Administrator's Guide v4.1.1 Manual

TABLE 47  Command access rule attributes

Parameter   Description
index       A numeric identifier of the rule in the range between 1 and 512.
role        The name of the role for which the rule is defined.
command     The command for which access is defined.
operation   Optional. Defines the general access mode granted by the rule. Access can be
            read-only or read-write (default).
action      Optional. A modifier restricting the general access mode. The specified access is
            either accepted (accept) or rejected (reject). The default value is reject.
Specifying rule commands with multiple options
Commands that consist of multiple words (reflecting the command hierarchy) are written with the
words separated by spaces, as shown in the following examples.
switch(config)# rule 70 action accept operation read-write role NetworkAdmin command copy running-config
switch(config)# rule 71 action accept operation read-write role NetworkAdmin command interface management
switch(config)# rule 72 action accept operation read-write role NetworkAdmin command clear logging
NOTE
Rules cannot be added for commands that are not at the top level of the command hierarchy. For a list
of eligible commands, type the help character (?) at the command prompt.
Verifying rules for configuration commands
You can display the configuration data for a particular command by using the show running-config
command. By default, every role can access all of the show running-config commands. For
nondefault roles, even the permission to access the show running-config commands can be
modified by the authorized user (admin). To execute any configuration command, the user must have
read-write permission for the configure terminal command.
The following rules govern configuration commands:
• If a role has a rule with the read-write operation and the accept action for a configuration command,
  the user associated with this role can execute the command and read its configuration data.
• If a role has a rule with the read-only operation and the accept action for a configuration command,
  the user associated with this role can only read the configuration data of the command.
• If a role has a rule with the read-only or read-write operation and the reject action for a configuration
  command, the user associated with this role cannot execute the command but can still read its
  configuration data.
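The following Python script is an added example, not code from the guide or from Network OS. It models the rule attributes of Table 47 (index range, operation and action defaults), parses rule lines in the form shown in the examples above, and evaluates the three configuration-command rules for a given role and typed command, so that the effect of a rule set can be checked before it is applied to a switch. Two points are assumptions rather than statements from the guide: when several rules of one role overlap, the rule with the longest command wins and ties go to the lowest index; and a nondefault role with no matching rule cannot execute a command but can still read its configuration data, since show running-config is open to every role by default. The rule set, role names Operator and Auditor, and the commands checked are constructed for the example.

```python
"""Model of Network OS command-access rules (added example, not Network OS code)."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

INDEX_MIN, INDEX_MAX = 1, 512  # rule index range from Table 47


@dataclass(frozen=True)
class Rule:
    index: int
    role: str
    command: str                   # top-level command plus options, e.g. "copy running-config"
    operation: str = "read-write"  # default from Table 47
    action: str = "reject"         # default from Table 47

    def __post_init__(self) -> None:
        if not INDEX_MIN <= self.index <= INDEX_MAX:
            raise ValueError(f"rule index {self.index} outside {INDEX_MIN}..{INDEX_MAX}")
        if self.operation not in ("read-only", "read-write"):
            raise ValueError(f"unknown operation {self.operation!r}")
        if self.action not in ("accept", "reject"):
            raise ValueError(f"unknown action {self.action!r}")

    @property
    def words(self) -> Tuple[str, ...]:
        return tuple(self.command.split())


def parse_rule(line: str) -> Rule:
    """Parse 'rule <index> [action ..] [operation ..] role <role> command <words...>'.
    A leading CLI prompt such as 'switch(config)#' is ignored; everything after the
    'command' keyword is taken as the (possibly multi-word) command."""
    tokens = line.split()
    tokens = tokens[tokens.index("rule"):]
    fields = {}
    i = 2
    while i < len(tokens):
        key = tokens[i]
        if key == "command":
            fields["command"] = " ".join(tokens[i + 1:])
            break
        if key not in ("action", "operation", "role") or i + 1 >= len(tokens):
            raise ValueError(f"malformed rule near {key!r}")
        fields[key] = tokens[i + 1]
        i += 2
    if "role" not in fields or not fields.get("command"):
        raise ValueError("a rule needs both a role and a command")
    return Rule(index=int(tokens[1]), **fields)


def matching_rule(role: str, command: str, rules: Iterable[Rule]) -> Optional[Rule]:
    """Rule of this role whose command words are a prefix of the typed command.
    Assumption (not stated in the guide): when several rules overlap, the longest
    command wins and ties go to the lowest index."""
    typed = tuple(command.split())
    hits = [r for r in rules if r.role == role and typed[: len(r.words)] == r.words]
    return min(hits, key=lambda r: (-len(r.words), r.index)) if hits else None


def permissions(role: str, command: str, rules: Iterable[Rule]) -> Tuple[bool, bool]:
    """Return (can_execute, can_read) for a configuration command.

    Follows the three rules in the text: read-write + accept executes and reads,
    read-only + accept only reads, reject only reads. Execution additionally needs
    read-write access to 'configure terminal'. Assumption: a nondefault role with no
    matching rule cannot execute but can still read, since show running-config is
    open to every role by default."""
    rules = list(rules)
    gate = matching_rule(role, "configure terminal", rules)
    may_configure = gate is not None and gate.action == "accept" and gate.operation == "read-write"
    rule = matching_rule(role, command, rules)
    if rule is None or rule.action == "reject" or rule.operation == "read-only":
        return (False, True)
    return (may_configure, True)


# Constructed sample rule set; rules 70-72 are the ones shown in the text.
SAMPLE_RULES = [parse_rule(line) for line in (
    "switch(config)# rule 10 action accept operation read-write role NetworkAdmin command configure terminal",
    "switch(config)# rule 70 action accept operation read-write role NetworkAdmin command copy running-config",
    "switch(config)# rule 71 action accept operation read-write role NetworkAdmin command interface management",
    "switch(config)# rule 72 action accept operation read-write role NetworkAdmin command clear logging",
    "switch(config)# rule 20 action accept operation read-write role Operator command configure terminal",
    "switch(config)# rule 90 action reject role Operator command clear logging",
    "switch(config)# rule 95 action accept operation read-only role Auditor command interface management",
)]

if __name__ == "__main__":
    for role, cmd in (("NetworkAdmin", "interface management 1"),
                      ("Operator", "clear logging"),
                      ("Auditor", "interface management 1")):
        can_exec, can_read = permissions(role, cmd, SAMPLE_RULES)
        print(f"{role:13} {cmd!r:28} execute={can_exec} read={can_read}")
```

The evaluation makes the security-relevant point of the third rule explicit: a reject rule withholds execution, not visibility, so every case returns can_read as True; restricting what a role can see is a matter of its show running-config permission, not of reject rules on individual commands.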
272 Network OS Administrator’s Guide
53-1003225-04