Configuration restrictions and guidelines
When you configure RBAC user role rules, follow these restrictions and guidelines:
• You can configure a maximum of 256 user-defined rules for a user role. The total number of
user-defined user role rules cannot exceed 1024.
• Any rule modification, addition, or removal for a user role takes effect only on users who are
logged in with the user role after the change.
The following guidelines apply to non-OID rules:
• If two user-defined rules of the same type conflict, the rule with the higher ID takes effect. For
example, a user role can use the tracert command but not the ping command if the user role
contains rules configured by using the following commands:
    rule 1 permit command ping
    rule 2 permit command tracert
    rule 3 deny command ping
• For level-0 to level-14 user roles, if a predefined user role rule and a user-defined user role rule
conflict, the user-defined user role rule takes effect.
The following guidelines apply to OID rules:
• The system compares an OID with the OIDs specified in user role rules, and it uses the longest
match principle to select a rule for the OID. For example, a user role cannot access the MIB
node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using
the following commands:
    rule 1 permit read write oid 1.3.6
    rule 2 deny read write oid 1.3.6.1.4.1
    rule 3 permit read write oid 1.3.6.1.4
• If the same OID is specified in multiple rules, the rule with the higher ID takes effect. For
example, a user role can access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user
role contains rules configured by using the following commands:
    rule 1 permit read write oid 1.3.6
    rule 2 deny read write oid 1.3.6.1.4.1
    rule 3 permit read write oid 1.3.6.1.4.1
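The precedence described in the two guideline lists above (the higher rule ID wins between conflicting command rules; the longest match, then the higher rule ID, decides between OID rules), worked through as an added example that is not from the configuration guide. It assumes OID prefixes are compared sub-identifier by sub-identifier and that command rules match an exact command string; both are simplifications of the device's real matching.

```python
# Added example (not from the configuration guide): evaluates a user role's
# rules against a command or an OID using the precedence described above.
# Assumptions: OID prefixes are compared sub-identifier by sub-identifier, and
# command rules are matched on the exact command string (both simplifications).

def oid_match_len(rule_oid, oid):
    """Number of leading sub-identifiers rule_oid shares with oid when rule_oid
    is a prefix of oid, otherwise -1 (so '1.3.6' does not match '1.3.61')."""
    r, o = rule_oid.split("."), oid.split(".")
    return len(r) if o[:len(r)] == r else -1

def oid_decision(rules, oid):
    """rules: list of (rule_id, action, rule_oid). Longest match wins; among
    rules with the same OID the higher rule ID wins. None if nothing matches."""
    best = None
    for rule_id, action, rule_oid in rules:
        n = oid_match_len(rule_oid, oid)
        if n < 0:
            continue
        key = (n, rule_id)  # compare match length first, then rule ID
        if best is None or key > best[0]:
            best = (key, action)
    return best[1] if best else None

def command_decision(rules, command):
    """rules: list of (rule_id, action, command). The higher rule ID wins
    among conflicting command rules. None if no rule names the command."""
    matching = [(rule_id, action) for rule_id, action, cmd in rules if cmd == command]
    return max(matching)[1] if matching else None

# Rule sets taken from the examples in the guidelines above.
CMD_RULES = [(1, "permit", "ping"), (2, "permit", "tracert"), (3, "deny", "ping")]
OID_RULES_LONGEST = [(1, "permit", "1.3.6"), (2, "deny", "1.3.6.1.4.1"),
                     (3, "permit", "1.3.6.1.4")]
OID_RULES_SAME_OID = [(1, "permit", "1.3.6"), (2, "deny", "1.3.6.1.4.1"),
                      (3, "permit", "1.3.6.1.4.1")]
NODE = "1.3.6.1.4.1.25506.141.3.0.1"

if __name__ == "__main__":
    print("ping:", command_decision(CMD_RULES, "ping"))                   # deny
    print("tracert:", command_decision(CMD_RULES, "tracert"))             # permit
    print("longest match:", oid_decision(OID_RULES_LONGEST, NODE))        # deny
    print("same OID, higher ID:", oid_decision(OID_RULES_SAME_OID, NODE)) # permit
```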
Configuration procedure
To configure rules for a user role:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter user role view.
   Command: role name role-name
   Remarks: N/A
3. Configure rules.
   Command:
   • Configure a command rule:
     rule number { deny | permit } command command-string
   • Configure a feature rule:
     rule number { deny | permit } { execute | read | write } * feature [ feature-name ]
   • Configure a feature group rule:
     rule number { deny | permit } { execute | read | write } * feature-group feature-group-name
   Remarks:
   By default, a user-defined user role does not have any rules or access to any commands, XML elements, or MIB nodes.
   Repeat this step to add a maximum of 256 rules to the user role.
   IMPORTANT:
   When you configure feature rules, you can specify only features available in the system. Enter