Overview of Account Management

Overview

A valid account is required for access to Avi Vantage through the GUI, REST API, or CLI. Each user must be assigned a role which grants permissions and access to read or write to various objects within Avi Vantage. Accounts may optionally be restricted to specific tenants, and granted different roles within each tenant.

User accounts are maintained either locally in Avi Vantage or remotely on an external AAA server, where authentication and authorization are performed. Avi Vantage first attempts to validate the account against the local auth database, then against remote auth.

For SSH access, the Controller also attempts to authenticate the user via the underlying Linux system after failing to find the user in the local or remote auth databases. Users created in the local or remote auth databases are not created in Linux and may not have Linux access, with the exception of the admin account.

Note: You can disable local authentication in the Controller if remote authentication (LDAP, TACACS, SAML and so on) is enabled. To do so, set the allow_local_user_login flag to False under SystemConfiguration > AdminAuthConfiguration.
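The following added example (not Avi Vantage code) audits an exported system configuration for the lookup order and the flag described above. The JSON key names admin_auth_configuration and auth_profile_ref, and the treatment of an absent flag as "allowed", are assumptions; the sample export is constructed.

```python
import json

# Constructed sample export, not real Controller output. The key names
# "admin_auth_configuration" and "auth_profile_ref" are assumptions;
# "allow_local_user_login" is the flag named in the note above.
SAMPLE_EXPORT = json.loads("""
{
  "admin_auth_configuration": {
    "auth_profile_ref": "/api/authprofile/authprofile-EXAMPLE",
    "allow_local_user_login": true
  }
}
""")


def _settings(sysconf):
    cfg = sysconf.get("admin_auth_configuration") or {}
    remote = bool(cfg.get("auth_profile_ref"))
    # Assumption: an absent flag means local login is still allowed.
    local = cfg.get("allow_local_user_login", True) is not False
    return local, remote


def auth_chain(sysconf, channel):
    """Ordered backends tried for a login on 'gui', 'api', 'cli' or 'ssh'."""
    local, remote = _settings(sysconf)
    chain = []
    if local:
        chain.append("local")    # local auth database is checked first
    if remote:
        chain.append("remote")   # then the external AAA server
    if channel == "ssh":
        chain.append("linux")    # SSH only: underlying Linux accounts last
    return chain


def audit(sysconf):
    """Return findings about the admin authentication configuration."""
    local, remote = _settings(sysconf)
    findings = []
    if remote and local:
        findings.append("local-fallback: local accounts are still validated "
                        "before remote auth; disable if AAA should be the only source")
    if not remote and not local:
        # The page only describes disabling local login when remote auth is
        # enabled, so this combination is reported rather than modelled.
        findings.append("no-backend: local login disabled but no remote auth configured")
    return findings
```

Even with local login disabled, `auth_chain(cfg, "ssh")` still ends in `linux`, so accounts on the underlying Linux system need their own review.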

User Authentication

Local User Authentication

Remote User Authentication

Roles

Tenants

Other

Suggested Reading

Configuring SAML Authentication with Workspace One for Avi Controller