Configuration restrictions and guidelines
When you configure RBAC user role rules, follow these restrictions and guidelines:
Only the network-admin and level-15 user roles have access to the following commands:
The display history-command all command.
All commands that start with the display role, reboot, and startup saved-configuration keywords.
All commands that start with the role, undo role, super, undo super, password-recovery, and undo password-recovery keywords in system view.
Commands for creating SNMP communities, users, and groups in system view: snmp-agent community, snmp-agent usm-user, and snmp-agent group.
All commands that start with the user-role, undo user-role, authentication-mode, undo authentication-mode, set authentication password, and undo set authentication password keywords in user line view or user line class view.
All commands that start with the user-role and undo user-role keywords in schedule view or in CLI-defined policy view.
All commands of the event MIB feature.
You can configure a maximum of 256 user-defined rules for a user role. The total number of user-defined user role rules cannot exceed 1024.
Any rule modification, addition, or removal for a user role takes effect only on users that log in with the user role after the change. Users who are already logged in with the user role keep the rule set they logged in with until they log in again, so a deny rule added to revoke a capability does not affect a running session.
The following guidelines apply to non-OID rules:
If two user-defined rules of the same type conflict, the rule with the higher ID takes effect, regardless of the order in which the rules were configured. For example, a user role can use the tracert command but not the ping command if the user role contains rules configured by using the following commands:
rule 1 permit command ping
rule 2 permit command tracert
rule 3 deny command ping
Rule 1 and rule 3 both match the ping command; rule 3 has the higher ID, so its deny action applies.
If a predefined user role rule and a user-defined user role rule conflict, the user-defined user role rule takes effect.
The following guidelines apply to OID rules:
The system compares an OID with the OIDs specified in user role rules, and it uses the longest match principle to select a rule for the OID: the rule whose OID matches the most leading sub-identifiers of the accessed OID takes effect. For example, a user role cannot access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:
rule 1 permit read write oid 1.3.6
rule 2 deny read write oid 1.3.6.1.4.1
rule 3 permit read write oid 1.3.6.1.4
All three rules match the OID, but rule 2 matches the most sub-identifiers, so its deny action applies even though rule 3 has a higher ID.
If the same OID is specified in multiple rules, the rule with the higher ID takes effect. For example, a user role can access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:
rule 1 permit read write oid 1.3.6
rule 2 deny read write oid 1.3.6.1.4.1
rule 3 permit read write oid 1.3.6.1.4.1
Rule 2 and rule 3 are equally long matches, so the rule ID decides, and rule 3 permits access.
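To make the precedence guidelines above concrete, the following Python script (an added example written for this page, not code from the device or its vendor) models how a user role's rules are resolved: conflicting non-OID rules are decided by the higher rule ID, a user-defined rule beats a predefined one, and OID rules are decided by longest prefix match and then by higher rule ID. The rule sets are the three examples from this page, fed through a small parser for the rule command forms shown. The parser, the class names, the keyword-prefix matching of command rules, and the deny result when no rule matches are assumptions of this model, not documented device behavior.

```python
from dataclasses import dataclass
from typing import Iterable, Union

ACCESS_TYPES = {"read", "write", "execute"}


@dataclass(frozen=True)
class CommandRule:
    """Non-OID rule, e.g. `rule 3 deny command ping`."""
    rule_id: int
    action: str               # "permit" or "deny"
    command: str              # command keywords the rule covers
    predefined: bool = False  # True for a rule that belongs to a predefined user role


@dataclass(frozen=True)
class OidRule:
    """OID rule, e.g. `rule 2 deny read write oid 1.3.6.1.4.1`."""
    rule_id: int
    action: str
    oid: str           # dotted OID prefix the rule covers
    access: frozenset  # access types named in the rule, a subset of ACCESS_TYPES


def parse_rule(line: str, predefined: bool = False) -> Union[CommandRule, OidRule]:
    """Parse the page's two rule forms: `command <keywords>` and `{read|write|execute}... oid <prefix>`."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "rule" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule syntax: {line!r}")
    rule_id, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if rest[0] == "command":
        return CommandRule(rule_id, action, " ".join(rest[1:]), predefined)
    if "oid" in rest and rest.index("oid") == len(rest) - 2:
        access = frozenset(rest[:rest.index("oid")])
        if access and access <= ACCESS_TYPES:
            return OidRule(rule_id, action, rest[-1], access)
    raise ValueError(f"unsupported rule syntax: {line!r}")


def _keywords_match(rule_command: str, command: str) -> bool:
    # Model assumption: a command rule matches a command line that begins with the rule's
    # keywords as whole words, so "ping" matches "ping 10.0.0.1" but not "ping6 ::1".
    rule_kw, cmd_kw = rule_command.split(), command.split()
    return cmd_kw[:len(rule_kw)] == rule_kw


def command_allowed(rules: Iterable[CommandRule], command: str) -> bool:
    """Resolve a command against non-OID rules using the page's two guidelines."""
    matching = [r for r in rules if _keywords_match(r.command, command)]
    # A user-defined rule takes effect over a conflicting predefined rule.
    user_defined = [r for r in matching if not r.predefined]
    candidates = user_defined or matching
    if not candidates:
        return False  # model assumption: no matching rule means no access
    # Among conflicting rules of the same type, the rule with the higher ID takes effect.
    return max(candidates, key=lambda r: r.rule_id).action == "permit"


def oid_allowed(rules: Iterable[OidRule], oid: str, access: str = "read") -> bool:
    """Resolve an OID access against OID rules: longest match first, then higher rule ID."""
    target = oid.split(".")  # compare per sub-identifier, so 1.3.6.1.4.1 does not match 1.3.6.1.4.10
    best, best_len = [], -1
    for r in rules:
        prefix = r.oid.split(".")
        if access not in r.access or target[:len(prefix)] != prefix:
            continue
        if len(prefix) > best_len:     # a longer matching prefix wins outright
            best, best_len = [r], len(prefix)
        elif len(prefix) == best_len:  # same prefix length: decided by rule ID below
            best.append(r)
    if not best:
        return False  # model assumption: no matching rule means no access
    return max(best, key=lambda r: r.rule_id).action == "permit"


# The three rule sets from the page, fed through the parser above.
NON_OID_RULES = [parse_rule(line) for line in (
    "rule 1 permit command ping",
    "rule 2 permit command tracert",
    "rule 3 deny command ping",
)]
LONGEST_MATCH_RULES = [parse_rule(line) for line in (
    "rule 1 permit read write oid 1.3.6",
    "rule 2 deny read write oid 1.3.6.1.4.1",
    "rule 3 permit read write oid 1.3.6.1.4",
)]
SAME_OID_RULES = [parse_rule(line) for line in (
    "rule 1 permit read write oid 1.3.6",
    "rule 2 deny read write oid 1.3.6.1.4.1",
    "rule 3 permit read write oid 1.3.6.1.4.1",
)]
MIB_NODE = "1.3.6.1.4.1.25506.141.3.0.1"


def page_examples() -> dict:
    """Evaluate the page's examples; True means permit, False means deny."""
    return {
        "ping (rule 3 outranks rule 1)": command_allowed(NON_OID_RULES, "ping 10.0.0.1"),
        "tracert (rule 2 only)": command_allowed(NON_OID_RULES, "tracert 10.0.0.1"),
        "MIB node, longest match": oid_allowed(LONGEST_MATCH_RULES, MIB_NODE, "write"),
        "MIB node, same OID twice": oid_allowed(SAME_OID_RULES, MIB_NODE, "write"),
    }


if __name__ == "__main__":
    for case, allowed in page_examples().items():
        print(f"{case}: {'permit' if allowed else 'deny'}")
```

Running the script prints deny, permit, deny, permit for the four cases, matching the page. The last two rule sets differ only in rule 3's OID, and the result flips from deny to permit purely because rule 3 has the higher ID once it is an equally long match; checking a candidate rule set this way before committing it catches the common mistake of adding a deny with a lower ID than an existing permit and expecting it to win.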