48
Configuration restrictions and guidelines
When you configure RBAC user role rules, follow these restrictions and guidelines:
You can configure a maximum of 256 user-defined rules for a user role. The total number of
user-defined user role rules cannot exceed 1024.
Any rule modification, addition, or removal for a user role takes effect only on users who are
logged in with the user role after the change.
The following guidelines apply to non-OID rules:
If two user-defined rules of the same type conflict, the rule with the higher ID takes effect. For
example, a user role can use the tracert command but not the ping command if the user role
contains rules configured by using the following commands:
ï‚¡ rule 1 permit command ping
ï‚¡ rule 2 permit command tracert
ï‚¡ rule 3 deny command ping
For level-0 to level-14 user roles, if a predefined user role rule and a user-defined user role rule
conflict, the user-defined user role rule takes effect.
The following guidelines apply to OID rules:
The system compares an OID with the OIDs specified in user role rules, and it uses the longest
match principle to select a rule for the OID. For example, a user role cannot access the MIB
node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using
the following commands:
ï‚¡ rule 1 permit read write oid 1.3.6
ï‚¡ rule 2 deny read write oid 1.3.6.1.4.1
ï‚¡ rule 3 permit read write oid 1.3.6.1.4
If the same OID is specified in multiple rules, the rule with the higher ID takes effect. For
example, the user role can access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the
user role contains rules configured by using the following commands:
ï‚¡ rule 1 permit read write oid 1.3.6
ï‚¡ rule 2 deny read write oid 1.3.6.1.4.1
ï‚¡ rule 3 permit read write oid 1.3.6.1.4.1
Configuration procedure
To configure rules for a user role:
1. Enter system view.
system-view
N/A
2. Enter user role view.
role name
role-name
N/A
3. Configure a rule.
•
Configure a command rule:
rule number { deny | permit }
command command-string
• Configure a feature rule:
rule number { deny | permit }
{ execute | read | write } * feature
[ feature-name ]
• Configure a feature group rule:
rule number { deny | permit }
{ execute | read | write
feature-group feature-group-name
By default, a user-defined user role
does not have any rules or access to
any command
MIB nodes.
Repeat this step to add a maximum
of 256 rules to the user role.
IMPORTANT:
When you configure feature rules,
you can specify only features
available in the system. Enter
To Next Page
Loading...
Need help?
General