When a user executes a command, rules are searched in ascending order by index for a match, and the action of the first matching rule is applied. If none of the rules match, command execution is blocked. If there are conflicting permissions for a role in different indices, the rule with the lowest index number is applied.
As an exception, when a match is found for a rule with the read-only operation and the accept action, the system seeks to determine whether there are any rules with the read-write operation and the accept action. If such rules are found, the rule with the read-write permission is applied.
In the following example, two rules with the accept action are present, and rule 11 is applied.
device(config)# rule 9 operation read-only action accept role NetworkAdmin command aaa
device(config)# rule 11 operation read-write action accept role NetworkAdmin command aaa
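
A small model of the lookup described above, added here as an illustration and not the device's own code. It assumes a rule matches on exact role and command name, that the read-write lookup only considers rules matching the same role and command, and that a `reject` action exists as the opposite of `accept`; rules 9 and 11 are from the page, the others are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    index: int
    operation: str  # "read-only" or "read-write"
    action: str     # "accept"; "reject" is used below as the assumed opposite
    role: str
    command: str

def matches(rule: Rule, role: str, command: str) -> bool:
    # Assumption: exact match on role and command name.
    return rule.role == role and rule.command == command

def evaluate(rules, role: str, command: str) -> Optional[Rule]:
    """Return the rule that is applied, or None if the command is blocked."""
    ordered = sorted(rules, key=lambda r: r.index)
    for rule in ordered:  # ascending index, first match wins
        if not matches(rule, role, command):
            continue
        if rule.operation == "read-only" and rule.action == "accept":
            # Exception: a read-write accept rule for the same match is preferred.
            for other in ordered:
                if (matches(other, role, command)
                        and other.operation == "read-write"
                        and other.action == "accept"):
                    return other
        return rule
    return None  # no match: default is to block

RULES = [
    Rule(11, "read-write", "accept", "NetworkAdmin", "aaa"),  # from the page
    Rule(9, "read-only", "accept", "NetworkAdmin", "aaa"),    # from the page
    Rule(20, "read-only", "accept", "Operator", "aaa"),       # constructed
    Rule(5, "read-write", "reject", "Auditor", "aaa"),        # constructed
    Rule(30, "read-write", "accept", "Auditor", "aaa"),       # constructed
]

if __name__ == "__main__":
    for role in ("NetworkAdmin", "Operator", "Auditor", "Guest"):
        hit = evaluate(RULES, role, "aaa")
        print(role, "->", f"rule {hit.index} ({hit.operation}, {hit.action})" if hit else "blocked")
```

When auditing a rule set, the Auditor case is the one to check for: a low-index rule silently overrides a later accept, and only the read-only/accept case is revisited.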