rule
Use rule to create or change a user role rule for controlling access to commands, XML elements, or MIB nodes.
Use undo rule to delete a user role rule.
Syntax
rule number { deny | permit } { command command-string | { execute | read | write } * { feature [ feature-name ] | feature-group feature-group-name | oid oid-string | xml-element [ xml-string ] } }
undo rule { number | all }
Default
A user-defined user role does not have any rules and cannot use any command, XML element, or MIB node.
Views
User role view
Predefined user roles
network-admin
mdc-admin
Parameters
number: Specifies a rule number in the range of 1 to 256.
deny: Denies access to any specified command, XML element, or MIB node.
permit: Permits access to any specified command, XML element, or MIB node.
command command-string: Specifies a command string. The command-string argument is a case-sensitive string of 1 to 128 characters, including the following characters:
The wildcard asterisk (*).
The delimiters space and tab.
All printable characters.
execute: Specifies the execute commands, XML elements, or MIB nodes. An execute command (for example, ping), XML element, or MIB node executes a specific function or program.
read: Specifies the read commands, XML elements, or MIB nodes. A read command (for example, display, dir, more, or pwd), XML element, or MIB node displays configuration or maintenance information.
write: Specifies the write commands, XML elements, or MIB nodes. A write command (for example, ssh server enable), XML element, or MIB node configures the system.
feature [ feature-name ]: Specifies one or all features. The feature-name argument specifies a feature name. If you do not specify a feature name, you specify all the features in the system. When you specify a feature, you must enter the feature name as the name is displayed by display role feature, including the case.
feature-group feature-group-name: Specifies a user-defined or predefined feature group. The feature-group-name argument represents the feature group name, a case-sensitive string of 1 to 31 characters. If the feature group has not been created, the rule takes effect after the group is created. To display the feature groups that have been created, use the display role feature-group command.
oid oid-string: Specifies an OID of a MIB node. The oid-string argument represents the OID, a case-insensitive string of 1 to 512 characters. The OID is a dotted numeric string that uniquely identifies the path from the root node to this node. For example, 1.3.6.1.4.1.25506.8.35.14.19.1.1.
xml-element [ xml-string ]: Specifies an XML element. The xml-string argument represents the XPath of the XML element, a case-insensitive string of 1 to 512 characters. Use the forward slash (/) to separate Xpath items, for example, Interfaces/Index/Name. If you do not specify an XML element, the rule applies to all XML elements.
all: Deletes all the user role rules.
Usage guidelines
You can define the following types of rules for different access control granularities:
Command rule—Controls access to a command or a set of commands that match a regular expression.
Feature rule—Controls access to the commands of a feature by command type.
Feature group rule—Controls access to the commands of a group of features by command type.
XML element rule—Controls access to XML elements by element type.
OID rule—Controls access to the specified MIB node and its child nodes by node type.
A user role can access the set of permitted commands, XML elements, and MIB nodes specified in the user role rules. User role rules include predefined (identified by sys-n) and user-defined rules.
The following guidelines apply to non-OID rules:
If two user-defined rules of the same type conflict, the rule with the higher ID takes effect. For example, a user role can use the tracert command but not the ping command if the user role contains rules configured by using the following commands:
rule 1 permit command ping
rule 2 permit command tracert
rule 3 deny command ping
If a predefined user role rule and a user-defined user role rule conflict, the user-defined user role rule takes effect.
The following guidelines apply to OID rules:
The system compares an OID with the OIDs specified in rules, and it uses the longest match principle to select a rule for the OID. For example, a user role cannot access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:
rule 1 permit read write oid 1.3.6
rule 2 deny read write oid 1.3.6.1.4.1
rule 3 permit read write oid 1.3.6.1.4
If the same OID is specified in multiple rules, the rule with the higher ID takes effect. For example, a user role can access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:
rule 1 permit read write oid 1.3.6
rule 2 deny read write oid 1.3.6.1.4.1
rule 3 permit read write oid 1.3.6.1.4.1
You can configure a maximum of 256 user-defined rules for a user role. The total number of user-defined user role rules cannot exceed 1024.
