user-group

Syntax

user-group <GROUP-NAME>

no user-group <GROUP-NAME>

Description

If <GROUP-NAME> does not exist, this command creates a local user group and then enters its context. If <GROUP-NAME> exists, this command enters the context for the specified <GROUP-NAME>. Within the <GROUP-NAME> context, several subcommands are available for working with rules that specify what CLI commands are permitted or denied for all members of the local group.

In addition to the three built-in user groups administrators, operators, and auditors, up to 29 user-defined local user groups can be defined. All users can be members of only one of the up to 32 groups.

The no form of this command deletes the specified user group. All members of the deleted group lose all command authorization privilege.

CAUTION:

Do not causally delete user-defined local user groups without understanding the implications. Although user-defined local user groups can be deleted with the respective members losing all privileges, the three built-in groups administrators, operators, and auditors are always available and their privileges are unchangeable.

Command context

config

Authority

Administrators or local user group members with execution rights for this command.

Subcommands

These subcommands are available within the user-defined local user group context (shown in the switch prompt as config-usr-grp-<GROUP-NAME>).

[<SEQ-NUM>] {permit | deny} cli command "<REGEX>"
no <SEQ-NUM>

Defines a CLI command privilege permit or deny rule. There is an implicit "deny .*" rule at the end of every user-defined group rule list. Members of a user-defined group without any permit rules have no CLI command privileges.

The no form of this subcommand deletes the specified (by sequence number) rule from the group.

NOTE:

Rule evaluation proceeds from lowest to highest sequence number until the first successful match, resulting in either CLI command permission or denial. Rule evaluation ceases upon first match. Therefore, rules for related CLI commands must be defined in most restrictive to least restrictive order.

<SEQ-NUM>

Specifies the CLI command rule sequence number. When omitted, a sequence number that is 10 greater the highest existing sequence number is auto-assigned. When no rules exist, the first auto-assigned sequence number is 10.

{permit | deny}
Sets the rule type as either permit or deny. Rule order is important. For example, these two related rules together authorize all show commands except for the show aaa commands.
switch(config-usr-grp-admuser2)#10 deny cli command "show aaa .*"
switch(config-usr-grp-admuser2)#20 permit cli command "show .*"
To achieve the wanted effect in this example, the deny rule must precede the permit rule. These two rules together achieve the following:
  • All show aaa commands match on rule 10, triggering command denial, and the immediate cessation of further rule evaluation. Matching on rule 20 is never attempted.

  • All other show commands (excluding show aaa commands) match on rule 20 and are therefore permitted.

<REGEX>

Specifies the CLI command matching criteria of the rule. The criteria can be expressed as ".*" which matches all commands. Otherwise, the criteria is expressed as a POSIX-compliant regular expression (regex) string starting with an exact match command token (for example show) followed by a regex representing command arguments. The first word must be a string that contains only alphanumeric or hyphen characters.

For example, to allow all commands starting with the word interface, the regex must be "interface .*" or just "interface". Using "interface.*" (without the space) is not supported. For example, "show .*" matches every show command. Consult the Extended regular expression information available at: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html#tag_09_04.

Sample matching criteria Sample matched CLI command or specifier Matches
show .* show accounting log All show commands
bgp .* bgp router-id 1.1.1.1 All bgp commands
interface .* interface 1/1/1 All interface specifiers
vlan (3|4) vlan 3 VLAN 3 or 4
vlan [1-9] vlan 5 A single VLAN in the range 1 to 9
vlan ([1-9]|1[0-9]) vlan 19 A single VLAN in the range 1 to 19
[<SEQ-NUM>] comment <TEXT-STRING>
no <SEQ-NUM> comment

Adds a comment to an existing rule. The no form of this subcommand removes an existing comment.

switch(config-usr-grp-admuser2)# 10 comment Deny all show aaa commands.
switch(config-usr-grp-admuser2)# 20 comment Permit all other show commands.
switch(config-usr-grp-admuser2)#
switch(config-usr-grp-admuser2)# show running-config current-context 
user-group admuser2
    10 comment Deny all show aaa commands.
    10 deny cli command "show aaa .*"
    20 comment Permit all other show commands.
    20 permit cli command "show .*"
include <GROUP-NAME>
[no] include <GROUP-NAME>

Include all rules from the specified user-defined <GROUP-NAME>. Only one group can be included in the definition of another group. The content of the included group is effectively placed at the top of the rules list in the current group. If the specified <GROUP-NAME> does not exist, it is created.

The no form of this subcommand removes the specified included group from the current group. The specified included group must exist and must be included in the current group or else an error message is shown.

The name of the included group is shown at the top of the show user-group command for the group with the include.

In this example, group admuser1 is included in group admuser2. So the admuser1 rules are evaluated first and then the rules in the admuser2 group are only evaluated if no CLI command match occurs for the rules in group admuser1.
switch(config-usr-grp-admuser2)# include admuser1
switch(config-usr-grp-admuser2)# show user-group admuser2
User Group Summary
==================
Name            : admuser2
Type            : configuration
Included Group  : admuser1
Number of Rules : 2
User Group Rules
================
SEQUENCE NUM  ACTION     COMMAND                       COMMENT
------------- ---------- ----------------------------- --------------------------------
10            deny       show aaa .*                   Deny all show aaa commands.
20            permit     show .*                       Permit all other show commands.
resequence [<STARTING-SEQ-NUM> <INCREMENT>]
Resequences the CLI command authorization rules. When entered without the optional parameters the rules are resequenced with a <STARTING-SEQ-NUM> of 10 and an <INCREMENT> of 10.
<STARTING-SEQ-NUM>

Specifies the starting sequence number.

<INCREMENT>

Specifies the sequence number increment.

Resequencing the rules to start at 100 with an increment of 20:

switch(config-usr-grp-admuser2)# resequence 100 20
switch(config-usr-grp-admuser2)# show running-config current-context 
user-group admuser2
    100 comment Deny all show aaa commands.
    100 deny cli command "show aaa .*"
    120 comment Permit all other show commands.
    120 permit cli command "show .*"

Resequencing the rules to the default of starting at 10 with an increment of 10:

switch(config-usr-grp-admuser2)# resequence
switch(config-usr-grp-admuser2)# show running-config current-context
user-group admuser2
    10 comment Deny all show aaa commands.
    10 deny cli command "show aaa .*"
    20 comment Permit all other show commands.
    20 permit cli command "show .*"
show running-config current-context
Shows all the commands used to configure the rules in the current group context.
switch(config-usr-grp-admuser2)# show running-config current-context 
user-group admuser2
    10 comment Deny all show aaa commands.
    10 deny cli command "show aaa .*"
    20 comment Permit all other show commands.
    20 permit cli command "show .*"
list
List the subcommands available within the user-defined group context.
exit
Exits the user-defined group context.
end
Exits the user-defined group context and then the config context.