Rules
RBAC supports a maximum of 1000 rules per role. With RBAC, you use rules to restrict a user's access to a limited set of VLANs, interfaces, features, and commands.
When a user logs into the system, the role and its rules are mapped to the user's session data structure, as shown in RBAC rule mapping based on role per session.
There are four types of rules: command rules, feature rules, VLAN policy rules, and interface policy rules.
Command rules
The command rule indicates the absolute command path, including the command context, that is taken into consideration while validating the commands. The command rule is specific to each user session.
The command parameter must contain the command context, separated with a ; delimiter.
For example, the command string that indicates the configuration of an IP address on any VLAN is as follows:
"configure;vlan;ip address"
NOTE: The command strings are not validated. You must provide a valid command string.
Feature rules
The feature rule indicates that the feature is related to a command set. There are 40 predefined features. Each feature can have read, write, and execute privileges. You can configure multiple features for a single role. When you add a feature to a role, the command rule entries are included automatically for all the commands associated with that feature.
A feature can have the following permissions:
r: The read permission displays the configuration and maintenance information, for example the display and show commands.
w: The write permission configures the feature in the system, for example the ACL and the OSPF configuration commands.
x: The execute permission executes specific functions, for example the ping and the copy commands.
VLAN policy rules
To configure a VLAN policy rule, set the policy parameter to vlan. Only one VLAN policy rule is allowed per role. The opposite VLAN rule is applied to the rest of the VLAN IDs.
For example, a policy rule "policy:vlan:2-4" permit gives the user access to VLANs 2 to 4 only and denies access to the rest of the VLANs available in the system.
If you configure multiple VLAN policy rules, only the last entry takes effect. All other VLAN policy rules are ignored.
NOTE: By default, VLAN policy rules allow all commands.
Interface policy rules
To configure an interface policy rule, set the policy parameter to the interface value. Only one interface policy rule is allowed per role. The opposite interface rule is applied to the rest of the interface IDs.
For example, a policy rule "policy:interface:A2-A4" deny denies the user access to interfaces A2 to A4 only and permits access to the rest of the interfaces available in the system.
If you configure multiple interface policy rules, only the last entry takes effect. All other interface policy rules are ignored.
NOTE: By default, interface policy rules allow all commands.
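The following Python model is an added example, not the switch's own code: it implements the VLAN and interface policy-rule semantics described in the two sections above (a permit or deny range such as "policy:vlan:2-4", the opposite action for every other ID, and last entry wins when several rules of the same kind exist). The treatment of a role with no policy rule of a given kind as unrestricted is an assumption.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class PolicyRule:
    kind: str    # "vlan" or "interface"
    start: str   # first ID of the range, e.g. "2" or "A2"
    end: str     # last ID of the range, e.g. "4" or "A4"
    action: str  # "permit" or "deny"

def parse_policy(rule: str, action: str) -> PolicyRule:
    """Parse a rule string such as "policy:vlan:2-4" plus its permit/deny action."""
    prefix, kind, id_range = rule.split(":")
    if prefix != "policy" or kind not in ("vlan", "interface"):
        raise ValueError(f"unsupported policy rule: {rule}")
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported action: {action}")
    start, end = id_range.split("-")
    return PolicyRule(kind, start, end, action)

def _split_id(ident: str) -> tuple[str, int]:
    """Split "A2" into ("A", 2) and a bare VLAN ID "2" into ("", 2)."""
    m = re.fullmatch(r"([A-Za-z]*)(\d+)", ident)
    if not m:
        raise ValueError(f"malformed ID: {ident}")
    return m.group(1).upper(), int(m.group(2))

def in_range(ident: str, start: str, end: str) -> bool:
    """True when ident lies within start..end and shares their prefix (A2-A4 never covers B3)."""
    p, n = _split_id(ident)
    ps, ns = _split_id(start)
    pe, ne = _split_id(end)
    return p == ps == pe and ns <= n <= ne

def effective_policy(rules: list[PolicyRule], kind: str) -> PolicyRule | None:
    """Only the last VLAN (or interface) policy rule of a role takes effect; earlier ones are ignored."""
    matching = [r for r in rules if r.kind == kind]
    return matching[-1] if matching else None

def is_permitted(rules: list[PolicyRule], kind: str, ident: str) -> bool:
    """Apply the rule's action inside its range and the opposite action to every other ID."""
    rule = effective_policy(rules, kind)
    if rule is None:
        return True  # assumption: no policy rule of this kind means no restriction
    inside = in_range(ident, rule.start, rule.end)
    return inside if rule.action == "permit" else not inside
```

Evaluating a role's rule list this way before deploying it makes the last-entry-wins behaviour visible, so an earlier permit range that is silently ignored does not come as a surprise.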