H3C S6812 Series Command Reference Manual page 46


Rule
Keyword abbreviation is allowed.
To control the access to a command, you must specify the command immediately after the view that has the command.
Do not include the vertical bar (|), greater-than sign (>), or double greater-than sign (>>) when you specify display commands in a user role command rule.
Examples
# Permit user role role1 to execute the display acl command.
<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] rule 1 permit command display acl
# Permit user role role1 to execute all commands that start with the display keyword.
[Sysname-role-role1] rule 2 permit command display *
# Permit user role role1 to execute the radius scheme aaa command in system view and use all commands assigned to RADIUS scheme view.
[Sysname-role-role1] rule 3 permit command system ; radius scheme aaa
# Deny the access of role1 to the read or write commands of all features.
[Sysname-role-role1] rule 4 deny read write feature
# Deny the access of role1 to the read commands of the aaa feature.
[Sysname-role-role1] rule 5 deny read feature aaa
# Permit role1 to access all read, write, and execute commands of feature group security-features.
[Sysname-role-role1] rule 6 permit read write execute feature-group security-features
# Permit role1 to access all read and write MIB nodes starting from the node with OID 1.1.2.
[Sysname-role-role1] rule 7 permit read write oid 1.1.2
Guidelines
In the last segment, you can use an asterisk in any position of the segment. If the asterisk appears at the beginning, you cannot specify a printable character behind the asterisk.
For example, the "system ; *" command string represents all commands available in system view and all subviews of the system view. The "debugging * event" command string represents all event debugging commands available in user view.
You can specify a keyword by entering the first few characters of the keyword. Any command that starts with this character string matches the rule.
For example, "rule 1 deny command dis arp source *" denies access to the commands display arp source-mac interface and display arp source-suppression.
To control access to a command, you must specify the command immediately behind the view to which the command is assigned. The rules that control command access for any subview do not apply to the command.
For example, the "rule 1 deny command system ; interface * ; *" command string disables access to any command that is assigned to interface view. However, you can still execute the acl advanced command in interface view, because this command is assigned to system view rather than interface view. To disable access to this command, use "rule 1 deny command system ; acl *;".
The system does not treat the redirect signs and the parameters that follow the signs as part of command lines. However, in user role command rules, these redirect signs and parameters are handled as part of command lines. As a result, no rule that includes any of these signs can find a match.
For example, "rule 1 permit command display debugging > log" can never find a match. This is because the system has a display debugging command but not a display debugging > log command.
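
The matching behaviour in these guidelines, as an added example: a simplified Python model written for this page, not H3C code, for checking what a planned command string would cover before it goes into a role. It handles user-view command strings only (no ";" view segments), assumes an asterisk stands for zero or more whole keywords and that trailing keywords need an asterisk, and uses a constructed command list.

```python
import re

# Redirect signs the page names: |, > and >> (">>" is caught by ">").
REDIRECT = re.compile(r"\||>")

def strip_redirect(typed):
    """Model the CLI dropping a redirect sign and everything after it."""
    return REDIRECT.split(typed, maxsplit=1)[0].strip()

def _match(rule_toks, cmd_toks):
    if not rule_toks:
        return not cmd_toks
    head, rest = rule_toks[0], rule_toks[1:]
    if head == "*":  # assumption: '*' covers zero or more whole keywords
        return any(_match(rest, cmd_toks[i:]) for i in range(len(cmd_toks) + 1))
    # Keyword abbreviation: the rule keyword only has to be a prefix.
    return bool(cmd_toks) and cmd_toks[0].startswith(head) and _match(rest, cmd_toks[1:])

def rule_matches(command_string, typed):
    """True if a user-view command string covers the typed command line."""
    if ";" in command_string:
        raise ValueError("view segments are outside this model")
    # The rule keeps its redirect sign; the typed line loses it before matching.
    return _match(command_string.split(), strip_redirect(typed).split())

def lint(command_string):
    """Flag command strings that, per the guidelines, can never match."""
    if REDIRECT.search(command_string):
        return ["contains a redirect sign: rule can never find a match"]
    return []

# Command lines named in the page's examples, plus one constructed line.
CATALOGUE = [
    "display arp source-mac interface",
    "display arp source-suppression",
    "display acl",
    "display debugging",
    "debugging ospf event",  # constructed sample
]

def covered(command_string):
    """List the catalogue commands that a command string would cover."""
    return [c for c in CATALOGUE if rule_matches(command_string, c)]

if __name__ == "__main__":
    for rule in ("dis arp source *", "debugging * event", "display debugging > log"):
        print(f"{rule!r}: covers {covered(rule)} lint={lint(rule)}")
```

Running `covered()` on an abbreviated string shows how far the abbreviation reaches, which matters most for permit rules, where a short prefix can grant more commands than intended.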

This manual is also suitable for:

S6813 series, S5150-ei