that are available to the system security administrator for cryptography operations, AAA, or the commands reserved solely for the system administrator.

• Security Administrator (secadmin): This user role can control the security policy across the systems that are within a domain or network topology. The security administrator commands include FIPS mode enablement, password policies, inactivity timeouts, banner establishment, and cryptographic key operations for secure access paths.
• System Administrator (sysadmin). This role has full access to all the commands in the system, exclusive access to commands that manipulate the file system formatting, and access to the system shell. This role can also create user IDs and user roles.

The following summarizes the modes that the predefined user roles can access.

Role         Modes
netoperator
netadmin     Exec Config Interface Router IP Route-map Protocol MAC
secadmin     Exec Config Line
sysadmin     Exec Config Interface Line Router IP Route-map Protocol MAC

User Roles

This section describes how to create a new user role and configure command permissions and contains the following topics.

• Creating a New User Role
• Modifying Command Permissions for Roles
• Adding and Deleting Users from a Role

Creating a New User Role

Instead of using the system defined user roles, you can create a new user role that best matches your organization. When you create a new user role, you can first inherit permissions from one of the system defined roles. Otherwise you would have to create a user role's command permissions from scratch. You then restrict commands or add commands to that role.

NOTE: You can change user role permissions on system pre-defined user roles or user-defined user roles.

Important Points to Remember

Consider the following when creating a user role:

• Only the system administrator and user-defined roles inherited from the system administrator can create roles and user names. Only the system administrator, security administrator, and roles inherited from these can use the "role" command to modify command permissions. The security administrator and roles inherited by security administrator can only modify permissions for commands they already have access to.
• Make sure you select the correct role you want to inherit.
• If you inherit a user role, you cannot modify or delete the inheritance. If you want to change or remove the inheritance, delete the user role and create it again. If the user role is in use, you cannot delete the user role.

1 Create a new user role
  CONFIGURATION mode
  userrole name [inherit existing-role-name]
2 Verify that the new user role has inherited the security administrator permissions.

Security 753
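Because inheritance cannot be changed after a role is created, it is worth reviewing which baseline each user-defined role started from. The following is an added example, not code from the vendor documentation: a small Python audit that reads `userrole name [inherit existing-role-name]` lines from a saved configuration and reports the inherited modes and role-management rights stated on this page. The sample role names and configuration text are constructed, and resolving a chain of user-defined parents is an assumption.

```python
import re

# Modes each predefined role can access, copied from the table on this page.
# The table lists no modes for netoperator, so it is left empty here.
PREDEFINED_MODES = {
    "netoperator": [],
    "netadmin": ["Exec", "Config", "Interface", "Router", "IP", "Route-map", "Protocol", "MAC"],
    "secadmin": ["Exec", "Config", "Line"],
    "sysadmin": ["Exec", "Config", "Interface", "Line", "Router", "IP", "Route-map", "Protocol", "MAC"],
}
CAN_CREATE = {"sysadmin"}                    # may create roles and user names
CAN_USE_ROLE_CMD = {"sysadmin", "secadmin"}  # may modify command permissions

# Matches the page's syntax: userrole name [inherit existing-role-name]
USERROLE_RE = re.compile(r"^\s*userrole\s+(\S+)(?:\s+inherit\s+(\S+))?\s*$")

# Constructed sample configuration lines (role names are hypothetical).
SAMPLE_CONFIG = """\
userrole netaudit inherit netadmin
userrole keyops inherit secadmin
userrole helpdesk inherit sysadmin
userrole scratch
"""

def audit_userroles(config_text):
    """Map each user-defined role to the baseline it inherited."""
    parents = {}
    for line in config_text.splitlines():
        m = USERROLE_RE.match(line)
        if m:
            parents[m.group(1)] = m.group(2)

    def root_of(role, seen=()):
        # Assumption: a parent may itself be user-defined, so walk the chain.
        if role in PREDEFINED_MODES:
            return role
        if role in seen or parents.get(role) is None:
            return None  # no inheritance: permissions were built from scratch
        return root_of(parents[role], seen + (role,))

    report = {}
    for name in parents:
        root = root_of(name)
        report[name] = {
            "root": root,
            "inherited_modes": list(PREDEFINED_MODES.get(root, [])),
            "can_create_roles_and_users": root in CAN_CREATE,
            "can_use_role_command": root in CAN_USE_ROLE_CMD,
        }
    return report
```

The report shows only the inherited starting point; commands later restricted or added with the "role" command are not reflected in it.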