rule

Creates a role-based access control (RBAC) rule that grants or denies a role permission to run a command.

Syntax

rule index [ action { accept | reject } ] [ operation { read-only | read-write } ] role role_name command command_name
no rule index

Command Default

The default for action is accept. The default for operation is read-write.

Parameters

index
Specifies a numeric identifier for the rule. Valid values range from 1 through 512.
action accept | reject
(Optional) Specifies whether the user is accepted or rejected while attempting to execute the specified command. The default value is accept.
operation read-only | read-write
(Optional) Specifies the type of operation permitted. The default value is read-write.
role role_name
Specifies the name of the role for which the rule is defined.
command command_name
Specifies the command for which access is defined. Separate commands with a space. To display a list of supported commands, type a question mark (?).

Modes

Global configuration mode

Usage Guidelines

For each role that you create, you define one or more rules. Each account is associated with one—and only one—role.

When you create a rule, the index, role, and command operands are mandatory; the action and operation operands are optional.

The maximum number of rules is 512.

When you modify a rule, all operands except index and role are optional.

Enter no rule index to remove the specified rule.

Examples

The following example creates rules enabling the NetworkSecurityAdmin role to create user accounts.

device# configure terminal
device(config)# rule 150 action accept operation read-write role NetworkSecurityAdmin command config
device(config)# rule 155 action accept operation read-write role NetworkSecurityAdmin command username

The following example deletes a rule.

device# configure terminal
device(config)# no rule 155
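The rule semantics described above (documented defaults, index range, modification with omitted operands, and removal with no rule index) replayed into a rule table for offline review of a device's configuration, as an added Python example that is not part of this reference or of any device software; the sample command lines are constructed, and it assumes that re-entering an existing index with some operands omitted keeps their current values, which the reference does not state.

```python
import re
MAX_INDEX = 512                                        # valid rule index range is 1..512
DEFAULTS = {"action": "accept", "operation": "read-write"}  # documented defaults
# 'command' is optional in the pattern only because it may be omitted when
# modifying an existing rule; creating a rule still requires it (checked below).
RULE_RE = re.compile(r"^rule (?P<index>\d+)(?: action (?P<action>accept|reject))?"
                     r"(?: operation (?P<operation>read-only|read-write))?"
                     r" role (?P<role>\S+)(?: command (?P<command>.+))?$")
NO_RULE_RE = re.compile(r"^no rule (?P<index>\d+)$")
# Constructed sample (not from a device): the reference's two rules, a rule using the defaults, a modification, a deletion.
SAMPLE_COMMANDS = [
    "rule 150 action accept operation read-write role NetworkSecurityAdmin command config",
    "rule 155 action accept operation read-write role NetworkSecurityAdmin command username",
    "rule 160 role NetworkSecurityAdmin command show",
    "rule 160 operation read-only role NetworkSecurityAdmin",
    "no rule 155",
]

def apply_rule_commands(lines, table=None):
    """Replay 'rule' / 'no rule' lines into a table keyed by index; returns
    (table, errors). Assumption (the reference does not say): re-entering an
    existing index with operands omitted keeps their current values."""
    table, errors = dict(table or {}), []
    for raw in lines:
        line = " ".join(raw.split())                   # normalise whitespace
        if not line:
            continue
        if m := NO_RULE_RE.match(line):
            table.pop(int(m["index"]), None)           # 'no rule index' removes it
            continue
        m = RULE_RE.match(line)
        idx = int(m["index"]) if m else 0
        if not 1 <= idx <= MAX_INDEX:
            errors.append(f"{raw!r}: malformed, or index outside 1..{MAX_INDEX}")
            continue
        new = {"role": m["role"]}
        for field in ("action", "operation", "command"):
            if m[field]:
                new[field] = m[field]
            elif idx in table:
                new[field] = table[idx][field]          # modify: keep existing value
            elif field in DEFAULTS:
                new[field] = DEFAULTS[field]            # create: apply default
            else:
                errors.append(f"rule {idx}: 'command' is mandatory when creating")
                break
        else:                                           # no break: rule is valid
            table[idx] = new
    return table, errors
```

Feeding the `rule` lines of a saved configuration through apply_rule_commands gives the effective action and operation per role and command, so a review can confirm that each role holds only the access it needs.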