Send documentation comments to mdsfeedback-doc@cisco.com
Each role can contain multiple users and each user can be part of multiple roles. For example, if role1
users are only allowed access to configuration commands, and role2 users are only allowed access to
debug commands, then if Joe belongs to both role1 and role2, he can access configuration as well as
If you belong to multiple roles, you can execute a union of all the commands permitted by these roles.
Access to a command takes priority over being denied access to a command. For example, suppose you
belong to a TechDocs group and you were denied access to configuration commands. However, you also
belong to the engineering group and have access to configuration commands. In this case, you will have
access to configuration commands.
Any role, when created, does not allow access to the required commands immediately. The administrator
must configure appropriate rules for each role to allow access to the required commands.
Configuring Roles and Profiles
To create an additional role or to modify the profile for an existing role, follow these steps:
switch# config t
    Enters configuration mode.
switch(config)# role name techdocs
    Places you in the mode for the specified role (techdocs). The role submode prompt indicates
    that you are now in the role submode. This submode is now specific to the techdocs group.
switch(config)# no role name techdocs
    Deletes the role called techdocs.
switch(config-role)# description Entire Tech Docs group
    Assigns a description to the new role. The description is limited to one line and can
    contain spaces.
switch(config-role)# no description
    Resets the description for the Tech Docs group.
Only users belonging to the network-admin role can create roles.
Configuring Rules and Features for Each Role
Up to 16 rules can be configured for each role. The user-specified rule number determines the order in
which the rules are applied. For example, rule 1 is applied before rule 2, which is applied before rule 3,
and so on. A user not belonging to the network-admin role cannot perform commands related to roles.
For example, if user A is permitted to perform all show commands, user A cannot view the output of the
show role command if user A does not belong to the network-admin role.
Cisco MDS 9000 Family CLI Configuration Guide
OL-16184-01, Cisco MDS SAN-OS Release 3.x
Configuring Users and Common Roles
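The multi-role behavior and rule ordering described above, modeled as an added example for auditing effective access (this is not Cisco's code and not from the guide). The role names follow the page's examples; the tuple format for rules, the command-class names, and the assumption that a later rule overrides an earlier one for the same class are this example's own.

```python
MAX_RULES = 16  # per-role rule limit stated in the guide

def role_permits(rules):
    """Evaluate one role. rules is a list of (rule_number, action, command_class).

    Rules are applied in ascending rule-number order. ASSUMPTION of this model:
    a later rule overrides an earlier one for the same command class.
    A role with no rules permits nothing, as the guide says of new roles.
    """
    if len(rules) > MAX_RULES:
        raise ValueError(f"role has {len(rules)} rules, limit is {MAX_RULES}")
    numbers = [number for number, _, _ in rules]
    if len(set(numbers)) != len(numbers):
        raise ValueError("duplicate rule number in role")
    state = {}
    for _, action, command_class in sorted(rules):
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {action}")
        state[command_class] = action
    return state

def effective_access(user_roles, roles):
    """Combine a user's roles: union of permits, and permit beats deny.

    Returns (permitted_classes, overridden_denies). The second value maps a
    command class to the roles whose deny is cancelled by another role's
    permit, which is the case an access review should look at.
    """
    permitted, denied_by = set(), {}
    for name in user_roles:
        for command_class, action in role_permits(roles[name]).items():
            if action == "permit":
                permitted.add(command_class)
            else:
                denied_by.setdefault(command_class, []).append(name)
    overridden = {c: sorted(r) for c, r in denied_by.items() if c in permitted}
    return permitted, overridden

# Constructed sample roles (hypothetical rule sets, not taken from a switch).
ROLES = {
    "techdocs": [(1, "permit", "show"), (2, "deny", "config")],
    "engineering": [(1, "deny", "config"), (2, "permit", "config"),
                    (3, "permit", "debug")],
    "newrole": [],  # freshly created role: no rules yet
}

if __name__ == "__main__":
    print(effective_access(["techdocs", "engineering"], ROLES))
```

A non-empty second return value means a deny configured in one role has no effect for that user, so restricting the user requires changing the permitting role or the user's role membership.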