
Tag: <accesstoken> - Device Role Options


The <accesstoken> tag is used to define the roles that are available on a device. The role can be selected when adding a device to a profile, and it tells the user_add task how to set the role on a personalised account.

The <accesstoken> tag sits inside a group tag of <accesstokens>. You can define multiple <accesstokens> tags to hold each of the access tokens or you can add <accesstoken> tags to an existing <accesstokens> tag.

This tag has the following attributes:


  • display_name (str) : This is the display string used in the Admin Interface when setting the parameter values. It is not seen by the user running the task. The display name seen by the user running the task is set on the task <input> tag.

  • name* (str) : This is the internal name for the access level and is used in the <user_add> task to make conditional decisions on how to set the role of a personalised account. The highest level is normally called readwrite and the lowest readonly.

  • level (int) : This integer defines the priority order of the access levels.

  • logon_name_template* (str) : This defines how a personalised account name will be created per user when the task user_add adds a new account on the device. The string %user_name% will get replaced by the user's logon account.

The list of access tokens is shown in the profile Manage device window. The list looks like this:

Profile list


Typically there are several access tokens on a device. Here are two shown from a Cisco IOS device:

<accesstoken display_name='Privileged' name='readwrite' level='15' logon_name_template='%user_name%_15'/>
<accesstoken display_name='User' name='readonly' level='1' logon_name_template='%user_name%_1'/>
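
The following is an added example, not code from the product or its documentation: a small Python check that parses an <accesstokens> group, orders the tokens by level, confirms every logon_name_template contains %user_name% so each user gets a distinct account on the device, and expands the template for a sample user. It assumes that the asterisk marks required attributes and that a higher level means more privilege; the function names and the user jsmith are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two Cisco IOS tokens from the page inside an <accesstokens> group.
SAMPLE = """
<accesstokens>
  <accesstoken display_name='Privileged' name='readwrite' level='15' logon_name_template='%user_name%_15'/>
  <accesstoken display_name='User' name='readonly' level='1' logon_name_template='%user_name%_1'/>
</accesstokens>
"""

PLACEHOLDER = "%user_name%"
REQUIRED = ("name", "logon_name_template")  # assumption: '*' on the page marks required attributes


def lint_accesstokens(xml_text):
    """Return (tokens sorted by level, highest first, and a list of problems found)."""
    root = ET.fromstring(xml_text)
    tokens, problems, seen = [], [], set()
    for el in root.iter("accesstoken"):
        attrs = dict(el.attrib)
        label = attrs.get("name", "<unnamed>")
        for key in REQUIRED:
            if not attrs.get(key):
                problems.append(f"{label}: missing {key}")
        if label in seen:
            problems.append(f"{label}: duplicate name")
        seen.add(label)
        # Without the placeholder every user would map to the same account name on the device.
        if PLACEHOLDER not in attrs.get("logon_name_template", ""):
            problems.append(f"{label}: logon_name_template lacks {PLACEHOLDER}")
        try:
            attrs["level"] = int(attrs.get("level", ""))
        except ValueError:
            problems.append(f"{label}: level is not an integer")
            attrs["level"] = -1  # sort malformed entries last
        tokens.append(attrs)
    tokens.sort(key=lambda t: t["level"], reverse=True)
    return tokens, problems


def personalised_account(token, user_name):
    """Expand the template as the page describes: %user_name% becomes the user's logon."""
    return token["logon_name_template"].replace(PLACEHOLDER, user_name)


if __name__ == "__main__":
    tokens, problems = lint_accesstokens(SAMPLE)
    for t in tokens:
        print(t["level"], t["name"], personalised_account(t, "jsmith"))
    print(problems or "no problems")
```
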

Parent Tags

  • <accesstokens>

Child Tags

  • None