Configuration restrictions and guidelines
When you configure RBAC user role rules, follow these restrictions and guidelines:
You can configure up to 256 user-defined rules for a user role. The total number of user-defined user role rules cannot exceed 1024.
Any rule modification, addition, or removal for a user role takes effect only on users who are logged in with the user role after the change.
The following guidelines apply to non-OID rules:
If two user-defined rules of the same type conflict, the rule with the higher ID takes effect. For example, the user role can use the tracert command but not the ping command if the user role contains rules configured by using the following commands:
rule 1 permit command ping
rule 2 permit command tracert
rule 3 deny command ping
For level-0 to level-14 user roles, if a predefined user role rule and a user-defined user role rule conflict, the user-defined user role rule takes effect.
The following guidelines apply to OID rules:
The system compares an OID with the OIDs specified in user role rules, and it uses the longest match principle to select a rule for the OID. For example, a user role cannot access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:
rule 1 permit read write oid 1.3.6
rule 2 deny read write oid 1.3.6.1.4.1
rule 3 permit read write oid 1.3.6.1.4
If the same OID is specified in multiple rules, the rule with the higher ID takes effect. For example, the user role can access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:
rule 1 permit read write oid 1.3.6
rule 2 deny read write oid 1.3.6.1.4.1
rule 3 permit read write oid 1.3.6.1.4.1
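The two conflict-resolution principles described above (highest rule ID wins among same-type command rules; longest OID match first, then highest rule ID) can be checked against the page's own rule sets with a small model. The following is an added example, not vendor code: it parses the rule lines exactly as they appear above, matches command rules by exact command name only, compares OIDs component by component (so 1.3.6.1.4.1 is not treated as a prefix of 1.3.6.1.4.10), and assumes, since the page does not say, that a request matching no rule is denied.

```python
"""Model of the RBAC rule-conflict guidelines (constructed example, not vendor code).

Modelled behaviour, taken from the text:
  - command rules: among rules naming the requested command, the highest rule ID decides;
  - OID rules: the rule whose OID is the longest component-wise prefix of the requested
    OID decides; if several rules carry that same OID, the highest rule ID decides.
Assumption not stated on the page: a request that matches no rule is denied.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class CommandRule:
    rule_id: int
    action: str      # "permit" or "deny"
    command: str     # exact command name, e.g. "ping" (simplification: no wildcards)


@dataclass(frozen=True)
class OidRule:
    rule_id: int
    action: str      # "permit" or "deny"
    oid: str         # dotted OID prefix, e.g. "1.3.6.1.4.1"


Rule = Union[CommandRule, OidRule]


def parse_rule(line: str) -> Rule:
    """Parse a 'rule <id> permit|deny command <cmd>' or '... oid <oid>' line."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    rule_id, action = int(parts[1]), parts[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    if parts[3] == "command":
        return CommandRule(rule_id, action, " ".join(parts[4:]))
    if "oid" in parts:
        return OidRule(rule_id, action, parts[parts.index("oid") + 1])
    raise ValueError(f"unsupported rule form: {line!r}")


def resolve_command(rules: List[Rule], command: str) -> str:
    """Highest rule ID among command rules naming this command decides."""
    matching = [r for r in rules if isinstance(r, CommandRule) and r.command == command]
    if not matching:
        return "deny"  # assumption: no matching rule means no access
    return max(matching, key=lambda r: r.rule_id).action


def _components(oid: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in oid.split("."))


def _is_prefix(rule_oid: Tuple[int, ...], target: Tuple[int, ...]) -> bool:
    # Component-wise prefix test: string prefix testing would wrongly match
    # 1.3.6.1.4.1 against 1.3.6.1.4.10.
    return len(rule_oid) <= len(target) and target[: len(rule_oid)] == rule_oid


def resolve_oid(rules: List[Rule], oid: str) -> str:
    """Longest component-wise OID prefix wins; equal length -> highest rule ID."""
    target = _components(oid)
    matching = [r for r in rules
                if isinstance(r, OidRule) and _is_prefix(_components(r.oid), target)]
    if not matching:
        return "deny"  # assumption: no matching rule means no access
    best = max(matching, key=lambda r: (len(_components(r.oid)), r.rule_id))
    return best.action


# The three rule sets from the page, verbatim.
COMMAND_RULES = [parse_rule(l) for l in (
    "rule 1 permit command ping",
    "rule 2 permit command tracert",
    "rule 3 deny command ping",
)]
OID_RULES_LONGEST_MATCH = [parse_rule(l) for l in (
    "rule 1 permit read write oid 1.3.6",
    "rule 2 deny read write oid 1.3.6.1.4.1",
    "rule 3 permit read write oid 1.3.6.1.4",
)]
OID_RULES_SAME_OID = [parse_rule(l) for l in (
    "rule 1 permit read write oid 1.3.6",
    "rule 2 deny read write oid 1.3.6.1.4.1",
    "rule 3 permit read write oid 1.3.6.1.4.1",
)]
MIB_NODE = "1.3.6.1.4.1.25506.141.3.0.1"


def evaluate_page_examples() -> dict:
    """Return the outcome of each example from the text."""
    return {
        "ping": resolve_command(COMMAND_RULES, "ping"),          # deny (rule 3 > rule 1)
        "tracert": resolve_command(COMMAND_RULES, "tracert"),    # permit
        "longest_match": resolve_oid(OID_RULES_LONGEST_MATCH, MIB_NODE),  # deny (rule 2)
        "same_oid": resolve_oid(OID_RULES_SAME_OID, MIB_NODE),            # permit (rule 3)
    }


if __name__ == "__main__":
    for name, outcome in evaluate_page_examples().items():
        print(f"{name}: {outcome}")
```

Running the module prints deny for ping, permit for tracert, deny for the first OID rule set and permit for the second, matching the text. The component-wise comparison in `_is_prefix` is the detail worth keeping when auditing OID rules: a deny on 1.3.6.1.4.1 does not cover sibling subtrees such as 1.3.6.1.4.10, so a review that compares OID strings textually will misjudge which rule applies.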