R211x-HP Flexfabric 11900 Fundamentals Command Reference

You can repeat the permit interface command to add permitted interfaces to a user role interface policy.
The undo permit interface command removes the entire list of permitted interfaces if no interface is
specified.
Any change to a user role interface policy takes effect only on users who log in with the user role after the
change.
Examples
1. Permit the user role role1 to access Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/5 to
Ten-GigabitEthernet 1/0/7, and to execute all commands available in interface view and VLAN
view.
<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] rule 1 permit command system-view ; interface *
[Sysname-role-role1] rule 2 permit command system-view ; vlan *
[Sysname-role-role1] interface policy deny
[Sysname-role-role1-ifpolicy] permit interface ten-gigabitethernet 1/0/1 ten-gigabitethernet 1/0/5 to ten-gigabitethernet 1/0/7
2. Verify that you cannot use the user role to work on any interfaces but Ten-GigabitEthernet 1/0/1
and Ten-GigabitEthernet 1/0/5 to Ten-GigabitEthernet 1/0/7:
# Verify that you can enter Ten-GigabitEthernet 1/0/1 interface view.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1]
# Verify that you can assign Ten-GigabitEthernet 1/0/5 to VLAN 10. In this example, the user role
can access any VLAN because the default VLAN policy of the user role is used.
<Sysname> system-view
[Sysname] vlan 10
[Sysname-vlan10] port ten-gigabitethernet 1/0/5
# Verify that you cannot enter Ten-GigabitEthernet 1/0/2 interface view.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/2
Permission denied.
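The following offline check is an added example, not part of the HP manual or of the device software: it parses a role definition like the one in step 1 and answers the questions tested by hand in step 2. The config text layout, the function names, and the treatment of a role without interface policy deny as unrestricted are assumptions.

```python
import re

# Constructed input: role1 from step 1 as plain text; the layout is an assumption.
SAMPLE_CONFIG = """\
role name role1
 interface policy deny
  permit interface ten-gigabitethernet 1/0/1 ten-gigabitethernet 1/0/5 to ten-gigabitethernet 1/0/7
"""
IFACE = re.compile(r"([a-z-]+)\s*(\d+)/(\d+)/(\d+)", re.I)

def parse_iface(text):
    """'Ten-GigabitEthernet 1/0/5' -> ('ten-gigabitethernet', 1, 0, 5)."""
    m = IFACE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognized interface: {text!r}")
    return (m.group(1).lower(), *map(int, m.group(2, 3, 4)))

def parse_permit_list(args):
    """Turn the arguments of 'permit interface' into (start, end) ranges."""
    tok, ranges, i = args.split(), [], 0
    while i < len(tok):
        start = end = parse_iface(" ".join(tok[i:i + 2]))
        i += 2
        if i < len(tok) and tok[i].lower() == "to":
            end = parse_iface(" ".join(tok[i + 1:i + 3]))
            i += 3
            # Assumption: a range stays on one interface type, slot and subslot.
            if end[:3] != start[:3] or end[3] < start[3]:
                raise ValueError(f"bad range: {start} to {end}")
        ranges.append((start, end))
    return ranges

def load_policies(config):
    """Map role name -> permitted ranges, or None when no deny policy is set."""
    policies, role = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("role name "):
            role = line.split()[2]
            policies[role] = None      # no interface policy seen yet
        elif line == "interface policy deny" and role:
            policies[role] = []        # deny all until permits are listed
        elif line.startswith("permit interface ") and policies.get(role) is not None:
            policies[role] += parse_permit_list(line[len("permit interface "):])
    return policies

def is_permitted(policies, role, iface):
    ranges, port = policies[role], parse_iface(iface)
    # ranges is None: no deny policy, assumed default of no interface restriction
    return ranges is None or any(s[:3] == port[:3] and s[3] <= port[3] <= e[3] for s, e in ranges)
```

Because a policy change takes effect only on users who log in with the role after the change, a check like this describes what new sessions will get, not sessions that are already open.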
Related commands
display role
interface policy deny
role
permit vlan
Use permit vlan to configure a list of VLANs accessible to a user role.
Use undo permit vlan to remove the permission for a user role to access specific VLANs.
Syntax
permit vlan vlan-id-list
undo permit vlan [ vlan-id-list ]