H3C S5830V2 Command Reference Manual page 76
Switch series
fundamentals
Hide thumbs
Also See for S5830V2:
- Security configuration manual (332 pages) ,
- Configuration manual (318 pages) ,
- Command reference manual (137 pages)
Table of Contents
Advertisement
Rule
Keyword abbreviation is allowed.
To control the access to a
command, you must specify the
command immediately after the
view that has the command.
Do not include the vertical bar (|),
greater-than sign (>), or double
greater-than sign (>>) when you
specify display commands in a
user role command rule.
Examples
# Permit the user role role1 to execute the display acl command.
<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] rule 1 permit command display acl
# Permit the user role role1 to execute all commands that start with the display keyword.
[Sysname-role-role1] rule 2 permit command display *
# Permit the user role role1 to execute the radius scheme aaa command in system view and use all
commands assigned to RADIUS scheme view.
[Sysname-role-role1] rule 3 permit command system ; radius scheme aaa
# Deny the access of role1 to any read or write command of any feature.
[Sysname-role-role1] rule 4 deny read write feature
# Deny the access of role1 to any read command of the aaa feature.
[Sysname-role-role1] rule 5 deny read feature aaa
# Permit role1 to access all read, write, and execute commands of the feature group
security-features.
[Sysname-role-role1] rule 6 permit read write execute feature-group security-features
# Permit role1 to access all read and write MIB nodes starting from the node with OID 1.1.2.
[Sysname-role-role1] rule 7 permit read write oid 1.1.2
Related commands
•
display role
•
display role feature
Guidelines
"debugging * event" command string represents all event debugging
commands available in user view.
You can specify a keyword by entering the first few characters of the
keyword. Any command that starts with this character string matches the
rule.
For example, "rule 1 deny command dis mpls lsp protocol static " denies
access to the commands display mpls lsp protocol static and display
mpls lsp protocol static-cr.
To control access to a command, you must specify the command
immediately behind the view to which the command is assigned. The
rules that control command access for any subview do not apply to the
command.
For example, the "rule 1 deny command system ; interface * ; *"
command string disables access to any command that is assigned to
interface view. However, you can still execute the acl number command
in interface view, because this command is assigned to system view
rather than interface view. To disable access to this command, use "rule
1 deny command system ; acl *;".
The system does not treat the redirect signs and the parameters that
follow the signs as part of command lines. However, in user role
command rules, these redirect signs and parameters are handled as
part of command lines. As a result, no rule that includes any of these
signs can find a match.
For example, "rule 1 permit command display debugging > log" can
never find a match. This is because the system has a display
debugging command but not a display debugging > log command.
64
Advertisement
Table of Contents
