user <USERNAME> group {administrators | operators | auditors | <USER-GROUP>} 
     password [ciphertext <CIPHERTEXT-PASSWORD> | plaintext <PLAINTEXT-PASSWORD>]

no user <USERNAME>


Creates a user and adds the user to one of the user groups. Users are given the privileges of their group. For the three built-in user groups (administrators, operators, auditors), the privileges are fixed. For user-defined local user groups, the privileges are defined by the CLI command authorization rules of the group.

When entered without either optional ciphertext or plaintext parameters, the cleartext password is prompted for twice, with the characters entered masked with "*" symbols.

The no form of this command removes a user account from the switch. The administrator cannot delete the user account from which they are logged in. The admin user cannot be deleted.

Command context




Specifies the user name. Requirements:

  • Must start with a lowercase letter.

  • Can contain numbers and lowercase letters.

  • Can include only these three special characters: hyphens ( - ), dots ( . ), and underscores ( _ ).

  • Can have a maximum of 32 characters.

  • Cannot be empty.

  • Cannot contain uppercase letters.

  • Cannot be: admin, root, or remote_user.

  • Cannot be Linux reserved names such as:

    daemon, bin, sys, sync, proxy, www-data, backup, list, irc, gnats, nobody, systemd-bus-proxy, sshd, messagebus, rpc, systemd-journal-gateway, systemd-journal-remote, systemd-journal-upload, systemd-timesync, systemd-coredump, systemd-resolve, rpcuser, vagrant, opsd, rdanet, _lldpd, rdaadmin, rdaweb, docker_container, tss.


Selects the local user group to which the new user will be assigned.

administrators | operators | auditors

Selects one of three built-in local user groups.


Specifies an existing user-defined local user group.

Specifies a ciphertext password. No password prompts are provided and the ciphertext password is validated before the configuration is applied for the user. The variable <CIPHERTEXT-PASSWORD> is Base64 and is typically copied from another switch using the show running-config command output and then pasted into this command.
NOTE: The administrator cannot construct ciphertext passwords themselves. The ciphertext is only created by an ArubaOS-CX switch. The ciphertext is created by setting a password for a user with the user command. The ciphertext is available for copying from the show running-config output and pasting into the configuration on any other ArubaOS-CX switch. The target switch must have the same export password (default or otherwise) as the source switch.

Specifies the password without prompting. The password is visible as cleartext when entered but is encrypted thereafter. Command history does show the password as cleartext.


Administrators or local user group members with execution rights for this command.


  • Up to 63 local users can be added, for a total of 64 users including the default user admin. A user can belong to only one group.

  • The switch ships with the admin user account and three built-in local user groups: administrators, operators, and auditors. The admin account belongs to the administrators group. The Service OS also includes the administrator user admin. The two admin users are entirely distinct.

  • When a local user account is removed, the user loses all active login/SSH sessions. Any calls on the existing REST session with that local user account fail with a permissions issue as soon as the user is deleted. Soon afterwards, the existing REST sessions with the deleted local user account become invalidated. If a user is viewing the GUI while their account is deleted, the user is redirected to the login page within 60 seconds. The home directory associated with the user is also removed from the switch.

  • Cleartext passwords (whether entered with prompting or entered directly) must:
    • Contain only ASCII characters from hexadecimal 21 to hexadecimal 7E [\x21-\x7E] (decimal 33 to 126). Spaces are not allowed. When the password is entered directly without prompting, the "?" symbol (hexadecimal 3F [\x3F] (decimal 63)) is not permitted.

    • Contain at most 32 characters.

    • Contain at least the number of characters configured (optionally) for minimum-password-length.

      CAUTION: Although empty passwords are supported, it is recommended that you use strong passwords for all production switches.
      NOTE: Only an administrator can change the password of a user assigned to the operators role.


Creating local user jamie in the administrators group with a prompted password:

switch(config)# user jamie group administrators password
Adding user jamie
Enter password:************
Confirm password:************

Creating user chris in the existing user-defined local user group admuser2 with a cleartext password, using direct entry without prompting:

switch(config)# user chris group admuser2 password plaintext passWORDxJ|989

Creating user alex in the operators group with a ciphertext password (the ciphertext shown is a placeholder that must be replaced with actual ciphertext):

switch(config)# user alex group operators password ciphertext NDcDI2...8igJfA=

Removing user jamie:

switch(config)# no user jamie
User jamie's home directory and active sessions will be deleted.
Do you want to continue [y/n]?y