Rules

RBAC supports a maximum of 1000 rules per role. With RBAC, you can restrict a user's access to a limited set of VLANs, interfaces, features, and commands by assigning rules to the user's role.

When a user logs in to the system, the user's role and its rules are mapped into the session data structure, as shown in the figure RBAC rule mapping based on role per session.

RBAC rule mapping based on role per session

There are four types of rules: command rules, feature rules, VLAN policy rules, and interface policy rules.


Command rules

A command rule specifies the absolute command path, including the command context, that is checked when a command is validated. Command rules are applied per user session.

The command parameter must contain the command context, with the levels separated by a ; delimiter. For example, the command string that represents configuring an IP address on any VLAN is as follows:

"configure;vlan;ip address"


NOTE: The command strings are not validated. You must provide a valid command string.


Feature rules

A feature rule grants access to a feature, which is a predefined set of related commands. There are 40 predefined features. Each feature can have read, write, and execute privileges. You can configure multiple features for a single role. When you add a feature to a role, the command rule entries for all the commands associated with that feature are included automatically.

A feature can have the following permissions:

  • r: The read permission displays configuration and maintenance information, for example, the display and show commands.

  • w: The write permission configures the feature on the system, for example, the ACL and OSPF configuration commands.

  • x: The execute permission runs specific functions, for example, the ping and copy commands.


VLAN policy rules

To configure a VLAN policy rule, set the policy parameter to vlan. Only one VLAN policy rule is allowed per role. The opposite action is applied to all other VLAN IDs. For example, the policy rule “policy:vlan:2-4” permit gives the user access to VLANs 2 to 4 only and denies access to the rest of the VLANs on the system.

If you configure multiple VLAN policy rules, only the last entry takes effect. All other VLAN policy rules are ignored.


NOTE: By default, VLAN policy rules allow all commands.


Interface policy rules

To configure an interface policy rule, set the policy parameter to interface. Only one interface policy rule is allowed per role. The opposite action is applied to all other interface IDs. For example, the policy rule “policy:interface:A2-A4” deny denies the user access to interfaces A2 to A4 only and permits access to the rest of the interfaces on the system.

If you configure multiple interface policy rules, only the last entry takes effect. All other interface policy rules are ignored.
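The following added example (not part of this documentation or the switch firmware) models how the command, VLAN policy and interface policy rules described above are evaluated: an exact match on the full command path, one policy rule per kind with the opposite action applied to every ID outside the range, and a later policy rule replacing an earlier one. The rule syntax "policy:vlan:2-4" / "policy:interface:A2-A4" with a separate permit/deny action, and the behaviour of allowing every ID when no policy rule is configured, are assumptions based on the page's examples.

```python
import re
from dataclasses import dataclass, field

# Range syntax assumed from the page's examples: "2-4" or "A2-A4".
RANGE_RE = re.compile(r"^([A-Za-z]*)(\d+)-([A-Za-z]*)(\d+)$")
ID_RE = re.compile(r"^([A-Za-z]*)(\d+)$")


@dataclass
class PolicyRule:
    kind: str      # "vlan" or "interface"
    prefix: str    # "" for VLAN IDs, "A" for interfaces such as A2-A4
    low: int
    high: int
    action: str    # "permit" or "deny"


def parse_policy(rule: str, action: str) -> PolicyRule:
    """Parse 'policy:<kind>:<range>' plus its action (syntax assumed, see lead-in)."""
    tag, kind, spec = rule.split(":")
    if tag != "policy" or kind not in ("vlan", "interface") or action not in ("permit", "deny"):
        raise ValueError(f"unsupported policy rule: {rule} {action}")
    m = RANGE_RE.match(spec)
    if not m or m.group(1) != m.group(3) or int(m.group(2)) > int(m.group(4)):
        raise ValueError(f"bad range: {spec}")
    return PolicyRule(kind, m.group(1), int(m.group(2)), int(m.group(4)), action)


@dataclass
class Role:
    commands: set = field(default_factory=set)    # absolute paths, e.g. "configure;vlan;ip address"
    policies: dict = field(default_factory=dict)  # kind -> PolicyRule; only the last one per kind counts

    def add_policy(self, rule: str, action: str) -> None:
        p = parse_policy(rule, action)
        self.policies[p.kind] = p   # a later entry replaces the earlier one, as the page states

    def allows_command(self, path: str) -> bool:
        # Command rules are not validated on entry; only an exact path match grants access.
        return path in self.commands

    def allows(self, kind: str, target: str) -> bool:
        """Apply the policy rule for 'kind'; IDs outside the range get the opposite action."""
        p = self.policies.get(kind)
        if p is None:
            return True   # assumption: no policy rule configured means no restriction
        m = ID_RE.match(target)
        in_range = bool(m) and m.group(1) == p.prefix and p.low <= int(m.group(2)) <= p.high
        return in_range if p.action == "permit" else not in_range
```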


NOTE: By default, interface policy rules allow all commands.