38
Rule Guidelines
Do not include the vertical bar (|),
greater-than sign (>), or double
greater-than sign (>>) when you
specify
display
commands in a
user role command rule.
The system does not treat the redirect signs and the parameters that
follow the signs as part of command lines. However, in user role
command rules, these redirect signs and parameters are handled as
part of command lines. As a result, no rule that includes any of these
signs can find a match.
For example, "rule 1 permit command display debugging > log" can
never find a match. This is because the system has a
display
debugging
command but not a
display debugging
> log
command.
Examples
# Permit user role role1 to execute the display acl command.
<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] rule 1 permit command display acl
# Permit user role role1 to execute all commands that start with the display keyword.
[Sysname-role-role1] rule 2 permit command display *
# Permit user role role1 to execute the radius scheme aaa command in system view and use all
commands assigned to RADIUS scheme view.
[Sysname-role-role1] rule 3 permit command system ; radius scheme aaa
# Deny the access of role1 to the read or write commands of all features.
[Sysname-role-role1] rule 4 deny read write feature
# Deny the access of role1 to the read commands of the aaa feature.
[Sysname-role-role1] rule 5 deny read feature aaa
# Permit role1 to access all read, write, and execute commands of feature group security-features.
[Sysname-role-role1] rule 6 permit read write execute feature-group security-features
# Permit role1 to access all read and write MIB nodes starting from the node with OID 1.1.2.
[Sysname-role-role1] rule 7 permit read write oid 1.1.2
Related commands
display role
display role feature
display role feature-group
role
super
Use super to obtain another user role without reconnecting to the device.
Syntax
super [ role-name ]
Views
User view
Predefined user roles
network-admin
To Next Page
Loading...
Need help?
General