aaa authorization group

Syntax

[no] aaa authorization group <GROUPNAME> <SEQ-NUM> match-command <command|feature|policy> {deny|permit} [log]

Description

Assigns rules to existing roles. Rules can be permitted or denied for a specified user.

Parameters

GROUPNAME

The name of the role.

SEQ-NUM

When more than one rule matches the command entered, the rule with the lowest sequence number gets precedence over the other rules.

command

Indicates that the rule requires context level information to validate the command string following this parameter.

feature

Indicates that it is a feature related to a command set. A feature can have the following permissions:

  • r: The read feature displays the configuration and maintenance information. For example, the display and show commands.

  • w: The write feature configures the feature in the system. For example, the ACL and the OSPF configuration commands.

  • x: The execute feature executes specific functions. For example, the ping and the copy commands.

There are 40 predefined features. Multiple features can be configured for a single role. When a feature is added to a role, the command rule entries are included automatically for all the commands for that feature.

policy

Indicates that it is a resource policy rule. There are two resource policies: VLAN and interface.

Options

deny

The specified match-command is denied for the specified group.

permit

The specified match-command is permitted for the specified group.

log

Generates a log message in the show logging output for the rule that is permitted or denied.