HPE D6020 Maintenance And Service Manual page 48
Hide thumbs
Also See for HPE D6020:
- Maintenance and service manual (54 pages) ,
- User manual (44 pages)
Table of Contents
Advertisement
Rule
To control the access to a
command, you must specify the
command immediately after the
view that has the command.
Do not include the vertical bar (|),
greater-than sign (>), or double
greater-than sign (>>) when you
specify display commands in a
user role command rule.
Examples
# Permit user role role1 to execute the display acl command.
<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] rule 1 permit command display acl
# Permit user role role1 to execute all commands that start with the display keyword.
[Sysname-role-role1] rule 2 permit command display *
# Permit user role role1 to execute the radius scheme aaa command in system view and use all
commands assigned to RADIUS scheme view.
[Sysname-role-role1] rule 3 permit command system ; radius scheme aaa
# Deny the access of role1 to the read or write commands of all features.
[Sysname-role-role1] rule 4 deny read write feature
# Deny the access of role1 to the read commands of the aaa feature.
[Sysname-role-role1] rule 5 deny read feature aaa
# Permit role1 to access all read, write, and execute commands of feature group security-features.
[Sysname-role-role1] rule 6 permit read write execute feature-group security-features
# Permit role1 to access all read and write MIB nodes starting from the node with OID 1.1.2.
[Sysname-role-role1] rule 7 permit read write oid 1.1.2
Related commands
display role
display role feature
display role feature-group
display web menu
role
Guidelines
rule.
For example, "rule 1 deny command dis arp source *" denies access to
the commands display arp source-mac interface and display arp
source-suppression.
To control access to a command, you must specify the command
immediately behind the view to which the command is assigned. The
rules that control command access for any subview do not apply to the
command.
For example, the "rule 1 deny command system ; interface * ; *"
command string disables access to any command that is assigned to
interface view. However, you can still execute the acl number command
in interface view, because this command is assigned to system view
rather than interface view. To disable access to this command, use "rule
1 deny command system ; acl *;".
The system does not treat the redirect signs and the parameters that
follow the signs as part of command lines. However, in user role
command rules, these redirect signs and parameters are handled as
part of command lines. As a result, no rule that includes any of these
signs can find a match.
For example, "rule 1 permit command display debugging > log" can
never find a match. This is because the system has a display
debugging command but not a display debugging > log command.
40
Advertisement
Table of Contents
