HPE D6020 Maintenance And Service Manual page 46

feature [ feature-name ]: Specifies one or all features. The feature-name argument represents a
feature name. If you do not specify a feature name, you specify all the features in the system. When
you specify a feature, the feature name must be the same, including the case, as the name displayed
by the display role feature command.
feature-group feature-group-name: Specifies a user-defined or predefined feature group. The
feature-group-name argument represents the feature group name, a case-sensitive string of 1 to 31
characters. If the feature group has not been created, the rule takes effect after the group is created.
To display the feature groups that have been created, use the display role feature-group
command.
oid oid-string: Specifies an OID of a MIB node. The oid-string argument represents the OID, a
case-insensitive string of 1 to 255 characters. The OID is a dotted numeric string that uniquely
identifies the path from the root node to this node. For example, 1.3.6.1.4.1.25506.8.35.14.19.1.1.
web-menu [ web-string ]: Specifies a Web menu. The web-string argument represents the ID path of
the Web menu, a case-insensitive string of 1 to 255 characters. Use the forward slash (/) to separate
ID items, for example, M_DEVICE/I_BASIC_INFO/I_reboot. If you do not specify a Web menu, the
rule applies to all Web items. To verify the ID path of a Web menu, use the display web menu
command.
xml-element [ xml-string ]: Specifies an XML element. The xml-string argument represents the
XPath of the XML element, a case-insensitive string of 1 to 255 characters. Use the forward slash (/)
to separate XPath items, for example, Interfaces/Index/Name. If you do not specify an XML element,
the rule applies to all XML elements.
all: Specifies all the user role rules.
Usage guidelines
You can define the following types of rules for different access control granularities:
- Command rule—Controls access to a command or a set of commands that match a regular expression.
- Feature rule—Controls access to the commands of a feature by command type.
- Feature group rule—Controls access to the commands of a group of features by command type.
- Web menu rule—Controls access to Web menus by menu type.
- XML element rule—Controls access to XML elements by element type.
- OID rule—Controls access to the specified MIB node and its child nodes by node type.
A user role can access the set of permitted commands, Web menus, XML elements, and MIB nodes
specified in the user role rules. User role rules include predefined (identified by sys-n) and
user-defined user role rules.
You can configure a maximum of 256 user-defined rules for a user role. The total number of
user-defined user role rules cannot exceed 1024.
Any rule modification, addition, or removal for a user role takes effect only on the users who log in
with the user role after the change.
Access to the file system commands is controlled by both the file system command rules and the file
system feature rule.
A command with output redirection to the file system is permitted only when the command type write
is assigned to the file system feature.
The following guidelines apply to non-OID rules:
If two user-defined rules of the same type conflict, the rule with the higher ID takes effect. For
example, a user role can use the tracert command but not the ping command if the user role
contains rules configured by using the following commands:
rule 1 permit command ping
rule 2 permit command tracert
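
The higher-ID-wins guideline for non-OID rules, modeled as an added Python example for auditing a role's rule list offline (not code from the manual or from HPE). The `Rule` class, exact matching of command strings instead of the device's pattern matching, the no-access default when no rule matches, and the sample rule set with its feature name are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                    # "permit" or "deny"
    kind: str                      # "command" or "feature"
    target: Optional[str] = None   # feature name; None = all features
    ops: frozenset = frozenset()   # feature rules only: read / write / execute

def matches(rule, kind, target, op=None):
    """True if the rule applies to this request (exact, case-sensitive match)."""
    if rule.kind != kind:
        return False
    if kind == "feature":
        return op in rule.ops and rule.target in (None, target)
    return rule.target == target   # simplification: no pattern matching

def effective(rules, kind, target, op=None):
    """Return (action, deciding rule ID); the highest matching ID wins."""
    hits = [r for r in rules if matches(r, kind, target, op)]
    if not hits:
        return ("deny", None)      # assumption: no matching rule, no access
    winner = max(hits, key=lambda r: r.rule_id)
    return (winner.action, winner.rule_id)

def shadowed(rules):
    """IDs of rules that can never decide: a higher-ID rule covers them fully."""
    def covers(hi, lo):
        return (hi.rule_id > lo.rule_id and hi.kind == lo.kind
                and lo.ops <= hi.ops
                and (hi.target == lo.target
                     or (hi.kind == "feature" and hi.target is None)))
    return sorted(lo.rule_id for lo in rules
                  if any(covers(hi, lo) for hi in rules))

# Constructed rule set for one user role (not taken from the manual).
ROLE_RULES = [
    Rule(1, "permit", "command", "ping"),
    Rule(2, "permit", "command", "tracert"),
    Rule(3, "deny", "command", "ping"),
    Rule(4, "permit", "feature", "ospf", frozenset({"read", "write"})),
    Rule(5, "deny", "feature", None, frozenset({"write"})),
]

if __name__ == "__main__":
    for req in [("command", "ping"), ("command", "tracert"),
                ("feature", "ospf", "read"), ("feature", "ospf", "write")]:
        print(req, effective(ROLE_RULES, *req))
    print("shadowed:", shadowed(ROLE_RULES))
```

A rule reported by `shadowed` is dead configuration: it still counts toward the 256-rule limit of the role but never decides an access request.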