Creating roles and assigning rules

To create roles and assign rules to the configured roles, follow these steps:

Enabling authorization

Before you can create a role, you must enable the authorization commands for local users as follows:

  1. Run the aaa authorization commands command.

  2. Specify the local parameter.

Enabling authorization commands

# aaa authorization commands local

Creating a role

Create a role as follows:

  1. Run the aaa authentication local-user command.

  2. Specify the local-user parameter.

  3. Specify the group parameter.

  4. Press enter.

  5. Enter a password.

In this example, a local-user user1 is assigned to the network-admin role.

Assigning a local-user

# aaa authentication local-user "user1" group "network-admin" password plaintext

Configuring command rules

Assign one or more command rules to a user as follows:

  1. Run the aaa authorization group command.

  2. Specify the group parameter.

  3. Specify the match-command parameter. You can specify one or more rules.

  4. Specify the access: permit or deny.

In the following example, the network-admin role is given access to the router ospf and ip address commands.

Permit rule

# aaa authorization group "network-admin" 1 match-command "command:router ospf;ip address" permit log

In the following example, the network-admin role is denied access to the configure router ospf enable command.

Deny rule

# aaa authorization group "network-admin" 1 match-command "command:configure router ospf enable" deny log

More information

aaa authorization group

Configuring VLAN policy

  1. Run the aaa authorization group command.

  2. Specify the group parameter.

  3. Specify the match-command parameter for the desired VLAN policy.

  4. Specify the access: permit or deny.


NOTE: If a command must be preceded by the execution of another command, you must first permit both commands for the command authorization group. You can then configure the rule.

In this example, the network-admin role is denied access to the "policy:vlan:10-12,20,30-40" VLAN policy. The sequence parameter is used to give order to the sequence of commands to be executed.

Configuring VLAN policy rules

# aaa authorization group "network-admin" 1 match-command "command:^configure$" permit

# aaa authorization group "network-admin" 2 match-command "command:configure vlan" permit log

# aaa authorization group "network-admin" 3 match-command "policy:vlan:10-12,20,30-40" deny log

Since only one VLAN policy rule can be assigned per role, if access is permitted for VLAN IDs 10 to 12, access to the rest of the VLAN IDs is denied for the same role. Similarly, if access is denied for VLAN IDs 10 to 12, then access to the rest of the VLAN IDs is permitted for the same role.

More information

aaa authorization group

Configuring interface policy

  1. Run the aaa authorization group command.

  2. Specify the group parameter.

  3. Specify the match-command parameter for the desired interface policy.

  4. Specify the access: permit or deny.


NOTE: If a command must be preceded by the execution of another command, you must first permit both commands for the command authorization group. You can then configure the rule.

In this example, the network-admin role is denied access to the "policy:interface:A10-A12,A20,L20-L24" interface policy. The sequence parameter is used to give order to the sequence of commands to be executed.

Configuring interface policy rules

# aaa authorization group "network-admin" 1 match-command "command:^configure$" permit

# aaa authorization group "network-admin" 2 match-command "command:configure interface" permit log

# aaa authorization group "network-admin" 3 match-command "policy:interface:A10-A12,A20,L20-L24" deny log

Since only one interface policy rule can be assigned per role, if access is permitted for A10 to A12, access to the rest of the interfaces is denied for the same role. Similarly, if access is denied for A10 to A12, then access to the rest of the interfaces is permitted for the same role.

More information

aaa authorization group

Configuring feature policy

  1. Run the aaa authorization group command.

  2. Specify the group parameter.

  3. Specify the match-command parameter. You can specify one or more features.

  4. Specify the access: permit or deny.


NOTE: If a command must be preceded by the execution of another command, you must first permit both commands for the command authorization group. You can then configure the rule.

In this example, the network-admin role is granted access to the "feature:rwx:ospf" feature policy. The sequence parameter is used to give order to the sequence of commands to be executed.

Configuring feature rules

# aaa authorization group "network-admin" 1 match-command "command:^configure$" permit

# aaa authorization group "network-admin" 2 match-command "command:configure feature" permit log

# aaa authorization group "network-admin" 3 match-command "feature:rwx:ospf" permit log
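The VLAN, interface and feature procedures above share one pattern: permit configure, permit the mode command, then add the single policy rule, each with its own sequence number. The following helper, added here as an illustration rather than part of this guide or the switch software, generates that rule set from a policy string and checks a rule set for the two mistakes the notes warn about (a reused sequence number and a second policy rule of the same kind for one role). The function and regex names are my own assumptions.

```python
import re

# Mode command that must already be permitted before each policy type can be
# used; taken from the VLAN, interface and feature examples on this page.
MODE_COMMAND = {
    "vlan": "configure vlan",
    "interface": "configure interface",
    "feature": "configure feature",
}
POLICY_RE = re.compile(r"^(?:policy:(vlan|interface)|(feature)):\S+$")
RULE_RE = re.compile(
    r'^aaa authorization group "([^"]+)" (\d+) match-command "([^"]+)" (permit|deny)(?: log)?$'
)


def policy_kind(policy: str) -> str:
    """Return 'vlan', 'interface' or 'feature' for a policy match string."""
    m = POLICY_RE.match(policy)
    if not m:
        raise ValueError(f"unrecognised policy string: {policy!r}")
    return m.group(1) or m.group(2)


def build_policy_rules(role: str, policy: str, access: str, start_seq: int = 1) -> list:
    """Emit the two prerequisite permits and then the policy rule, in sequence order."""
    if access not in ("permit", "deny"):
        raise ValueError("access must be 'permit' or 'deny'")
    kind = policy_kind(policy)
    prefix = f'aaa authorization group "{role}"'
    return [
        f'{prefix} {start_seq} match-command "command:^configure$" permit',
        f'{prefix} {start_seq + 1} match-command "command:{MODE_COMMAND[kind]}" permit log',
        f'{prefix} {start_seq + 2} match-command "{policy}" {access} log',
    ]


def check_rule_set(lines: list) -> list:
    """Return the problems found: a sequence number reused within a role, or a
    second policy rule of the same kind for a role (only one is allowed)."""
    problems, seen_seq, seen_policy = [], set(), set()
    for line in lines:
        m = RULE_RE.match(line)
        if not m:
            problems.append(f"unparsable rule: {line}")
            continue
        role, seq, match, _access = m.groups()
        if (role, seq) in seen_seq:
            problems.append(f"duplicate sequence {seq} for role {role}")
        seen_seq.add((role, seq))
        if POLICY_RE.match(match):
            key = (role, policy_kind(match))
            if key in seen_policy:
                problems.append(f"second {key[1]} policy rule for role {role}")
            seen_policy.add(key)
    return problems
```

Run check_rule_set over the rules you intend to paste into the switch before applying them; an empty list means the ordering and uniqueness constraints described above hold.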

More information

aaa authorization group