Command-access rules

Command authorization is defined in terms of rules that you associate with a user-defined role.

Rules restrict a role to an access mode (read-only or read-write) and, beyond that, can permit or reject specified command groups or individual commands. You can associate multiple rules with a given user-defined role, but only one role with any given user account.

The following rule parameters are mandatory:
The following rule parameters are optional:
The following example creates and assigns four rules to a role named "NetworkAdmin".

device(config)# rule 70 action accept operation read-write role NetworkAdmin command configure
device(config)# rule 71 action accept operation read-write role NetworkAdmin command copy running-config
device(config)# rule 72 action accept operation read-write role NetworkAdmin command interface management
device(config)# rule 73 action accept operation read-write role NetworkAdmin command clear logging
Note

Rules cannot be added for commands that are not at the top level of the command hierarchy. For a list of eligible commands, type ? after the command keyword.
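
For a least-privilege review, the rule lines in a saved configuration can be grouped by role to show which commands each role may run with read-write access. The following Python script is an added example, not vendor code. It assumes the keyword order shown in the NetworkAdmin example and takes the read-only keyword from the access-mode wording above; the role "Auditor" and rules 80 and 81 are constructed sample data. Rules that omit action, operation or role are flagged for manual review rather than given an assumed default.

```python
import re
from collections import defaultdict

# Constructed sample: the four NetworkAdmin rules from this page plus two
# constructed rules for a hypothetical "Auditor" role.
SAMPLE_CONFIG = """\
rule 70 action accept operation read-write role NetworkAdmin command configure
rule 71 action accept operation read-write role NetworkAdmin command copy running-config
rule 72 action accept operation read-write role NetworkAdmin command interface management
rule 73 action accept operation read-write role NetworkAdmin command clear logging
rule 80 action accept operation read-only role Auditor command interface management
rule 81 action reject operation read-write role Auditor command clear logging
"""

# Optional CLI prompt, rule index, keyword/value pairs, then the command text.
RULE_RE = re.compile(
    r"^(?:\S+#\s*)?rule\s+(?P<index>\d+)"
    r"(?P<opts>(?:\s+(?:action|operation|role)\s+\S+)*)"
    r"\s+command\s+(?P<command>.+?)\s*$"
)

def parse_rules(text):
    """Return one dict per rule line; lines that are not rules are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        opts = dict(re.findall(r"(action|operation|role)\s+(\S+)", m["opts"]))
        rule = {"index": int(m["index"]), "command": m["command"]}
        rule.update({k: opts.get(k) for k in ("action", "operation", "role")})
        rules.append(rule)
    return rules

def audit(rules):
    """Group read-write accepts by role; list rule indexes that omit a field."""
    write_grants, needs_review = defaultdict(list), []
    for r in sorted(rules, key=lambda r: r["index"]):
        if None in (r["action"], r["operation"], r["role"]):
            needs_review.append(r["index"])  # no default is assumed
        elif r["action"] == "accept" and r["operation"] == "read-write":
            write_grants[r["role"]].append((r["index"], r["command"]))
    return dict(write_grants), needs_review

if __name__ == "__main__":
    grants, review = audit(parse_rules(SAMPLE_CONFIG))
    for role, items in grants.items():
        print(role, items)
    print("rules with omitted fields:", review)
```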