Configuring a placeholder rule, Configuring rule processing – Brocade Network OS Administrator’s Guide v4.1.1 User Manual
Page 274

In the following example, the user associated with the NetworkAdmin role cannot perform some of the clear and show operations related to all tengigabitethernet instances.
switch(config)# rule 30 role NetworkAdmin action reject command interface tengigabitethernet
• A rule created with the no-operation command does not enforce any authorization rules. Instead, the no-operation instance can be considered as a placeholder for a valid command that will be added later. For example:
switch(config)# rule 75 action reject operation read-write role NetworkAdmin command no-operation
switch(config)# rule 75 command firmware
• The dot1x option under the interface instance submode can only be configured if the role has the read-write and accept permissions for both the dot1x command and interface te instances. In the following example, the user associated with the CfgAdmin role can access and execute the dot1x command in the specified tengigabitethernet instance.
switch(config)# rule 16 action accept operation read-write role cfgadmin command interface tengigabitethernet
switch(config)# rule 17 action accept operation read-write role cfgadmin command dot1x
• To execute the no vlan and no spanning-tree commands under the submode of interface tengigabitethernet instances, a user must have read-write and accept permissions for both the vlan and the protocol spanning-tree commands. If a user has read-write and accept permissions for the vlan and spanning-tree commands and read-write and accept permissions for at least one interface instance, the user can perform the no vlan and no spanning-tree operations on the other interface instances for which the user has only default permissions (read-only and accept).
Configuring a placeholder rule
A rule created with the no-operation command does not enforce any authorization rules. Instead, you can use the no-operation instance as a placeholder for a valid command that is added later, as shown in the following example.
1. In privileged EXEC mode, use the configure terminal command to enter global configuration mode.
switch# configure terminal
Entering configuration mode terminal
2. Enter the rule command with the specified parameters and the no-operation keyword as a placeholder.
switch(config)# rule 75 action reject operation read-write role NetworkAdmin command no-operation
3. Enter the rule command with the specified command to replace the placeholder.
switch(config)# rule 75 command firmware
Configuring rule processing
When a user executes a command, rules are searched in ascending order by index for a match and the action of the first matching rule is applied. If none of the rules match, command execution is blocked. If there are conflicting permissions for a role in different indices, the rule with the lowest index number is applied.
As an exception, when a match is found for a rule with the read-only operation and the accept action, the system checks whether there are any rules with the read-write operation and the accept action. If such rules are found, the rule with the read-write permission is applied.
In the following example, two rules with action accept are present and rule 11 is applied.
switch(config)# rule 9 operation read-only action accept role NetworkAdmin command aaa
switch(config)# rule 11 operation read-write action accept role NetworkAdmin command aaa
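The rule-processing order described above, modelled in Python as an added example (this is not Network OS code): ascending-index first match, default block, lowest index wins on conflict, and the read-only/accept exception. Prefix matching of the command string, the never-matching no-operation placeholder, case-insensitive role names and the accept/read-write defaults for omitted keywords are assumptions.

```python
from dataclasses import dataclass

# Added model of the rule-processing order described above, not Network OS code. Assumed:
# a rule's command matches any command that starts with it, "no-operation" never matches,
# role names compare case-insensitively, omitted action/operation default to accept/read-write.

@dataclass(frozen=True)
class Rule:
    index: int
    role: str
    command: str                   # e.g. "interface tengigabitethernet"
    action: str = "accept"         # "accept" or "reject"
    operation: str = "read-write"  # "read-write" or "read-only"

def parse_rule(line):
    """Parse 'rule <n> [action A] [operation O] role R command C ...' (keyword order is free)."""
    tokens = line.replace("switch(config)#", "").split()
    head, cmd = " ".join(tokens).split(" command ", 1)  # command text is everything after 'command'
    kv = head.split()[2:]                               # 'rule <n>' followed by keyword/value pairs
    fields = {"action": "accept", "operation": "read-write", **dict(zip(kv[::2], kv[1::2]))}
    return Rule(int(tokens[1]), fields["role"], cmd, fields["action"], fields["operation"])

def matches(rule, role, command):
    if rule.role.lower() != role.lower() or rule.command == "no-operation":
        return False
    return command.split()[:len(rule.command.split())] == rule.command.split()

def evaluate(rules, role, command):
    """Return the rule whose action governs `command` for `role`; None means blocked."""
    ordered = sorted(rules, key=lambda r: r.index)  # ascending index, first match wins
    for rule in ordered:
        if not matches(rule, role, command):
            continue
        if rule.operation == "read-only" and rule.action == "accept":
            # Exception from the text: a matching read-write/accept rule takes precedence.
            for other in ordered:
                if other.action == "accept" and other.operation == "read-write" and matches(other, role, command):
                    return other
        return rule
    return None

# Constructed rule set: 9, 11, 30 and 75 are the page's examples; 40 is added to conflict with 30.
RULES = [parse_rule(l) for l in (
    "rule 9 operation read-only action accept role NetworkAdmin command aaa",
    "rule 11 operation read-write action accept role NetworkAdmin command aaa",
    "rule 30 role NetworkAdmin action reject command interface tengigabitethernet",
    "rule 40 action accept role NetworkAdmin command interface tengigabitethernet",
    "rule 75 action reject operation read-write role NetworkAdmin command no-operation",
)]
```

With this rule set, evaluate(RULES, "NetworkAdmin", "aaa") returns rule 11 even though rule 9 matches first, and rule 30 rejects the tengigabitethernet interface commands despite the later accept in rule 40.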
Network OS Administrator’s Guide
53-1003225-04