Configuring rules for operational commands, Configuring rules for interface key-based commands – Brocade Network OS Administrator's Guide v4.1.1 User Manual

Configuring rules for operational commands

Rules can be created for specified operational commands. By default, every role can display all operational commands but cannot execute them. The show commands can be accessed by all roles.

The following rules govern operational commands:

• If a role has a rule with a read-write operation and the accept action for an operational command, the user associated with this role can execute the command.

• If a role has a rule with a read-only operation and the accept action for an operational command, the user associated with this role can access but cannot execute the command.

• If a role has a rule with a read-only or read-write operation and the reject action for an operational command, the user associated with this role can neither access nor execute the command.

Configuring rules for interface key-based commands

By default, every role has permission to read the configuration data of every interface instance using the show running-config interface interface_name rbridge-id/slot/port command.

Rules can be created for a specific instance of the interface-related configuration commands.

The following rules govern interface key-based commands:

• If a role has a rule with a read-write operation and the accept action for only a particular instance of the interface, the user associated with this role can only modify the attributes of that instance.

• If a role has a rule with a read-only operation and the accept action for only a particular instance of the interface, the user associated with this role can only read (using the show running-config command) the data related to that instance of the interface.

• If a role has a rule with a read-write operation and the reject action for only a particular instance of the interface, the user associated with this role can neither modify nor read the configuration data for that interface instance.

In the following example, the rules apply only to a particular instance of the specified interface.

switch(config)# rule 60 action accept operation read-write role NetworkAdmin command interface tengigabitethernet 1/0/4

switch(config)# rule 65 action accept operation read-write role NetworkAdmin command interface fcoe 1/0/4

switch(config)# rule 68 role NetworkAdmin action reject command interface fortygigabitethernet 1/2/4

• If a role has a rule with a read-only or read-write operation and the reject action for an interface or an instance of the interface, the user associated with this role cannot perform clear and show operations related to those interfaces or interface instances. To perform clear and show operations, the user's role must have at least the read-only operation and the accept action. By default, every role has the read-only operation and the accept action for all interface instances.

In the following example, the user associated with the NetworkAdmin role cannot perform clear and show operations related to all tengigabitethernet instances.

switch(config)# rule 30 action accept operation read-write role NetworkAdmin command interface tengigabitethernet

• If a role has a rule with a read-only or read-write operation and the reject action for interface tengigabitethernet and fcoe instances, the user associated with this role cannot perform clear and show operations related to those instances. To perform clear and show operations related to interface tengigabitethernet and fcoe instances, the user's role should have at least the read-only operation and the accept action. By default, every role has the read-only operation and the accept action for all interface instances.
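The following is an added example, not Brocade code, that evaluates the rule semantics described above for a role and a command. It assumes that a rule covers a command when the rule's command tokens are a prefix of the requested command (so a rule on interface tengigabitethernet covers every instance, and a rule on interface tengigabitethernet 1/0/4 covers one), that the most specific matching rule wins when several match, and that a rule written without an operation (like rule 68 above) behaves as read-write; none of these three points is stated by the guide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    index: int
    role: str
    action: str                      # "accept" or "reject"
    command: str                     # e.g. "interface tengigabitethernet 1/0/4"
    operation: str = "read-write"    # "read-only" or "read-write" (assumed default)


def _covers(rule_cmd: str, requested: str) -> bool:
    """A rule covers a command when its tokens are a prefix of the request (assumption)."""
    r, q = rule_cmd.split(), requested.split()
    return q[:len(r)] == r


def permission(rules, role: str, command: str):
    """Return (can_read, can_write) for `role` issuing `command`.

    For an operational command, read = display it, write = execute it.
    For an interface instance, read = show/clear it, write = modify it.
    With no matching rule the guide's default applies: read-only plus accept.
    Assumption: the most specific rule (longest command prefix) decides.
    """
    applicable = [r for r in rules if r.role == role and _covers(r.command, command)]
    if not applicable:
        return True, False                 # default: read-only and accept
    best = max(applicable, key=lambda r: len(r.command.split()))
    if best.action == "reject":
        return False, False                # neither access/show nor execute/modify
    if best.operation == "read-write":
        return True, True                  # accept + read-write: may execute/modify
    return True, False                     # accept + read-only: may only read


# Constructed rule set mirroring the guide's NetworkAdmin example.
NETWORK_ADMIN_RULES = [
    Rule(60, "NetworkAdmin", "accept", "interface tengigabitethernet 1/0/4"),
    Rule(65, "NetworkAdmin", "accept", "interface fcoe 1/0/4"),
    Rule(68, "NetworkAdmin", "reject", "interface fortygigabitethernet 1/2/4"),
]

if __name__ == "__main__":
    for cmd in ("interface tengigabitethernet 1/0/4",
                "interface tengigabitethernet 1/0/5",
                "interface fortygigabitethernet 1/2/4"):
        print(cmd, permission(NETWORK_ADMIN_RULES, "NetworkAdmin", cmd))
```

Reviewing a role's effective permissions this way, instance by instance, is a quick check that a reject rule has not been shadowed by a more specific accept rule.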

Network OS Administrator's Guide, page 273, 53-1003225-04