
Specifying rule commands with multiple options, Verifying rules for configuration commands – Brocade Network OS Administrator’s Guide v4.1.1 User Manual


TABLE 47 Command access rule attributes

| Parameter | Description |
|---|---|
| index | A numeric identifier of the rule in the range between 1 and 512. |
| role | The name of the role for which the rule is defined. |
| command | The command for which access is defined. |
| operation | Optional. Defines the general access mode granted by the rule. Access can be read-only or read-write (default). |
| action | Optional. A modifier restricting the general access mode. The specified access is either accepted (accept) or rejected (reject). The default value is reject. |

Specifying rule commands with multiple options

Commands consisting of multiple words indicating command hierarchy are separated by a space, as
shown in the following examples.

switch(config)# rule 70 action accept operation read-write role NetworkAdmin command copy running-config

switch(config)# rule 71 action accept operation read-write role NetworkAdmin command interface management

switch(config)# rule 72 action accept operation read-write role NetworkAdmin command clear logging

NOTE
Rules cannot be added for commands that are not at the top level of the command hierarchy. For a list
of eligible commands, type the help function (?) at the command prompt.

Verifying rules for configuration commands

You can display configuration data for a particular command by using the show running-config
command. By default, every role can access all the show running-config commands. For the
nondefault roles, even the permission to access the show running-config commands can be
modified by the authorized user (admin). The user must have the read-write permission for the
configure terminal command to execute any of the configuration commands.

The following rules govern configuration commands:

• If a role has a rule with a read-write operation and the accept action for a configuration command, the user associated with this role can execute the command and read the configuration data.

• If a role has a rule with a read-only operation and the accept action for a configuration command, the user associated with this role can only read the configuration data of the command.

• If a role has a rule with a read-only or read-write operation and the reject action for a configuration command, the user associated with this role cannot execute the command and can read the configuration data of the command.
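
The three rules above, combined with the defaults from Table 47, can be applied mechanically to a list of rule lines when reviewing what each role may do with a configuration command. The following Python code is an added example, not part of the Brocade guide: the roles Auditor and Helpdesk and rules 80 and 81 are constructed, and the parser assumes keyword/value pairs in any order with command last.

```python
# Defaults and index range as given in the attribute table (Table 47).
DEFAULTS = {"operation": "read-write", "action": "reject"}
ALLOWED = {"operation": {"read-only", "read-write"}, "action": {"accept", "reject"}}

def parse_rule(line):
    """Parse one 'rule ...' line; assumes keyword/value pairs with 'command' last."""
    tokens = line.split("#", 1)[-1].split()  # drop a 'switch(config)#' prompt if present
    if len(tokens) < 2 or tokens[0] != "rule" or not tokens[1].isdigit():
        raise ValueError(f"not a rule line: {line!r}")
    rule = {"index": int(tokens[1]), **DEFAULTS}
    if not 1 <= rule["index"] <= 512:
        raise ValueError(f"index {rule['index']} outside 1-512")
    i = 2
    while i < len(tokens):
        key = tokens[i]
        if key == "command":
            rule["command"] = " ".join(tokens[i + 1:])  # multi-word hierarchy
            break
        if key not in ("role", "operation", "action") or i + 1 >= len(tokens):
            raise ValueError(f"unexpected token {key!r} in rule {rule['index']}")
        value = tokens[i + 1]
        if key in ALLOWED and value not in ALLOWED[key]:
            raise ValueError(f"invalid {key} {value!r} in rule {rule['index']}")
        rule[key] = value
        i += 2
    if not rule.get("role") or not rule.get("command"):
        raise ValueError(f"rule {rule['index']} needs both role and command")
    return rule

def config_access(rule):
    """Apply the three configuration-command rules: returns (can_execute, can_read)."""
    can_execute = rule["action"] == "accept" and rule["operation"] == "read-write"
    return can_execute, True  # every listed combination leaves read access in place

def audit(lines):
    """Return {(role, command): (can_execute, can_read)} for a list of rule lines."""
    return {(r["role"], r["command"]): config_access(r) for r in map(parse_rule, lines)}

# Constructed sample: rule 71 is from the page, rules 80 and 81 are made up.
SAMPLE = [
    "switch(config)# rule 71 action accept operation read-write role NetworkAdmin command interface management",
    "switch(config)# rule 80 action accept operation read-only role Auditor command interface management",
    "switch(config)# rule 81 role Helpdesk command interface management",
]

if __name__ == "__main__":
    for (role, command), (execute, read) in audit(SAMPLE).items():
        print(f"{role:13} {command:22} execute={execute} read={read}")
```

Rule 81 omits both optional attributes, so it is evaluated as read-write with the reject action.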


Network OS Administrator’s Guide

53-1003225-04