HP MSR2000/3000/4000 Router Series Fundamentals Command Reference
command command-string: Specifies a command string. The command-string argument is a
case-sensitive string of 1 to 128 characters, including the wildcard asterisk (*), the delimiters space and
tab, and all printable characters.
execute: Specifies the execute commands of a feature or feature group. An execute command (for
example, ping) executes a specific function or program.
read: Specifies the read commands of a feature or feature group. A read command (for example, display,
dir, more, or pwd) displays configuration or maintenance information.
write: Specifies the write commands of a feature or feature group. A write command (for example, ssh
server enable) configures the system.
feature [ feature-name ]: Specifies one or all features. The feature-name argument specifies a feature
name. If you do not specify a feature name, the rule applies to all features in the system. When you
specify a feature, you must enter its name exactly as displayed by display role feature, including the case.
feature-group feature-group-name: Specifies a user-defined or pre-defined feature group. The
feature-group-name argument represents the feature group name, a case-sensitive string of 1 to 31
characters. If the feature group has not been created, the rule takes effect after the group is created. To
display the feature groups that have been created, use the display role feature-group command.
web-menu [ web-string ]: Specifies a Web menu item. The web-string argument represents the path of the
Web menu item, a case-insensitive string of 1 to 512 characters. Use the slash (/) to separate menu folder
and file names, for example, M_DEVICE/I_BASIC_INFO/I_reboot. If you do not specify any Web menu
item, the rule applies to all Web items. Web menu items are not supported in this release.
xml-element [ xml-string ]: Specifies an XML element. The xml-string argument represents the path of the
XML element, a case-insensitive string of 1 to 512 characters. Use the slash (/) to separate element folder
and file names, for example, Interfaces/Index/Name. If you do not specify any XML element, the rule
applies to all XML elements.
all: Deletes all the user role rules.
Usage guidelines
You can define the following types of rules for different access control granularities:
• Command rule—Controls access to a command or a set of commands that match a regular
expression.
• Feature rule—Controls access to the commands of a feature by command type.
• Feature group rule—Controls access to the commands of a group of features by command type.
• Web menu rule—Controls access to Web menus. Web menus are not supported in this release.
• XML element rule—Controls access to XML elements.
You can configure up to 256 rules for a user role, but the total number of user role rules in the system
cannot exceed 1024.
A user role can access the set of permitted commands specified in its rules. User role rules include
predefined (identified by sys-n) and user-defined user role rules.
• If two user-defined rules of the same type conflict, the one with the higher ID takes effect. For
example, if rule 1 permits the ping command, rule 2 permits the tracert command, and rule 3
denies the ping command, the user role can use the tracert command but not the ping command.
• If a predefined user role rule and a user-defined user role rule conflict, the user-defined user role rule
takes effect.
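The conflict rules above can be modeled offline to audit a role before it is deployed. The following Python sketch is an added example, not HP code: it covers command rules only, assumes that the asterisk matches any run of characters against the whole command line, and uses constructed predefined rules (sys-7, sys-8) that are not taken from a real device.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: int            # for a predefined rule, the n in sys-n
    permit: bool            # True = permit, False = deny
    command: str            # command-string; '*' is the wildcard
    predefined: bool = False

def _matches(pattern, cmd):
    # Assumption: '*' matches any run of characters; all other characters
    # are literal and case-sensitive, and the whole command must match.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, cmd) is not None

def effective(rules, cmd):
    """Return (allowed, deciding_rule); deciding_rule is None if nothing matches."""
    hits = [r for r in rules if _matches(r.command, cmd)]
    if not hits:
        return False, None  # only commands permitted by a rule are accessible
    # A user-defined rule overrides a conflicting predefined rule.
    user = [r for r in hits if not r.predefined]
    # Among user-defined rules the higher ID takes effect. The guide does not
    # say how predefined rules conflict with each other; the highest sys-n is
    # assumed here.
    winner = max(user or hits, key=lambda r: r.rule_id)
    return winner.permit, winner

def shadowed(rules):
    """User-defined rules that a higher-ID rule with the same string reverses."""
    user = [r for r in rules if not r.predefined]
    return [r for r in user
            if any(o.command == r.command and o.rule_id > r.rule_id
                   and o.permit != r.permit for o in user)]

# Constructed sample: rules 1-3 follow the example in the usage guidelines.
RULES = [
    Rule(1, True, "ping"),
    Rule(2, True, "tracert"),
    Rule(3, False, "ping"),
    Rule(7, True, "ping", predefined=True),
    Rule(8, True, "display *", predefined=True),
]

if __name__ == "__main__":
    for cmd in ("ping", "tracert", "display version", "reboot"):
        allowed, rule = effective(RULES, cmd)
        print(cmd, "permit" if allowed else "deny", rule)
    print("shadowed:", shadowed(RULES))
```

Rule 1 shows up as shadowed because rule 3 reverses it, which is the kind of dead entry worth removing when reviewing a role.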