Step | Command | Remarks

Step 3. Configure rules for the user role.
Command:
• Configure a command rule:
  rule number { deny | permit } command command-string
• Configure a feature rule:
  rule number { deny | permit } { execute | read | write } * feature [ feature-name ]
• Configure a feature group rule:
  rule number { deny | permit } { execute | read | write } * feature-group feature-group-name
• Configure an XML element rule:
  rule number { deny | permit } { execute | read | write } * xml-element [ xml-string ]
Remarks:
By default, a user-defined user role does not have any rules or access to any commands or XML elements.
Repeat this step to add a maximum of 256 rules to the user role.
IMPORTANT:
When you configure feature rules, you can specify only features available in the system. Enter feature names the same as they are displayed, including the case.
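The rule syntax and limits above can be checked offline before a role is pushed to a device. The following is an added example, not code from the vendor documentation: it parses the four rule forms and flags the 256-rule limit, feature names whose case differs from a supplied feature list, and permit rules that omit the optional feature or XML name. The function names, the sample rules, and the feature list are constructed for illustration, and treating an omitted name as "not scoped" is this example's reading of the bracketed syntax.

```python
import re

MAX_RULES = 256  # per-role limit stated in the remarks above
TYPES = ("execute", "read", "write")
KINDS = ("feature", "feature-group", "xml-element")
RULE_RE = re.compile(r"^rule\s+(\d+)\s+(deny|permit)\s+(.+)$")

def parse_rule(line):
    """Parse one 'rule ...' line into a dict; raise ValueError on bad syntax."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule line: {line!r}")
    rule = {"number": int(m.group(1)), "action": m.group(2), "types": []}
    tokens = m.group(3).split()
    if tokens[0] == "command":
        if len(tokens) < 2:
            raise ValueError("command rule needs a command-string")
        return dict(rule, kind="command", target=" ".join(tokens[1:]))
    while tokens and tokens[0] in TYPES:      # one or more access types
        rule["types"].append(tokens.pop(0))
    if not rule["types"] or not tokens or tokens[0] not in KINDS:
        raise ValueError(f"bad rule body: {line!r}")
    kind, target = tokens[0], " ".join(tokens[1:]) or None
    if kind == "feature-group" and target is None:
        raise ValueError("feature-group rule needs a group name")
    return dict(rule, kind=kind, target=target)

def audit_role(lines, known_features):
    """Return (rule number, finding) pairs for one role's rule lines."""
    rules = [parse_rule(l) for l in lines if l.strip().startswith("rule ")]
    findings = []
    if len(rules) > MAX_RULES:
        findings.append((None, f"{len(rules)} rules exceeds the {MAX_RULES}-rule limit"))
    lowered = {f.lower(): f for f in known_features}
    for r in rules:
        if r["kind"] == "feature" and r["target"] and r["target"] not in known_features:
            hint = lowered.get(r["target"].lower())
            findings.append((r["number"], f"feature name case mismatch, displayed as {hint!r}"
                             if hint else "feature not in the supplied feature list"))
        if r["action"] == "permit" and r["kind"] in KINDS[::2] and r["target"] is None:
            findings.append((r["number"], f"permit on {r['kind']} with no name: not scoped"))
    return findings

# Constructed sample: feature names are illustrative, not taken from a device.
SAMPLE = ["rule 1 permit command display *",
          "rule 2 permit read write feature OSPF",
          "rule 3 permit read feature",
          "rule 4 deny execute feature-group L3"]
FINDINGS = audit_role(SAMPLE, known_features={"ospf", "aaa"})
```

Pass the feature names exactly as the device displays them as known_features; the sample run reports rules 2 and 3.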
Configuring feature groups
Use feature groups to bulk assign command access permissions to sets of features. In addition to the
predefined feature groups, you can create a maximum of 64 custom feature groups and assign a feature
to multiple feature groups.
To configure a feature group:
Step | Command | Remarks

Step 1. Enter system view.
Command:
  system-view
Remarks:
N/A

Step 2. Create a feature group and enter feature group view.
Command:
  role feature-group name feature-group-name
Remarks:
By default, the system has the following predefined feature groups:
• L2—Includes all Layer 2 commands.
• L3—Includes all Layer 3 commands.
These two groups are not user configurable.

Step 3. Add a feature to the feature group.
Command:
  feature feature-name
Remarks:
By default, a feature group does not have any features.
IMPORTANT:
You can specify only features available in the system. Enter feature names the same as they are displayed, including the case.
Configuring resource access policies
Every user role has one interface policy, VLAN policy, and VPN instance policy. By default, these policies
permit user roles to access any interface, VLAN, and VPN. You can configure the policies of a
user-defined user role or a predefined level-n user role to limit its access to interfaces, VLANs, and VPNs.
The policy configuration takes effect only on users who are logged in with the user role after the
configuration.