interface policy deny

Use interface policy deny to enter user role interface policy view.

Use undo interface policy deny to restore the default user role interface policy.

Syntax

interface policy deny

undo interface policy deny

Default

A user role has access to all interfaces.

Views

User role view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

To restrict the interface access of a user role to a set of interfaces, perform the following tasks:

  1. Use interface policy deny to enter user role interface policy view.

  2. Use permit interface to specify accessible interfaces.


    NOTE:

    The interface policy deny command denies the access of the user role to all interfaces if the permit interface command is not configured.


To configure an interface, make sure the interface is permitted by the user role interface policy in use. You can perform the following tasks on an accessible interface:

The create and remove operations are available only for logical interfaces.

Any change to a user role interface policy takes effect only on users who log in with the user role after the change.

Examples

# Enter user role interface policy view of role1, and deny the user role role1 access to all interfaces.

<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] interface policy deny
[Sysname-role-role1-ifpolicy] quit

# Enter user role interface policy view of role1, and deny the user role role1 access to all interfaces except FortyGigE 1/0/1 to FortyGigE 1/0/5.

<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] interface policy deny
[Sysname-role-role1-ifpolicy] permit interface fortygige 1/0/1 to fortygige 1/0/5
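
# Added example, not part of the original command reference: a Python check that classifies each user role in a configuration text by the rules described above (no interface policy means access to all interfaces; interface policy deny without permit interface means access to none). The sample configuration, its indented layout, and the helper name audit_interface_policies are assumptions made for illustration.

```python
import re

# Constructed sample, not taken from a device. Assumed layout: each role is a
# "role name <name>" line followed by indented child lines, "#" between blocks.
SAMPLE_CONFIG = """\
role name role1
 interface policy deny
  permit interface fortygige 1/0/1 to fortygige 1/0/5
#
role name role2
 interface policy deny
#
role name role3
 description operators
#
"""

def audit_interface_policies(config_text):
    """Map each role to (scope, permits); scope is 'all', 'none' or 'restricted'."""
    roles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # Unindented line: either a new role block or the end of one.
            m = re.fullmatch(r"role name (\S+)", line)
            current = m.group(1) if m else None
            if current:
                roles[current] = {"deny": False, "permits": []}
        elif current and line == "interface policy deny":
            roles[current]["deny"] = True
        elif current and line.startswith("permit interface "):
            roles[current]["permits"].append(line[len("permit interface "):])
    result = {}
    for name, state in roles.items():
        if not state["deny"]:
            result[name] = ("all", [])         # default: access to all interfaces
        elif not state["permits"]:
            result[name] = ("none", [])        # deny with no permit: no interfaces
        else:
            result[name] = ("restricted", state["permits"])
    return result

if __name__ == "__main__":
    for role, (scope, permits) in audit_interface_policies(SAMPLE_CONFIG).items():
        print(f"{role}: {scope} {permits}")
```

Roles reported as "all" still have the default access to every interface; roles reported as "none" cannot configure any interface until permit interface is added.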

Related commands

display role

permit interface

role