• If a predefined user role rule and a user-defined user role rule conflict, the user-defined user role rule takes effect.

The following guidelines apply to OID rules:
• The system compares an OID with the OIDs specified in rules, and it uses the longest match principle to select a rule for the OID. For example, a user role cannot access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:
    rule 1 permit read write oid 1.3.6
    rule 2 deny read write oid 1.3.6.1.4.1
    rule 3 permit read write oid 1.3.6.1.4
• If the same OID is specified in multiple rules, the rule with the higher ID takes effect. For example, a user role can access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:
    rule 1 permit read write oid 1.3.6
    rule 2 deny read write oid 1.3.6.1.4.1
    rule 3 permit read write oid 1.3.6.1.4.1
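As an added illustration of the two OID guidelines above (this is example code, not the vendor's implementation), the following Python selects a rule by longest OID prefix match, breaks ties between equal-length prefixes in favour of the higher rule ID, and replays both rule sets from the text against the MIB node 1.3.6.1.4.1.25506.141.3.0.1. The names parse_rule, select_rule and is_allowed are mine; two behaviours are assumptions made for the example rather than statements from the page: an OID that no rule matches is treated as denied, and only rules that list the requested access type (read or write) are considered candidates.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Added example: OID rule selection with longest match and higher-ID tie-break.


@dataclass(frozen=True)
class OidRule:
    rule_id: int
    action: str          # "permit" or "deny"
    access: frozenset    # access types the rule covers, e.g. {"read", "write"}
    oid: str             # dotted OID prefix the rule applies to


def parse_rule(cmd: str) -> OidRule:
    """Parse a 'rule <id> permit|deny <access...> oid <prefix>' command string."""
    tokens = cmd.split()
    if len(tokens) < 6 or tokens[0] != "rule" or "oid" not in tokens:
        raise ValueError(f"not an OID rule: {cmd!r}")
    oid_pos = tokens.index("oid")
    return OidRule(
        rule_id=int(tokens[1]),
        action=tokens[2],
        access=frozenset(tokens[3:oid_pos]),
        oid=tokens[oid_pos + 1],
    )


def _components(oid: str) -> List[int]:
    """Split a dotted OID into integers so that '1.3.6' is not treated as a prefix of '1.3.60'."""
    return [int(part) for part in oid.strip(".").split(".")]


def oid_matches(prefix: str, oid: str) -> bool:
    """True when every component of prefix equals the corresponding leading component of oid."""
    p, o = _components(prefix), _components(oid)
    return len(p) <= len(o) and o[: len(p)] == p


def select_rule(rules: Sequence[OidRule], oid: str, access: str) -> Optional[OidRule]:
    """Return the rule that governs the requested access to oid, or None if no rule matches.

    Assumption for this example: only rules listing the requested access type are
    candidates. Among candidates the longest OID prefix wins; equal-length prefixes
    are resolved in favour of the higher rule ID, as the guidelines state.
    """
    candidates = [r for r in rules if access in r.access and oid_matches(r.oid, oid)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (len(_components(r.oid)), r.rule_id))


def is_allowed(rules: Sequence[OidRule], oid: str, access: str) -> bool:
    """Assumption for this example: an OID with no matching rule is denied."""
    rule = select_rule(rules, oid, access)
    return rule is not None and rule.action == "permit"


# The two rule sets from the text, constructed from the commands shown above.
MIB_NODE = "1.3.6.1.4.1.25506.141.3.0.1"
RULES_LONGEST_MATCH = [parse_rule(c) for c in (
    "rule 1 permit read write oid 1.3.6",
    "rule 2 deny read write oid 1.3.6.1.4.1",
    "rule 3 permit read write oid 1.3.6.1.4",
)]
RULES_SAME_OID = [parse_rule(c) for c in (
    "rule 1 permit read write oid 1.3.6",
    "rule 2 deny read write oid 1.3.6.1.4.1",
    "rule 3 permit read write oid 1.3.6.1.4.1",
)]

if __name__ == "__main__":
    for name, rules in (("longest match", RULES_LONGEST_MATCH), ("same OID", RULES_SAME_OID)):
        chosen = select_rule(rules, MIB_NODE, "read")
        print(f"{name}: rule {chosen.rule_id} {chosen.action} -> "
              f"allowed={is_allowed(rules, MIB_NODE, 'read')}")
```

In the first rule set, rule 2 (prefix 1.3.6.1.4.1, six components) is the longest match and denies the node even though rule 3 has the higher ID; in the second set, rules 2 and 3 carry the same prefix, so the higher ID wins and the node is permitted. Comparing OIDs component by component rather than as strings matters when auditing a rule set: a string prefix test would wrongly let a rule for 1.3.6 govern 1.3.60.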
You can configure a maximum of 256 user-defined rules for a user role. The total number of
user-defined user role rules cannot exceed 1024.
Any rule modification, addition, or removal for a user role takes effect only on the users who log in
with the user role after the change.
Access to the file system commands is controlled by both the file system command rules and the file
system feature rule.
A command with output redirection to the file system is permitted only when the command type write
is assigned to the file system feature.
When you specify a command string, follow the guidelines in Table 9.

Table 9 Command string configuration rules

Rule: Semicolon (;) is the delimiter.
Guidelines:
• Use a semicolon to separate the command of each view that you must enter before you access a command or a set of commands. However, do not use a semicolon to separate commands available in user view or any view, for example, display and dir.
• Each semicolon-separated segment must have a minimum of one printable character.
• To specify the commands in a view but not the commands in the view's subviews, use a semicolon as the last printable character in the last segment. To specify the commands in a view and the view's subviews, the last printable character in the last segment must not be a semicolon.
  For example, you must enter system view before you enter interface view. To specify all commands starting with ip in any interface view, you must use the "system ; interface * ; ip * ;" command string.
  For another example, the "system ; radius scheme * ;" command string represents all the commands that start with radius scheme in system view. The "system ; radius scheme *" command string represents all the commands that start with radius scheme in system view and all the commands in RADIUS scheme view.

Rule: Asterisk (*) is the wildcard.
Guidelines:
• An asterisk represents zero or more characters.
• In a non-last segment, you can use an asterisk only at the end of the segment.
• In the last segment, you can use an asterisk in any position of the segment. If the asterisk appears at the beginning, you cannot specify