Send documentation comments to mdsfeedback-doc@cisco.com
Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x
OL-9285-05
Chapter 18 Troubleshooting Users and Roles
Overview
Rules and Features for Each Role
Up to 16 rules can be configured for each role. The user-specified rule number determines the order in which the rules are applied. For example, rule 1 is applied before rule 2, which is applied before rule 3, and so on. A user not belonging to the network-admin role cannot perform commands related to roles. For example, if user A is permitted to perform all show commands, user A cannot view the output of the show role command if user A does not belong to the network-admin role.
The rule command specifies operations that can be performed by a specific role. Each rule consists of a rule number, a rule type (permit or deny), a command type (for example, config, clear, show, exec, debug), and an optional feature name (for example, FSPF, zone, VSAN, fcping, or interface).
Note
In this case, exec commands refer to all commands in the EXEC mode that do not fall in the show, debug, and clear categories.
The order of rule placement is important. For example, the first rule permits user access to all config commands, and the next rule denies FSPF configuration to the user. As a result, the user can perform all config commands except fspf configuration commands.
Note
If you had swapped these two rules and issued the deny config feature fspf rule first and issued the permit config rule next, you would be allowing the user to perform all configuration commands because the second rule globally overrode the first rule.
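The ordering behavior described above, as an added example that is not part of the Cisco guide: a small Python model that parses rule lines, applies them in ascending rule number with a later match overriding an earlier one, and flags rules cancelled by a later, broader rule of the opposite type. The function names are hypothetical, the sample rule sets are constructed, and returning None when no rule matches is an assumption because this page does not state the default.

```python
import re

# Rule syntax as described on this page: number, permit|deny, command type, optional feature.
RULE_RE = re.compile(
    r"^rule\s+(\d+)\s+(permit|deny)\s+(config|clear|show|exec|debug)(?:\s+feature\s+(\S+))?$")

def parse_rules(text):
    """Return (number, action, cmd_type, feature) tuples sorted by rule number."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip().lower())
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        num, action, cmd_type, feature = m.groups()
        rules.append((int(num), action, cmd_type, feature))
    if len(rules) > 16:
        raise ValueError("a role holds at most 16 rules")
    return sorted(rules, key=lambda r: r[0])

def decide(rules, cmd_type, feature):
    """Apply rules in ascending number; a later matching rule overrides an earlier one."""
    verdict = None  # assumption: None means no rule matched (default not stated on this page)
    for _num, action, r_type, r_feature in rules:
        if r_type == cmd_type and r_feature in (None, feature):
            verdict = action
    return verdict

def shadowed(rules):
    """Return (rule, overriding_rule) pairs where a later rule of the opposite
    action covers the same command type and the same or a broader feature scope."""
    hits = []
    for i, (num, action, r_type, r_feature) in enumerate(rules):
        for l_num, l_action, l_type, l_feature in rules[i + 1:]:
            if l_type == r_type and l_action != action and l_feature in (None, r_feature):
                hits.append((num, l_num))
                break
    return hits

# Constructed sample rule sets: the order from the text, then the swapped order from the Note.
GOOD = "rule 1 permit config\nrule 2 deny config feature fspf"
SWAPPED = "rule 1 deny config feature fspf\nrule 2 permit config"

if __name__ == "__main__":
    for name, text in (("as written", GOOD), ("swapped", SWAPPED)):
        rules = parse_rules(text)
        print(name, "| config fspf ->", decide(rules, "config", "fspf"),
              "| cancelled rules:", shadowed(rules))
```

Running shadowed() over the rule lines of each custom role when reviewing a switch configuration surfaces deny rules that no longer restrict anything because of where they sit in the order.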