Configuring feature policy

  1. Run the aaa authorization group command.
  2. Specify the group parameter.
  3. Specify the match-command parameter. You can specify one or more features.
  4. Specify the access: permit or deny.


If a command must be preceded by the execution of another command, you must first permit both commands for the command authorization group. You can then configure the rule.

In this example, the network-admin role is granted access to the "feature:rwx:ospf" feature policy. The sequence parameter is used to give order to the sequence of commands to be executed.See: example

Configuring feature rules

# aaa authorization group "network-admin" 1 match-command "command:^configure$" permit

# aaa authorization group "network-admin" 2 match-command "command:configure feature" permit log

# aaa authorization group "network-admin" 1 match-command "feature:rwx:ospf" permit log