Rules for interface commands
Rules can be created for a specific instance of an interface-related configuration command. By default, every role has permission to read the configuration data for all interface instances using the show running-config interface command.
The following rules govern interface commands:
- If a role has a rule with a read-write operation and the accept action for only a particular instance of an interface, users associated with this role can modify the attributes of that instance only.
- If a role has a rule with a read-only operation and the accept action for only a particular instance of an interface, users associated with this role can only read (using the show running-config command) the configuration data for that instance.
- If a role has a rule with a read-write operation and the reject action for a particular instance of an interface, users associated with this role can neither configure nor read the configuration data for that interface instance.
In the following example, each rule applies only to the specified interface instance.
device(config)# rule 60 action accept operation read-write role NetworkAdmin command interface ethernet 1/4
device(config)# rule 65 action accept operation read-write role NetworkAdmin command interface port-channel 2
device(config)# rule 68 role NetworkAdmin action reject command interface ethernet 3/4
- If a role has a rule with a read-only or read-write operation and the reject action for an interface or an instance of an interface, users associated with this role cannot perform clear and show operations related to those interfaces or interface instances. To perform clear and show operations, the user's role must have at least the read-only operation with the accept action for the interface. By default, every role has read-only and accept permission for all interface instances.
In the following example, users associated with the NetworkAdmin role cannot perform clear and show operations related to any ethernet interface instance.
device(config)# rule 30 role NetworkAdmin action reject command interface ethernet
- The dot1x option under the interface instance submode can be configured only if the role has read-write and accept permission for both the dot1x command and the interface instance.
In the following example, users associated with the cfgadmin role can access and execute the dot1x command under ethernet interface instances.
device(config)# rule 16 action accept operation read-write role cfgadmin command interface ethernet
device(config)# rule 17 action accept operation read-write role cfgadmin command dot1x
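The following Python model is an added example, not Network OS code, that encodes the interface-rule semantics described above (accept versus reject, read-only versus read-write, the default read-only/accept permission on every interface instance, and the two-rule requirement for dot1x). It adds one assumption the text does not state: when several rules for a role match a command, the most specific rule (the one naming the most command tokens) wins, with the lowest rule index breaking ties. The rule set is the one shown in the examples above; the interface instances queried that do not appear in those rules (ethernet 2/1, ethernet 1/1) are constructed for the demonstration.

```python
"""Model of the interface-rule behaviour described on this page.

Constructed example, not Network OS code. It reproduces the stated
accept/reject, read-only/read-write and default-permission behaviour and
assumes that the most specific matching rule wins (not stated on the page).
"""
from dataclasses import dataclass
from typing import Iterable, Optional

READ, WRITE = "read", "write"   # show/clear are READ; configuring is WRITE


@dataclass(frozen=True)
class Rule:
    index: int
    role: str
    action: str                    # "accept" or "reject"
    command: str                   # e.g. "interface ethernet 1/4"
    operation: str = "read-write"  # assumed default when omitted, as in rule 68

    def matches(self, command: str) -> bool:
        """A rule covers its own command and every more specific command under it,
        so "interface ethernet" covers "interface ethernet 1/4"."""
        want, have = self.command.split(), command.split()
        return have[: len(want)] == want

    @property
    def specificity(self) -> int:
        return len(self.command.split())


def applicable_rule(rules: Iterable[Rule], role: str, command: str) -> Optional[Rule]:
    """Assumption: the most specific matching rule for the role wins;
    ties go to the lowest rule index."""
    candidates = [r for r in rules if r.role == role and r.matches(command)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.specificity, -r.index))


def authorize(rules: Iterable[Rule], role: str, command: str, operation: str) -> bool:
    """Decide whether `role` may perform `operation` (READ or WRITE) on `command`."""
    rule = applicable_rule(rules, role, command)
    if rule is None:
        # Default from the text: every role has read-only + accept on all interface instances.
        return operation == READ
    if rule.action == "reject":
        # A reject rule denies configuration as well as clear/show, whatever its operation.
        return False
    # Accept: reads always pass; writes need the read-write operation.
    return operation == READ or rule.operation == "read-write"


def authorize_dot1x(rules: Iterable[Rule], role: str, interface: str) -> bool:
    """dot1x under an interface instance needs read-write + accept on both the
    interface instance and the dot1x command."""
    return authorize(rules, role, interface, WRITE) and authorize(rules, role, "dot1x", WRITE)


# The rules from the examples above, as data.
RULES = [
    Rule(60, "NetworkAdmin", "accept", "interface ethernet 1/4", "read-write"),
    Rule(65, "NetworkAdmin", "accept", "interface port-channel 2", "read-write"),
    Rule(68, "NetworkAdmin", "reject", "interface ethernet 3/4"),
    Rule(16, "cfgadmin", "accept", "interface ethernet", "read-write"),
    Rule(17, "cfgadmin", "accept", "dot1x", "read-write"),
]

if __name__ == "__main__":
    for role, cmd, op in [
        ("NetworkAdmin", "interface ethernet 1/4", WRITE),   # accepted by rule 60
        ("NetworkAdmin", "interface ethernet 3/4", READ),    # rejected by rule 68
        ("NetworkAdmin", "interface ethernet 2/1", WRITE),   # default is read-only
        ("NetworkAdmin", "interface ethernet 2/1", READ),    # default read-only accept
    ]:
        print(f"{role:13} {op:5} {cmd:26} -> {authorize(RULES, role, cmd, op)}")
    print("cfgadmin dot1x on ethernet 1/1 ->", authorize_dot1x(RULES, "cfgadmin", "interface ethernet 1/1"))
```

The model makes the asymmetry in the text explicit: an accept rule with read-write grants both configuration and show/clear, an accept rule with read-only grants show/clear only, and a reject rule removes even the default read access, so a role with a reject rule on an instance cannot use show running-config for it.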