xml-element [ xml-string ]: Specifies an XML element. The xml-string argument represents the XPath of the XML element, a case-insensitive string of 1 to 255 characters. Use the forward slash (/) to separate XPath items, for example, Interfaces/Index/Name. If you do not specify an XML element, the rule applies to all XML elements.
all: Specifies all the user role rules.
Usage guidelines
You can define the following types of rules for different access control granularities:
• Command rule—Controls access to a command or a set of commands that match a regular expression.
• Feature rule—Controls access to the commands of a feature by command type.
• Feature group rule—Controls access to the commands of a group of features by command type.
• XML element rule—Controls access to XML elements by element type.
• OID rule—Controls access to the specified MIB node and its child nodes by node type.
A user role can access the set of permitted commands, XML elements, and MIB nodes specified in the user role rules. User role rules include predefined (identified by sys-n) and user-defined user role rules.
You can configure a maximum of 256 user-defined rules for a user role. The total number of user-defined user role rules cannot exceed 1024.
Any rule modification, addition, or removal for a user role takes effect only on the users who log in with the user role after the change.
Access to the file system commands is controlled by both the file system command rules and the file system feature rule.
A command with output redirection to the file system is permitted only when the command type write is assigned to the file system feature.
The following guidelines apply to non-OID rules:
• If two user-defined rules of the same type conflict, the rule with the higher ID takes effect. For example, a user role can use the tracert command but not the ping command if the user role contains rules configured by using the following commands:
  ○ rule 1 permit command ping
  ○ rule 2 permit command tracert
  ○ rule 3 deny command ping
• If a predefined user role rule and a user-defined user role rule conflict, the user-defined user role rule takes effect.
The following guidelines apply to OID rules:
• The system compares an OID with the OIDs specified in rules, and it uses the longest match principle to select a rule for the OID. For example, a user role cannot access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:
  ○ rule 1 permit read write oid 1.3.6
  ○ rule 2 deny read write oid 1.3.6.1.4.1
  ○ rule 3 permit read write oid 1.3.6.1.4
• If the same OID is specified in multiple rules, the rule with the higher ID takes effect. For example, a user role can access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:
  ○ rule 1 permit read write oid 1.3.6
  ○ rule 2 deny read write oid 1.3.6.1.4.1
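The following is an added model of the conflict-resolution guidelines above (command rules: highest matching ID wins; OID rules: longest match first, then highest ID for the same OID). It is illustrative code, not Comware's implementation; it assumes plain regex search for command rules, and the SAME_OID_RULES set is constructed here to show the tie-break, not copied from the page.

```python
# Added example, not Comware's own code: models how the rule guidelines above
# resolve conflicts. Command rules: among rules whose regex matches the command,
# the higher rule ID wins. OID rules: longest-prefix match on the OID first,
# then the higher rule ID among rules naming the same OID.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str   # "permit" or "deny"
    target: str   # command regex for command rules, OID prefix for OID rules


def resolve_command(rules: list[Rule], command: str) -> Optional[str]:
    """Command rules: the matching rule with the highest ID takes effect.
    Assumption: a rule matches when its regex is found anywhere in the command."""
    matches = [r for r in rules if re.search(r.target, command)]
    return max(matches, key=lambda r: r.rule_id).action if matches else None


def _oid_prefix(rule_oid: str, oid: str) -> bool:
    # Compare dotted components so "1.3.6.1" does not match "1.3.6.10".
    r, o = rule_oid.split("."), oid.split(".")
    return len(r) <= len(o) and o[: len(r)] == r


def resolve_oid(rules: list[Rule], oid: str) -> Optional[str]:
    """OID rules: longest match wins; for the same OID, the higher ID wins."""
    matches = [r for r in rules if _oid_prefix(r.target, oid)]
    if not matches:
        return None   # no rule covers this node
    best = max(matches, key=lambda r: (len(r.target.split(".")), r.rule_id))
    return best.action


# Rule sets built from the examples in the guidelines.
COMMAND_RULES = [Rule(1, "permit", "ping"), Rule(2, "permit", "tracert"),
                 Rule(3, "deny", "ping")]
LONGEST_MATCH_RULES = [Rule(1, "permit", "1.3.6"), Rule(2, "deny", "1.3.6.1.4.1"),
                       Rule(3, "permit", "1.3.6.1.4")]
# Constructed (assumed) tie-break set: rules 2 and 3 name the same OID.
SAME_OID_RULES = [Rule(1, "permit", "1.3.6"), Rule(2, "deny", "1.3.6.1.4.1"),
                  Rule(3, "permit", "1.3.6.1.4.1")]

if __name__ == "__main__":
    print(resolve_command(COMMAND_RULES, "ping 10.0.0.1"))                  # deny
    print(resolve_oid(LONGEST_MATCH_RULES, "1.3.6.1.4.1.25506.141.3.0.1"))  # deny
    print(resolve_oid(SAME_OID_RULES, "1.3.6.1.4.1.25506.141.3.0.1"))       # permit
```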