HP Enterprise FlexFabric 12900E Series Command Reference Manual page 41


write: Specifies the write commands, XML elements, or MIB nodes to configure the system. The ssh server enable command is an example of write commands.

feature [ feature-name ]: Specifies one or all features. The feature-name argument is a case-sensitive character string. If you do not specify a feature name, you specify all the features in the system.

feature-group feature-group-name: Specifies a user-defined or predefined feature group. The feature-group-name argument represents the feature group name, a case-sensitive string of 1 to 31 characters. If the feature group has not been created, the rule takes effect after the group is created. To display the feature groups that have been created, use the display role feature-group command.

oid oid-string: Specifies an OID of a MIB node. The oid-string argument represents the OID, a case-insensitive string of 1 to 255 characters. The OID is a dotted numeric string that uniquely identifies the path from the root node to this node. For example, 1.3.6.1.4.1.25506.8.35.14.19.1.1.

xml-element [ xml-string ]: Specifies an XML element. The xml-string argument represents the XPath of the XML element, a case-insensitive string of 1 to 255 characters. Use the forward slash (/) to separate XPath items, for example, Interfaces/Index/Name. If you do not specify an XML element, the rule applies to all XML elements.

all: Specifies all the user role rules.

Usage guidelines

You can define the following types of rules for different access control granularities:
• Command rule—Controls access to a command or a set of commands that match a regular expression.
• Feature rule—Controls access to the commands of a feature by command type.
• Feature group rule—Controls access to the commands of a group of features by command type.
• XML element rule—Controls access to XML elements by element type.
• OID rule—Controls access to the specified MIB node and its child nodes by node type.

A user role can access the set of permitted resources specified in the user role rules. User role rules include predefined (identified by sys-n) and user-defined user role rules.

You can configure a maximum of 256 user-defined rules for a user role. The total number of user-defined user role rules cannot exceed 1024.

Any rule modification, addition, or removal for a user role takes effect only on the users who log in with the user role after the change.

Access to the file system commands is controlled by both the file system command rules and the file system feature rule.

A command with output redirection to the file system is permitted only when the command type write is assigned to the file system feature.

The following guidelines apply to non-OID rules:
• If two user-defined rules of the same type conflict, the rule with the higher ID takes effect. For example, a user role can use the tracert command but not the ping command if the user role contains rules configured by using the following commands:
    rule 1 permit command ping
    rule 2 permit command tracert
    rule 3 deny command ping
• If a predefined user role rule and a user-defined user role rule conflict, the user-defined user role rule takes effect.

The following guidelines apply to OID rules:
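
The two non-OID precedence guidelines above (the higher ID wins among user-defined rules, and a user-defined rule beats a predefined one), as an added Python example that is not from the HPE manual: it resolves which command rule takes effect and lists the rules that are overridden, a useful check when auditing a role. Assumptions: each command rule names one exact command (the device's pattern matching is not modelled), the `rule sys-N ...` spelling for a predefined rule is notation for this sketch only, and ordering predefined rules by ID is assumed because the manual does not state it.

```python
import re

# Constructed sample: the three rules from the guideline, plus one predefined
# rule written as "rule sys-1 ..." (notation for this sketch, not device syntax).
SAMPLE = """\
rule sys-1 deny command tracert
rule 1 permit command ping
rule 2 permit command tracert
rule 3 deny command ping
"""

RULE = re.compile(r"^rule (sys-)?(\d+) (permit|deny) command (\S+)$")


def parse(text):
    """Return (label, is_user_defined, rule_id, action, command) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            sys_, num, action, cmd = m.groups()
            rules.append(((sys_ or "") + num, sys_ is None, int(num), action, cmd))
    return rules


def resolve(rules):
    """Map each command to the (action, label) of the rule that takes effect."""
    winner = {}
    for label, user, num, action, cmd in rules:
        cur = winner.get(cmd)
        # (user, num) ordering: user-defined beats predefined, then higher ID wins.
        # Ordering among predefined rules is an assumption of this sketch.
        if cur is None or (user, num) > (cur[0], cur[1]):
            winner[cmd] = (user, num, action, label)
    return {cmd: (w[2], w[3]) for cmd, w in winner.items()}


def overridden(rules):
    """List (loser, winner) label pairs where the loser's action never applies."""
    eff = resolve(rules)
    return [(label, eff[cmd][1]) for label, _, _, action, cmd in rules
            if eff[cmd][0] != action]


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    print(resolve(parsed))     # effective action per command
    print(overridden(parsed))  # rules whose action is shadowed
```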
