Specifying rule commands with multiple options, Verifying rules for configuration commands – Brocade Network OS Administrator’s Guide v4.1.1 User Manual
Page 272

TABLE 47 Command access rule attributes

Parameter    Description
index        A numeric identifier of the rule in the range between 1 and 512.
role         The name of the role for which the rule is defined.
command      The command for which access is defined.
operation    Optional. Defines the general access mode granted by the rule. Access can be read-only or read-write (default).
action       Optional. A modifier restricting the general access mode. The specified access is either accepted (accept) or rejected (reject). The default value is reject.

Specifying rule commands with multiple options
Commands consisting of multiple words indicating command hierarchy are separated by a space, as
shown in the following examples.
switch(config)# rule 70 action accept operation read-write role NetworkAdmin command copy running-config
switch(config)# rule 71 action accept operation read-write role NetworkAdmin command interface management
switch(config)# rule 72 action accept operation read-write role NetworkAdmin command clear logging
NOTE
Rules cannot be added for commands that are not at the top level of the command hierarchy. For a list
of eligible commands, use the help function (?) at the command prompt.
Verifying rules for configuration commands
You can display configuration data for a particular command by using the show running-config
command. By default, every role can access all the show running-config commands. For the
nondefault roles, even the permission to access the show running-config commands can be
modified by the authorized user (admin). The user must have the read-write permission for the
configure terminal command to execute any of the configuration commands.
The following rules govern configuration commands:
• If a role has a rule with a read-write operation and the accept action for a configuration command,
the user associated with this role can execute the command and read the configuration data.
• If a role has a rule with a read-only operation and the accept action for a configuration command,
the user associated with this role can only read the configuration data of the command.
• If a role has a rule with a read-only or read-write operation and the reject action for a configuration
command, the user associated with this role cannot execute the command but can still read the
configuration data of the command.
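
The three rules above can be checked mechanically when reviewing a switch's role configuration. The following Python sketch is an added example, not code from the Brocade guide: it parses rule lines in the syntax shown on this page and reports, per rule, whether the role can execute the command or only read its configuration data. It assumes that the optional keywords may appear in any order before command and fall back to the Table 47 defaults when omitted; it does not model default role permissions, precedence between rules, or the configure terminal prerequisite.

```python
import re

# Constructed sample rules in the syntax shown on this page (not from a real switch).
SAMPLE = """\
switch(config)# rule 70 action accept operation read-write role NetworkAdmin command copy running-config
rule 71 action accept operation read-only role NetworkAdmin command interface management
rule 72 action reject operation read-write role Auditor command clear logging
rule 73 role Auditor command interface management
"""

DEFAULTS = {"operation": "read-write", "action": "reject"}  # defaults stated in Table 47
ALLOWED = {"operation": {"read-only", "read-write"}, "action": {"accept", "reject"}}
RULE_RE = re.compile(r"\s*(?:switch\(config\)#\s*)?rule\s+(\d+)\s+(.+?)\s*$")


def parse_rule(line):
    """Parse one rule line into a dict; raise ValueError if it is malformed."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a rule line: {line!r}")
    rule = {"index": int(m.group(1)), **DEFAULTS}
    if not 1 <= rule["index"] <= 512:
        raise ValueError(f"index {rule['index']} is outside 1-512")
    tokens = m.group(2).split()
    while tokens:
        key = tokens.pop(0)
        if key == "command":  # multi-word command: the rest of the line
            rule["command"] = " ".join(tokens)
            break
        if key not in ("action", "operation", "role") or not tokens:
            raise ValueError(f"unexpected token {key!r} in rule {rule['index']}")
        rule[key] = tokens.pop(0)
        if key in ALLOWED and rule[key] not in ALLOWED[key]:
            raise ValueError(f"invalid {key} {rule[key]!r} in rule {rule['index']}")
    if not rule.get("role") or not rule.get("command"):
        raise ValueError(f"rule {rule['index']} needs both a role and a command")
    return rule


def audit(config_text):
    """Return (index, role, command, access); only read-write + accept can execute."""
    rules = [parse_rule(l) for l in config_text.splitlines() if l.strip()]
    return [(r["index"], r["role"], r["command"],
             "execute+read" if (r["operation"], r["action"]) == ("read-write", "accept")
             else "read") for r in rules]


if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Rule 73 in the sample omits both optional keywords, so it resolves to read-write with reject and grants read access only.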
Network OS Administrator’s Guide
53-1003225-04