Creating roles and assigning rules
To create roles and assign rules to the configured roles, follow these steps: enable authorization, create a role, and then assign one or more rules to it:
Enabling authorization
Before you can create a role, you must enable the authorization commands for local users as follows:
Run the aaa authorization commands command and specify the local parameter.
Creating a role
Create a role as follows:
1. Run the aaa authentication local-user command.
2. Specify the local-user parameter.
3. Specify the group parameter.
4. Press Enter.
5. Enter a password.
In this example, the local user user1 is assigned to the network-admin role.
Assigning a local-user
# aaa authentication local-user "user1" group "network-admin" password plaintext
Configuring command rules
Assign one or more command rules to a user as follows:
1. Run the aaa authorization group command.
2. Specify the group parameter.
3. Specify the match-command parameter. You can specify one or more rules.
4. Specify the access: permit or deny.
In the following example, the network-admin role is given access to the router ospf and ip address commands.
Permit rule
# aaa authorization group "network-admin" 1 match-command "command:router ospf;ip address" permit log
In the following example, the network-admin role is denied access to the configure router ospf enable command.
Deny rule
# aaa authorization group "network-admin" 1 match-command "command:configure router ospf enable" deny log
More information
aaa authorization group
Configuring VLAN policy
1. Run the aaa authorization group command.
2. Specify the group parameter.
3. Specify the match-command parameter for the desired VLAN policy.
4. Specify the access: permit or deny.
NOTE: If a command must be preceded by the execution of another command, you must first permit both commands for the command authorization group. You can then configure the rule.
In this example, the network-admin role is denied access to the "policy:vlan:10-12,20,30-40" VLAN policy. The sequence parameter sets the order of the commands to be executed.
Configuring VLAN policy rules
# aaa authorization group "network-admin" 1 match-command "command:^configure$" permit
# aaa authorization group "network-admin" 2 match-command "command:configure vlan" permit log
# aaa authorization group "network-admin" 3 match-command "policy:vlan:10-12,20,30-40" deny log
Since only one VLAN policy rule can be assigned per role, if access is permitted for VLAN IDs 10 to 12, access to the rest of the VLAN IDs is denied for the same role. Similarly, if access is denied for VLAN IDs 10 to 12, then access to the rest of the VLAN IDs is permitted for the same role.
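To make the rule semantics above concrete, here is an added Python example (not code from the product or its documentation) that parses rule lines in the page's syntax into a per-role rule set ordered by sequence number and then evaluates a command and a VLAN ID against them, covering both the command rules and the VLAN policy sections. It assumes that match-command patterns are regular expressions tried in sequence order, that a `;`-separated command: list names several commands, and that a role with no matching rule is denied; those three defaults are assumptions, not statements from the page.

```python
import re
# Constructed rule set modelled on the page's examples (not captured from a device).
CONFIG = """
aaa authorization group "network-admin" 1 match-command "command:^configure$" permit
aaa authorization group "network-admin" 2 match-command "command:configure vlan" permit log
aaa authorization group "network-admin" 3 match-command "policy:vlan:10-12,20,30-40" deny log
aaa authorization group "network-admin" 4 match-command "command:configure router ospf enable" deny log
"""

RULE_RE = re.compile(
    r'aaa authorization group "(?P<group>[^"]+)" (?P<seq>\d+) '
    r'match-command "(?P<match>[^"]+)" (?P<access>permit|deny)( log)?$'
)

def parse_rules(text):
    """Return {group: [(seq, kind, pattern, access), ...]} ordered by sequence number."""
    rules = {}
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        kind, _, pattern = m["match"].partition(":")   # kind is "command" or "policy"
        rules.setdefault(m["group"], []).append((int(m["seq"]), kind, pattern, m["access"]))
    return {group: sorted(entries) for group, entries in rules.items()}

def expand_ids(spec):
    """'10-12,20,30-40' -> {10, 11, 12, 20, 30, ..., 40}."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def authorize_command(rules, group, command):
    """Lowest-sequence command: rule whose regex matches decides; no match -> deny (assumed)."""
    for _seq, kind, pattern, access in rules.get(group, []):
        if kind == "command":
            for alt in pattern.split(";"):   # "router ospf;ip address" lists several commands
                if re.search(alt, command):
                    return access == "permit"
    return False

def authorize_vlan(rules, group, vlan_id):
    """One policy:vlan rule per role: permit lists -> rest denied, deny lists -> rest permitted."""
    for _seq, kind, pattern, access in rules.get(group, []):
        if kind == "policy" and pattern.startswith("vlan:"):
            listed = vlan_id in expand_ids(pattern[len("vlan:"):])
            return listed if access == "permit" else not listed
    return False   # no VLAN policy configured for this role (assumed deny)
```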
More information
aaa authorization group
Configuring interface policy
1. Run the aaa authorization group command.
2. Specify the group parameter.
3. Specify the match-command parameter for the desired interface policy.
4. Specify the access: permit or deny.
NOTE: If a command must be preceded by the execution of another command, you must first permit both commands for the command authorization group. You can then configure the rule.
In this example, the network-admin role is denied access to the "policy:interface:A10-A12,A20,L20-L24" interface policy. The sequence parameter sets the order of the commands to be executed.
Configuring interface policy rules
# aaa authorization group "network-admin" 1 match-command "command:^configure$" permit
# aaa authorization group "network-admin" 2 match-command "command:configure interface" permit log
# aaa authorization group "network-admin" 3 match-command "policy:interface:A10-A12,A20,L20-L24" deny log
Since only one interface policy rule can be assigned per role, if access is permitted for A10 to A12, access to the rest of the interfaces is denied for the same role. Similarly, if access is denied for A10 to A12, then access to the rest of the interfaces is permitted for the same role.
More information
aaa authorization group
Configuring feature policy
1. Run the aaa authorization group command.
2. Specify the group parameter.
3. Specify the match-command parameter. You can specify one or more features.
4. Specify the access: permit or deny.
NOTE: If a command must be preceded by the execution of another command, you must first permit both commands for the command authorization group. You can then configure the rule.
In this example, the network-admin role is granted access to the "feature:rwx:ospf" feature policy. The sequence parameter sets the order of the commands to be executed.
Configuring feature rules
# aaa authorization group "network-admin" 1 match-command "command:^configure$" permit
# aaa authorization group "network-admin" 2 match-command "command:configure feature" permit log
# aaa authorization group "network-admin" 3 match-command "feature:rwx:ospf" permit log
More information
aaa authorization group