H3C S5830V2 Command Reference Manual page 74

Switch series fundamentals

All printable characters.
execute: Specifies the execute commands, XML elements, or MIB nodes. An execute command (for
example, ping), XML element, or MIB node executes a specific function or program.
read: Specifies the read commands, XML elements, or MIB nodes. A read command (for example,
display, dir, more, or pwd), XML element, or MIB node displays configuration or maintenance
information.
write: Specifies the write commands, XML elements, or MIB nodes. A write command (for example,
ssh server enable), XML element, or MIB node configures the system.
feature [ feature-name ]: Specifies one or all features. The feature-name argument specifies a
feature name. If you do not specify a feature name, you specify all the features in the system. When
you specify a feature, the feature name must be the same, including the case, as the name displayed
by the display role feature command.
feature-group feature-group-name: Specifies a user-defined or predefined feature group. The
feature-group-name argument represents the feature group name, a case-sensitive string of 1 to 31
characters. If the feature group has not been created, the rule takes effect after the group is created.
To display the feature groups that have been created, use the display role feature-group
command.
oid [ oid-string ]: Specifies an OID of a MIB node. The oid-string argument represents the OID, a
case-insensitive string of 1 to 255 characters. The OID is a dotted numeric string that uniquely
identifies the path from the root node to this node. For example, 1.3.6.1.4.1.25506.8.35.14.19.1.1.
xml-element [ xml-string ]: Specifies an XML element. The xml-string argument represents the
XPath of the XML element, a case-insensitive string of 1 to 512 characters. Use the forward slash (/)
to separate XPath items, for example, Interfaces/Index/Name. If you do not specify an XML element,
the rule applies to all XML elements.
all: Deletes all the user role rules.
Usage guidelines
You can define the following types of rules for different access control granularities:
Command rule—Controls access to a command or a set of commands that match a regular
expression.
Feature rule—Controls access to the commands of a feature by command type.
Feature group rule—Controls access to the commands of a group of features by command
type.
XML element rule—Controls access to XML elements.
OID rule—Controls access to the specified MIB node and its child nodes.
A user role can access the set of permitted commands, XML elements, and MIB nodes specified in
the user role rules. User role rules include predefined (identified by sys-n) and user-defined user role
rules.
The following guidelines apply to non-OID rules:
If two user-defined rules of the same type conflict, the rule with the higher ID takes effect. For
example, the user role can use the tracert command but not the ping command if the user role
contains rules configured by using the following commands:
rule 1 permit command ping
rule 2 permit command tracert
rule 3 deny command ping
If a predefined user role rule and a user-defined user role rule conflict, the user-defined user
role rule takes effect.
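Added example (not from the H3C manual): a Python sketch that applies the two conflict guidelines above to a list of command rules and reports which rules have their action reversed by another rule, which is useful when auditing a role for stale permit or deny entries. It assumes command strings are compared literally (regular-expression matching is not modeled); the names Rule, parse_rules, effective and overridden are hypothetical, and the predefined rule in the sample is constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    rule_id: int
    action: str                # "permit" or "deny"
    command: str               # treated as a literal string (assumption)
    predefined: bool = False   # True for predefined (sys-n) rules

RULE_RE = re.compile(r"^rule\s+(\d+)\s+(permit|deny)\s+command\s+(.+)$")

def parse_rules(config: str) -> List[Rule]:
    """Parse user-defined 'rule N permit|deny command X' lines."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(int(m.group(1)), m.group(2), m.group(3).strip()))
    return rules

def effective(rules: List[Rule], command: str) -> Optional[Rule]:
    """Return the rule that takes effect for command, or None if no rule matches."""
    matching = [r for r in rules if r.command == command]
    if not matching:
        return None
    # A user-defined rule wins over a conflicting predefined rule.
    user = [r for r in matching if not r.predefined]
    # Among user-defined rules the higher ID wins. Ordering among predefined
    # rules is not described on this page; highest ID is an assumption here.
    return max(user or matching, key=lambda r: r.rule_id)

def overridden(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """List (loser, winner) pairs where a rule's action is reversed by another rule."""
    pairs = []
    for r in rules:
        winner = effective(rules, r.command)
        if winner is not None and winner != r and winner.action != r.action:
            pairs.append((r, winner))
    return pairs

# The three rules from the manual's example, plus one constructed predefined rule.
SAMPLE = """\
rule 1 permit command ping
rule 2 permit command tracert
rule 3 deny command ping
"""
RULES = parse_rules(SAMPLE) + [Rule(1, "deny", "tracert", predefined=True)]
```
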
The following guidelines apply to OID rules:


This manual is also suitable for:

S5820v2