setup commands that CSA needs.
Write the following commands into the configuration file for your TACACS+ server.

  1. Enter the following to create a user privilege group with read-only access:
    group=group_name {
    default service=deny

  2. Enter the following to grant access to commands needed by CSA:
    cmd=show {
    permit "environment"
    permit "version"
    permit "feature"
    permit "feature-set"
    permit hardware.*
    permit "interface"
    permit "interface transceiver"
    permit "inventory"
    permit "license"
    permit "module"
    permit "port-channel database"
    permit "ntp peers"
    permit "license usage"
    permit "port-channel summary"
    permit "running-config"
    permit "startup-config"
    permit "running-config diff"
    permit "switchname"
    permit "int mgmt0"
    permit "cdp neighbors detail"
    permit "vlan"
    permit "vpc"
    permit "vpc peer-keepalive"
    permit "mac address-table"
    permit "lacp port-channel"
    permit "policy-map"
    permit "policy-map system type qos"
    permit "policy-map system type queuing"
    permit "policy-map system type network-qos"
    permit "zoneset active"
    permit "san-port-channel summary"
    permit "flogi database"
    permit "fcns database detail"
    permit "vsan"
    permit "vsan usage"
    permit "vsan membership"
    }

  3. Enter the following to add your CSA user account to the newly created group:
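
The following is an added example, not part of the NetApp procedure and not the input for the step above. It audits a group stanza written in the syntax shown on this page for least privilege: default deny present, only `cmd=show` blocks, no catch-all or duplicate permits, and balanced braces. The group name `csa_readonly`, the `cmd=configure` block and the shortened permit list are constructed sample input.

```python
# Added example: audit a TACACS+ group stanza (syntax as shown on this page).
# Constructed input: the group name, the cmd=configure block and the missing
# closing brace are deliberate, so that every check has something to report.
SAMPLE = '''
group=csa_readonly {
    default service=deny
    cmd=show {
        permit "version"
        permit hardware.*
        permit "interface"
        permit "interface"
    }
    cmd=configure {
        permit .*
    }
'''

def audit_group(text):
    """Return findings for one group stanza; an empty list means it passed."""
    findings, seen = [], set()
    depth, cmd, default_deny = 0, None, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        compact = line.replace(" ", "")
        if compact == "defaultservice=deny":
            default_deny = True
        elif compact.startswith("cmd=") and compact.endswith("{"):
            cmd = compact[4:-1]
            if cmd != "show":
                findings.append(f"line {n}: cmd={cmd} is outside the read-only show set")
        elif line.startswith("permit"):
            arg = line[len("permit"):].strip().strip('"')
            if cmd is None:
                findings.append(f"line {n}: permit outside a cmd block")
            if arg in ("", ".*"):
                findings.append(f"line {n}: catch-all permit under cmd={cmd}")
            if (cmd, arg) in seen:
                findings.append(f"line {n}: duplicate permit '{arg}'")
            seen.add((cmd, arg))
        elif line == "}" and cmd is not None:
            cmd = None  # leaving the current cmd block
        depth += line.count("{") - line.count("}")
    if not default_deny:
        findings.append("missing 'default service=deny'")
    if depth != 0:
        findings.append(f"unbalanced braces (depth {depth} at end of stanza)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_group(SAMPLE)))
```

Running it against the real configuration file before reloading the TACACS+ server catches an unclosed block or a group that grants more than the `show` commands CSA needs.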