Any rule modification, addition, or removal for a user role takes effect only on the users who log in with the user role after the change.
Access to the file system commands is controlled by both the file system command rules and the file system feature rule.
A command with output redirection to the file system is permitted only when the command type write is assigned to the file system feature.
When you specify a command string, follow the guidelines in Table 9.
Table 9: Command string configuration rules
Rule | Guidelines |
|---|---|
Semicolon (;) is the delimiter. | Use a semicolon to separate the command of each view that you must enter before you access a command or a set of commands. However, do not use a semicolon to separate commands available in user view or any view, for example, display and dir. Each semicolon-separated segment must have a minimum of one printable character. To specify the commands in a view but not the commands in the view's subviews, use a semicolon as the last printable character in the last segment. To specify the commands in a view and the view's subviews, the last printable character in the last segment must not be a semicolon. For example, you must enter system view before you enter interface view. To specify all commands starting with ip in any interface view, you must use the "system ; interface * ; ip * ;" command string. For another example, the "system ; radius scheme * ;" command string represents all the commands that start with radius scheme in system view. The "system ; radius scheme *" command string represents all the commands that start with radius scheme in system view and all the commands in RADIUS scheme view. |
Asterisk (*) is the wildcard. | An asterisk represents zero or multiple characters. In a non-last segment, you can use an asterisk only at the end of the segment. In the last segment, you can use an asterisk in any position of the segment. If the asterisk appears at the beginning, you cannot specify any printable characters behind the asterisk. For example, the "system ; *" command string represents all commands available in system view and all subviews of the system view. The "debugging * event" command string represents all event debugging commands available in user view. |
Keyword abbreviation is allowed. | You can specify a keyword by entering the first few characters of the keyword. Any command that starts with this character string matches the rule. For example, "rule 1 deny command dis arp source *" denies access to the commands display arp source-mac interface and display arp source-suppression. |
To control the access to a command, you must specify the command immediately after the view that has the command. | To control access to a command, you must specify the command immediately behind the view to which the command is assigned. The rules that control command access for any subview do not apply to the command. For example, the "rule 1 deny command system ; interface * ; *" command string disables access to any command that is assigned to interface view. However, you can still execute the acl number command in interface view, because this command is assigned to system view rather than interface view. To disable access to this command, use "rule 1 deny command system ; acl *;". |
Do not include the vertical bar (|), greater-than sign (>), or double greater-than sign (>>) when you specify display commands in a user role command rule. | The system does not treat the redirect signs and the parameters that follow the signs as part of command lines. However, in user role command rules, these redirect signs and parameters are handled as part of command lines. As a result, no rule that includes any of these signs can find a match. For example, "rule 1 permit command display debugging > log" can never find a match. This is because the system has a display debugging command but not a display debugging > log command. |
Examples
# Permit user role role1 to execute the display acl command.
<Sysname> system-view [Sysname] role name role1 [Sysname-role-role1] rule 1 permit command display acl
# Permit user role role1 to execute all commands that start with display.
[Sysname-role-role1] rule 2 permit command display *
# Permit user role role1 to execute the radius scheme aaa command in system view and use all commands assigned to RADIUS scheme view.
[Sysname-role-role1] rule 3 permit command system ; radius scheme aaa
# Deny the access of role1 to all read or write commands of all features.
[Sysname-role-role1] rule 4 deny read write feature
# Deny the access of role1 to all read commands of the aaa feature.
[Sysname-role-role1] rule 5 deny read feature aaa
# Permit role1 to access all read, write, and execute commands of feature group security-features.
[Sysname-role-role1] rule 6 permit read write execute feature-group security-features
# Permit role1 to access all read and write MIB nodes starting from the node with OID 1.1.2.
[Sysname-role-role1] rule 7 permit read write oid 1.1.2
Related commands
display role
display role feature
display role feature-group
role