aaa authorization group


[no] aaa authorization group <GROUPNAME> <SEQ-NUM>
     match-command {command | feature | policy} {deny | permit} [log]


Assigns rules to existing roles. Rules can be permitted or denied for a specified user.



The name of the role.


When more than one rule matches the command entered, the rule with the lowest sequence number gets precedence over the other rules.


Indicates that the rule requires context level information to validate the command string following this parameter.


Indicates that it is a feature related to a command set. A feature can have the following permissions:
  • r: The read feature displays the configuration and maintenance information. For example, the display and show commands.

  • w: The write feature configures the feature in the system. For example, the ACL and the OSPF configuration commands.

  • x: The execute feature executes specific functions. For example, the ping and the copy commands.

There are 40 predefined features. Multiple features can be configured for a single role. When a feature is added to a role, the command rule entries are included automatically for all the commands for that feature.


Indicates that it is a resource policy rule. There are two resource policies: VLAN and interface.


The specified match-command is denied for the specified group.


The specified match-command is permitted for the specified group.


Generates a log message in the show logging output for the rule that is permitted or denied.
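
The sequence-number precedence described above can be modelled offline to check a rule set before it is applied. This is an added example, not code from the switch or its vendor; it assumes that match strings are compared as full-string regular expressions and that a command matching no rule is denied, neither of which is stated on this page. The group rules and sample commands are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    seq: int            # <SEQ-NUM>
    pattern: str        # match-command string (regex matching is an assumption)
    action: str         # "permit" or "deny"
    log: bool = False   # optional [log] keyword

def authorize(rules, command, default="deny"):
    """Return (action, seq, logged) for the lowest-sequence rule that matches.
    The default for unmatched commands is an assumption of this model."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if re.fullmatch(rule.pattern, command):
            return rule.action, rule.seq, rule.log
    return default, None, False

def shadowed_denies(rules, sample_commands):
    """List (command, winning_seq, shadowed_seq) where a deny rule matches
    but a permit rule with a lower sequence number takes precedence."""
    findings = []
    for cmd in sample_commands:
        action, seq, _ = authorize(rules, cmd)
        if action != "permit":
            continue
        for r in sorted(rules, key=lambda r: r.seq):
            if r.action == "deny" and r.seq > seq and re.fullmatch(r.pattern, cmd):
                findings.append((cmd, seq, r.seq))
    return findings

# Constructed rules for a hypothetical group: the broad permit at 10
# takes precedence over the narrower deny at 20.
ORIGINAL = [
    Rule(10, r"show .*", "permit"),
    Rule(20, r"show running-config", "deny", log=True),
    Rule(30, r"ping .*", "permit"),
]
# Same intent with the deny moved to a lower sequence number.
REORDERED = [
    Rule(5, r"show running-config", "deny", log=True),
    Rule(10, r"show .*", "permit"),
    Rule(30, r"ping .*", "permit"),
]
SAMPLES = ["show running-config", "show vlans", "ping 192.0.2.1"]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(name, shadowed_denies(rules, SAMPLES))
```

In the original ordering the deny at sequence 20 never applies, and because only that rule carries log, the permitted command also produces no log entry.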