01-Fundamentals Command Reference

02-RBAC commands

RBAC commands

description

Use description to configure a description for a user role.

Use undo description to delete the description of a user role.

Syntax

description text

undo description

Default

A user role has no description.

Views

User role view

Predefined user roles

network-admin

mdc-admin

Parameters

text: User role description, a case-sensitive string of 1 to 128 characters.

Examples

# Configure the description "labVIP" for the user role role1.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1] description labVIP

Related commands

·           display role

·           role

display role

Use display role to display user role information.

Syntax

display role [ name role-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

name role-name: Specifies a user role name, a case-sensitive string of 1 to 63 characters.

Usage guidelines

If no user role name is specified, the command displays information about all user roles, including the predefined user roles.

Examples

# Display information about the user role 123.

<Sysname> display role name 123

Role: 123

  Description: new role

  VLAN policy: deny

  Interface policy: deny

  VPN instance policy: deny

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  1       permit RWX   feature-group abc

  2       deny   -W-   feature       ldap

  3       permit       command       system ; radius sc *

  R:Read W:Write X:Execute

# Display information about all user roles.

<Sysname> display role

Role: network-admin

  Description: Predefined network admin role has access to all commands on the device

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  sys-1   permit       command       *

  R:Read W:Write X:Execute

 

Role: network-operator

  Description: Predefined network operator role has access to all read commands on the device

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  sys-1   permit       command       display *

  sys-2   deny         command       display history-command all

  sys-3   permit       command       system-view ; local-user *

  sys-4   permit       command       system-view ; switchto mdc *

  R:Read W:Write X:Execute

 

Role: mdc-admin

  Description: Predefined MDC admin role has access to all commands within an MDC instance

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  sys-1   permit       command       *

  sys-2   deny   RWX   feature       mdc

  sys-3   permit       command       display mdc *

  sys-4   permit       command       switchback

  R:Read W:Write X:Execute

 

Role: mdc-operator

  Description: Predefined MDC operator role has access to all read commands within an MDC instance

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  sys-1   permit       command       display *

  sys-2   deny         command       display history-command all

  sys-3   permit       command       system-view ; local-user *

  sys-4   permit       command       switchback

  R:Read W:Write X:Execute

 

Role: level-0

  Description: Predefined level-0 role

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  sys-1   permit       command       tracert *

  sys-2   permit       command       telnet *

  sys-3   permit       command       ping *

  sys-4   permit       command       ssh2 *

  sys-5   permit       command       super *

  R:Read W:Write X:Execute

 

Role: level-1

  Description: Predefined level-1 role

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  sys-1   permit       command       tracert *

  sys-2   permit       command       telnet *

  sys-3   permit       command       ping *

  sys-4   permit       command       ssh2 *

  sys-5   permit       command       display *

  sys-6   permit       command       super *

  sys-7   deny         command       display history-command all

  R:Read W:Write X:Execute

 

Role: level-2

  Description: Predefined level-2 role

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

 

Role: level-3

  Description: Predefined level-3 role

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

 

Role: level-4

  Description: Predefined level-4 role

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

 

Role: level-5

  Description: Predefined level-5 role

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

 

Role: level-6

  Description: Predefined level-6 role

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

 

Role: level-7

  Description: Predefined level-7 role

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

 

Role: level-8

  Description: Predefined level-8 role

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

 

Role: level-9

  Description: Predefined level-9 role

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  sys-1   permit RWX   feature       -

  sys-2   deny   RWX   feature       device

  sys-3   deny   RWX   feature       filesystem

  sys-4   permit       command       display *

  sys-5   deny         command       display history-command all

  R:Read W:Write X:Execute

 

Role: level-10

  Description: Predefined level-10 role

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

 

Role: level-11

  Description: Predefined level-11 role

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

 

Role: level-12

  Description: Predefined level-12 role

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

 

Role: level-13

  Description: Predefined level-13 role

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

 

Role: level-14

  Description: Predefined level-14 role

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

 

Role: level-15

  Description: Predefined level-15 role

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  sys-1   permit       command       *

  R:Read W:Write X:Execute

 

Role: 123

  Description: new role

  VLAN policy: deny

  Interface policy: deny

  VPN instance policy: deny

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  1       permit RWX   feature-group abc

  2       deny   -W-   feature       ldap

  3       permit       command       system ; radius sc *

  R:Read W:Write X:Execute

Table 1 Command output

Field

Description

Role

User role name.

Predefined user role names include network-admin, network-operator, mdc-admin, mdc-operator, and level-n (where n represents an integer in the range of 0 to 15).

Description

User role description you have configured for easy identification.

VLAN policy

VLAN policy of the user role:

·       deny—Denies access to any VLAN except permitted VLANs.

·       permit (default)—Default VLAN policy, which enables the user role to access any VLAN.

Permitted VLANs

VLANs accessible to the user role.

Interface policy

Interface policy of the user role:

·       deny—Denies access to any interface except permitted interfaces.

·       permit (default)—Default interface policy, which enables the user role to access any interface.

Permitted interfaces

Interfaces accessible to the user role.

VPN instance policy

VPN instance policy of the user role:

·       deny—Denies access to any VPN instance except permitted VPN instances.

·       permit (default)—Default VPN instance policy, which enables the user role to access any VPN instance.

Permitted VPN instances

VPNs accessible to the user role.

Rule

User role rule number.

A user role rule specifies the permission to access a command or a set of commands. Predefined user role rules are identified by sys-n, where n represents an integer.

Perm

Access to the command:

·       permit—User role has access to the command.

·       deny—User role has no access to the command.

Type

Command type:

·       R—Read-only.

·       W—Write.

·       X—Execute.

Scope

Rule control scope:

·       command—Controls access to the command or commands, as specified in the Entity field.

·       feature—Controls access to the commands of the feature, as specified in the Entity field.

·       feature-group—Controls access to the commands of the features in the feature group, as specified in the Entity field.

Entity

Command string, feature name, or feature group specified in the user role rule:

·       An en dash (–) represents any feature.

·       An asterisk (*) represents zero or more characters.
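The Rule/Perm/Type/Scope/Entity layout documented in Table 1 is what you get when you export role definitions for review, so a practitioner will usually want to parse it rather than read it by eye. The following parser and audit is an added example written for this page, not H3C code: it reads the Role, policy and rule fields described above and flags user-defined roles whose rules are as broad as the predefined admin roles (a wildcard command permit, which is exactly network-admin's sys-1 rule; write access to every feature; or write access to a feature group, whose membership can change later through the feature command). SAMPLE is a constructed transcript in the layout of the display role output on this page, and the role helpdesk, its rules, and the three audit conditions are this example's own choices, not something the reference defines.

```python
"""Audit `display role` output for user-defined roles with admin-equivalent rules.

Added example, not H3C code. SAMPLE is a constructed transcript in the layout of this page's
`display role` output; the role "helpdesk" and its rules are hypothetical.
"""
import re
from dataclasses import dataclass, field

PREDEFINED = {"network-admin", "network-operator", "mdc-admin", "mdc-operator"}
PREDEFINED |= {f"level-{n}" for n in range(16)}

# One row of the Rule/Perm/Type/Scope/Entity table; Type is blank for command-scope rules.
RULE_RE = re.compile(
    r"^\s*(?P<rule>\S+)\s+(?P<perm>permit|deny)\s+(?:(?P<type>[R-][W-][X-])\s+)?"
    r"(?P<scope>command|feature-group|feature)\s+(?P<entity>.*?)\s*$"
)
POLICY_RE = re.compile(r"^\s*(?P<name>VLAN|Interface|VPN instance) policy:\s*(?P<value>permit|deny)")

@dataclass
class Rule:
    rule: str
    perm: str
    type: str          # "RWX", "-W-", ... or "" for command-scope rules
    scope: str
    entity: str

@dataclass
class Role:
    name: str
    description: str = ""
    policies: dict = field(default_factory=dict)   # e.g. {"VLAN": "deny"}
    rules: list = field(default_factory=list)

    @property
    def predefined(self):
        return self.name in PREDEFINED

def parse_display_role(text):
    """Return the roles in `display role` output, in display order."""
    roles, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Role: "):
            cur = Role(name=s[6:].strip())
            roles.append(cur)
        elif cur is None:
            continue
        elif s.startswith("Description:"):
            cur.description = s.split(":", 1)[1].strip()
        elif (m := POLICY_RE.match(line)):
            cur.policies[m["name"]] = m["value"]
        elif (m := RULE_RE.match(line)):
            cur.rules.append(Rule(m["rule"], m["perm"], m["type"] or "", m["scope"], m["entity"]))
    return roles

def audit(roles):
    """Findings for user-defined roles only; the predefined roles are skipped."""
    findings = []
    for role in roles:
        if role.predefined:
            continue
        for r in (x for x in role.rules if x.perm == "permit"):
            if r.scope == "command" and r.entity == "*":
                findings.append(f"{role.name}: rule {r.rule} permits every command (same as network-admin sys-1)")
            elif r.scope == "feature" and r.entity == "-" and "W" in r.type:
                findings.append(f"{role.name}: rule {r.rule} grants write access to every feature")
            elif r.scope == "feature-group" and "W" in r.type:
                findings.append(f"{role.name}: rule {r.rule} writes feature group {r.entity}; "
                                f"review it with: display role feature-group name {r.entity}")
    return findings

SAMPLE = """\
Role: 123
  Description: new role
  VLAN policy: deny
  Interface policy: deny
  VPN instance policy: deny
  -------------------------------------------------------------------
  Rule    Perm   Type  Scope         Entity
  -------------------------------------------------------------------
  1       permit RWX   feature-group abc
  2       deny   -W-   feature       ldap
  3       permit       command       system ; radius sc *
  R:Read W:Write X:Execute

Role: helpdesk
  Description: constructed role, looks read-only but is not
  VLAN policy: permit (default)
  Interface policy: permit (default)
  VPN instance policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm   Type  Scope         Entity
  -------------------------------------------------------------------
  1       permit       command       display *
  2       permit       command       *
  R:Read W:Write X:Execute
"""

if __name__ == "__main__":
    for finding in audit(parse_display_role(SAMPLE)):
        print(finding)
```

Run it against the pasted output of display role on a device; only user-defined roles are reported, and a deny rule is never a finding because a deny only narrows what the role's permit rules grant.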

 

Related commands

role

display role feature

Use display role feature to display features available in the system.

Syntax

display role feature [ name feature-name | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

name feature-name: Displays the commands of a feature. The feature-name argument specifies the feature name, and all its letters must be lower case.

verbose: Displays the commands of each feature.

Usage guidelines

If neither name feature-name nor verbose is specified, the display role feature command displays only the list of features available in the system.

Examples

# Display the list of feature names.

<Sysname> display role feature

Feature: device          (Device configuration related commands)

Feature: interface       (Interface related commands)

Feature: syslog          (Syslog related commands)

Feature: process         (Process related commands)

# Display the commands of each feature.

<Sysname> display role feature verbose

Feature: device          (Device configuration related commands)

  display clock    (R)

  debugging dev    (W)

  display debugging dev    (R)

  display device *    (R)

  display diagnostic-information    (R)

  display environment *    (R)

  display fan *    (R)

  display alarm *    (R)

  display power-supply *    (R)

  display rps *    (R)

  display current-configuration *    (R)

  display saved-configuration *    (R)

  display startup    (R)

  display xbar *    (R)

  display this *    (R)

  display archive configuration    (R)

  clock datetime *    (W)

  reboot *    (W)

  save *    (W)

  archive configuration    (W)

  backup startup-configuration to *    (W)

  restore startup-configuration from *    (W)

  reset saved-configuration *    (W)

  startup saved-configuration *    (W)

  display transceiver *    (R)

  power-supply *    (W)

  system-view ; temperature-limit *    (W)

  system-view ; sysname *    (W)

  system-view ; clock timezone *    (W)

  system-view ; configuration replace file *    (W)

  system-view ; transceiver *    (W)

  system-view ; power-supply *    (W)

  system-view ; xbar *    (W)

  system-view ; archive configuration *    (W)

  system-view ; configuration encrypt    *    (W)

  system-view ; configuration replace file *    (W)

Feature: interface       (Interface related commands)

  reset counters interface *    (W)

  reset packet-drop *    (W) 

  debugging ifnet *    (W)

  display port-group manual *    (R)

  display debugging ifnet    (R)

  display interface *   (R)

# Display the commands of the aaa feature.

<Sysname> display role feature name aaa

Feature: aaa             (AAA related commands)

  system-view ; domain *    (W)

  system-view ; header *    (W)

  display domain *    (R)

  system-view ; user-group *    (W)

  system-view ; local-user *    (W)

  display local-user *    (R)

  display user-group *    (R)

  display debugging local-server    (R)

  debugging local-server *    (W)

Table 2 Command output (display role feature name aaa)

Field

Description

Feature

Displays the name and brief function description of the feature.

system-view ; domain *

All the commands that start with domain in system view and all the commands in ISP domain view.

system-view ; header *

All the commands that start with header in system view.

display domain *

All the commands that start with display domain in user view.

system-view ; user-group *

All the commands that start with user-group in system view, and all the commands in user group view.

system-view ; local-user *

All the commands that start with local-user in system view, and all the commands in local user view.

display user-group *

All the commands that start with display user-group in user view.

display debugging local-server

All the commands that start with display debugging local-server in user view.

debugging local-server *

All the commands that start with debugging local-server in user view.

(W)

Command type is Write. A write command configures the system.

(R)

Command type is Read. A read command displays configuration or maintenance information.

(X)

Command type is Execute. An execute command executes a specific function.

 

Related commands

feature

display role feature-group

Use display role feature-group to display feature group information.

Syntax

display role feature-group [ name feature-group-name ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

name feature-group-name: Specifies a feature group. The feature-group-name argument represents the feature group name, a case-sensitive string of 1 to 31 characters. If no feature group is specified, the command displays information about all feature groups.

verbose: Displays the commands of each feature in the specified feature group. If no feature group is specified, this keyword enables displaying the commands of each feature in every feature group. If this keyword is not specified, the command displays only the feature lists of feature groups.

Usage guidelines

Feature groups L2 and L3 are predefined feature groups.

Examples

# Display the feature lists of feature groups.

<Sysname> display role feature-group

Feature group: L2

Feature: igmp-snooping   (IGMP-Snooping related commands)

Feature: lacp            (LACP related commands)

Feature: stp             (STP related commands)

Feature: lldp            (LLDP related commands)

Feature: dldp            (DLDP related commands)

Feature: eoam            (EOAM related commands)

Feature: loopbk-detect   (Loopback-detection related commands)

Feature: vlan            (Virtual LAN related commands)

Feature: evb             (EVB related commands)

 

Feature group: L3

Feature: route           (Route management related commands)

Feature: usr             (Unicast static route related commands)

Feature: ospf            (Open Shortest Path First protocol related commands)

Feature: rip             (Routing Information Protocol related commands)

Feature: isis            (ISIS protocol related commands)

Feature: bgp             (Border Gateway Protocol related commands)

Feature: l3vpn           (Layer 3 Virtual Private Network related commands)

Feature: route-policy    (Routing Policy related commands)

Feature: multicast       (Multicast related commands)

Feature: pim             (Protocol Independent Multicast related commands)

Feature: igmp            (Internet Group Management Protocol)

Feature: mld             (Multicast Listener Discovery for IPv6)

# Display the commands in each feature group. For more information about the wildcards and marks used in the command list, see Table 2.

<Sysname> display role feature-group verbose

Feature group: L2

Feature: igmp-snooping   (IGMP-Snooping related commands)

  system-view ; igmp-snooping    (W)

  system-view ; vlan * ; igmp-snooping *    (W)

  system-view ; interface * ; igmp-snooping *    (W)

  display igmp-snooping *    (R)

  reset igmp-snooping *    (W)

  debugging igmp-snooping *    (W)

  display debugging igmp-snooping *    (R)

Feature: lacp            (LACP related commands)

  display link-aggregation *    (R)

  display lacp *    (R)

  system-view ; link-aggregation lacp traffic-redirect-notification enable    (W)

  system-view ; link-aggregation global load-sharing mode *    (W)

  system-view ; lacp *    (W)

  system-view ; interface * ; link-aggregation *    (W)

  system-view ; interface * ; port link-aggregation *    (W)

  system-view ; interface * ; lacp *    (W)

  system-view ; interface * ; service *    (W)

  reset lacp *    (W)

  debugging link-aggregation *    (W)

  display debugging link-aggregation *    (R)

Feature: stp             (STP related commands)

  display stp *    (R)

  system-view ; stp *    (W)

  system-view ; interface * ; stp *    (W)

  reset stp *    (W)

  debugging stp *    (W)

  display debugging stp *    (R)

Feature: lldp            (LLDP related commands)

  display lldp *    (R)

  system-view ; lldp *    (W)

  system-view ; interface * ; lldp *    (W)

  debugging lldp *    (W)

  display debugging lldp *    (R)

  debugging dcbx *    (W)

  display debugging dcbx *    (R)

Feature: dldp            (DLDP related commands)

  display dldp *    (R)

  system-view ; dldp *    (W)

  system-view ; interface * ; dldp *    (W)

  reset dldp *    (W)

  debugging dldp *    (W)

  display debugging dldp *    (R)

Feature: eoam            (EOAM related commands)

  display oam *    (R)

  system-view ; oam *    (W)

  system-view ; interface * ; oam *    (W)

  oam remote-loopback *    (W)

  reset oam *    (W)

  debugging oam *    (W)

  display debugging oam *    (R)

Feature: loopbk-detect   (Loopback-detection related commands)

  display loopback-detection *    (R)

  system-view ; loopback-detection *    (W)

  system-view ; interface * ; loopback-detection *    (W)

  debugging loopback-detection *    (W)

  display debugging loopback-detection *    (R)

Feature: vlan            (Virtual LAN related commands)

  display vlan *    (R)

  display port trunk    (R)

  display port hybrid    (R)

  display qinq *    (R)

  system-view ; qinq *    (W)

  system-view ; vlan * ;    (W)

  system-view ; interface * ; port link-type *    (W)

  system-view ; interface * ; port access vlan *    (W)

  system-view ; interface * ; port trunk pvid vlan *    (W)

  system-view ; interface * ; port trunk permit vlan *    (W)

  system-view ; interface * ; port hybrid pvid vlan *    (W)

  system-view ; interface * ; port hybrid vlan *    (W)

  system-view ; interface * ; qinq *    (W)

  system-view ; vlan * ; name *    (W)

  system-view ; vlan * ; description *    (W)

  system-view ; vlan * ; port *    (W)

Feature: evb             (EVB related commands)

  display evb *    (R)

  system-view ; evb *    (W)

  system-view ; interface * ; evb *    (W)

  debugging evb *    (W)

  display debugging evb *    (R)

 

Feature group: L3

Feature: route           (Route management related commands)

  display debugging rib *    (R) 

  display ip routing-table *    (R)

  display ipv6 routing-table *    (R)

  display router id *    (R)

  reset ip routing-table statistics *    (W)

  reset ipv6 routing-table statistics *    (W)

  debugging rib *    (W)

  debugging ipv6 rib *    (W)

  system-view ; router id *    (W)

Feature: usr             (Unicast static route related commands)

  display debugging usr *    (R)

  debugging usr *    (W)

  debugging ipv6 usr *    (W) 

  system-view ; ip route-static *    (W)

  system-view ; ipv6 route-static *    (W)

  system-view ; delete static-routes *    (W)

  system-view ; delete ipv6 static-routes *    (W)

  system-view ; delete vpn-instance *    (W)

  system-view ; delete ipv6 vpn-instance *    (W)

Feature: ospf            (Open Shortest Path First protocol related commands)

  display ospf *    (R)

  display ospfv3 *    (R)

  display debugging ospf *    (R)

  display debugging ospfv3 *    (R)

  reset ospf *    (W)

  debugging ospf *    (W)

  debugging ospfv3 *    (W)

  system-view ; ospf *    (W)

  system-view ; snmp-agent trap enable ospf *    (W)

  system-view ; interface * ; ospf *    (W)

  system-view ; ospfv3 *    (W)

  system-view ; interface * ; ospfv3 *    (W)

Feature: rip             (Routing Information Protocol related commands)

  display rip *    (R)

  display ripng *    (R)

  reset rip *    (W)

  reset ripng *    (W)

  debugging rip *    (W)

  display debugging rip *    (R)

  debugging ripng *    (W)

  display debugging ripng *    (R)

  system-view ; rip *    (W)

  system-view ; interface * ; rip *    (W)

  system-view ; ripng *    (W)

  system-view ; interface * ; ripng *    (W)

Feature: isis            (ISIS protocol related commands)

  display isis *    (R)

  reset isis *    (W)

  debugging isis *    (W)

  display debugging isis *    (R)

  system-view ; isis *    (W)

  system-view ; interface * ; isis *    (W)

Feature: bgp             (Border Gateway Protocol related commands)

  display debugging bgp *    (R)

  display bgp *    (R)

  reset bgp *    (W)

  refresh bgp *    (W)

  debugging bgp *    (W)

  system-view ; snmp-agent trap enable bgp    (W)

  system-view ; bgp *    (W)

Feature: l3vpn           (Layer 3 Virtual Private Network related commands)

  display ip vpn-instance *    (R)

  system-view ; ip vpn-instance *    (W)

  system-view ; interface * ; ip binding vpn-instance *    (W)

Feature: route-policy    (Routing Policy related commands)

  display route-policy *    (R)

  display ip prefix-list *    (R)

  display ipv6 prefix-list *    (R)

  display debugging route-policy *    (R)

  display ip community-list *    (R)

  display ip as-path *    (R)

  display ip extcommunity-list *    (R)

  reset ip prefix-list *    (W)

  reset ipv6 prefix-list *    (W)

  debugging route-policy *    (W)

  system-view ; ip prefix-list *    (W)

  system-view ; ipv6 prefix-list *    (W)

  system-view ; route-policy *    (W)

  system-view ; ip community-list *    (W)

  system-view ; ip as-path *    (W)

  system-view ; ip extcommunity-list *    (W)

Feature: multicast       (Multicast related commands)

  display multicast *    (R)

  display l2-multicast *    (R)

  reset multicast *    (W)

  debugging mfib *    (W)

  display debugging mfib *    (R)

  debugging l2mf *    (W)

  display debugging l2mf *    (R)

  debugging mrib *    (W)

  display debugging mrib *    (R)

  system-view ; multicast *    (W)

  system-view ; ip rpf-route-static *    (W)

  system-view ; delete ip rpf-route-static *    (W)

  system-view ; interface * ; multicast *    (W)

Feature: pim             (Protocol Independent Multicast related commands)

  display pim *    (R)

  debugging pim *    (W)

  display debugging pim *    (R)

  system-view ; pim *    (W)

  system-view ; interface * ; pim *    (W)

Feature: igmp            (Internet Group Management Protocol)

  display igmp *    (R)

  debugging igmp *    (W)

  display debugging igmp *    (R)

  reset igmp *    (W)

  system-view ; interface * ; igmp *    (W)

Feature: mld             (Multicast Listener Discovery for IPv6)

  display mld *    (R)

  debugging mld *    (W)

  display debugging mld *    (R)

  reset mld *    (W)

  system-view ; interface * ; mld *    (W)

# Display the feature list of the feature group L3.

<Sysname> display role feature-group name L3

Feature group: L3

Feature: route           (Route management related commands)

Feature: usr             (Unicast static route related commands)

Feature: ospf            (Open Shortest Path First protocol related commands)

Feature: rip             (Routing Information Protocol related commands)

Feature: isis            (ISIS protocol related commands)

Feature: bgp             (Border Gateway Protocol related commands)

Feature: l3vpn           (Layer 3 Virtual Private Network related commands)

Feature: route-policy    (Routing Policy related commands)

Feature: multicast       (Multicast related commands)

Feature: pim             (Protocol Independent Multicast related commands)

Feature: igmp            (Internet Group Management Protocol)

Feature: mld             (Multicast Listener Discovery for IPv6)

Related commands

·           feature

·           role feature-group

feature

Use feature to add a feature to a feature group.

Use undo feature to remove a feature from a feature group.

Syntax

feature feature-name

undo feature feature-name

Default

A user-defined feature group has no features.

Views

Feature group view

Predefined user roles

network-admin

mdc-admin

Parameters

feature-name: Specifies a feature name. You must enter the feature name exactly as it is displayed, including the case.

Usage guidelines

Repeat the feature command to add multiple features to a feature group.

Examples

# Add the features aaa and acl to the feature group security-features.

<Sysname> system-view

[Sysname] role feature-group name security-features

[Sysname-featuregrp-security-features] feature aaa

[Sysname-featuregrp-security-features] feature acl

Related commands

·           display role feature

·           display role feature-group

·           role feature-group

interface policy deny

Use interface policy deny to enter user role interface policy view.

Use undo interface policy deny to restore the default user role interface policy.

Syntax

interface policy deny

undo interface policy deny

Default

A user role has access to any interface.

Views

User role view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

The interface policy deny command denies the access of a user role to any interface.

To restrict the interface access of a user role to only a set of interfaces:

1.      Use interface policy deny to deny access to any interface.

2.      Use permit interface to specify accessible interfaces.

To create, remove, or configure an interface, enter its interface view, or specify the interface in a feature command, you must make sure that the interface is permitted by the interface policy of any user role that you are logged in with. The create and remove operations are available only to logical interfaces.

Any change to a user role interface policy takes effect only on users that log in with the user role after the change.

Examples

# Deny user role role1 access to any interface.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1] interface policy deny

[Sysname-role-role1-ifpolicy] quit

# Deny user role role1 access to any interface except GigabitEthernet 3/0/1 through GigabitEthernet 3/0/5.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1] interface policy deny

[Sysname-role-role1-ifpolicy] permit interface GigabitEthernet 3/0/1 to GigabitEthernet 3/0/5

Related commands

·           display role

·           permit interface

·           role

permit interface

Use permit interface to configure a list of interfaces accessible to a user role.

Use undo permit interface to disable the access of a user role to specific interfaces.

Syntax

permit interface interface-list

undo permit interface [ interface-list ]

Default

No permitted interfaces are configured in user role interface policy view. A user role cannot access any interface after you configure the interface policy deny command.

Views

User role interface policy view

Predefined user roles

network-admin

mdc-admin

Parameters

interface interface-list: Specifies a space-separated list of up to 10 interface items. Each interface item specifies one interface in the interface-type interface-number form or a range of interfaces in the interface-type interface-number to interface-type interface-number form. If an interface range is specified, the end interface must be the same type as the start interface and must have a higher interface number than the start interface.

Usage guidelines

To permit a user role to access an interface after you configure the interface policy deny command, you must add the interface to the permitted interface list of the policy. With the user role, you can create, remove, or configure only the interfaces in the permitted interface list, enter their views, and specify them in a feature command. The create and remove operations are available only to logical interfaces.

You can repeat the permit interface command to add permitted interfaces to a user role interface policy.

The undo permit interface command removes the entire list of permitted interfaces if no interface is specified.

Any change to a user role interface policy takes effect only on users that log in with the user role after the change.

Examples

# Permit the user role role1 to access GigabitEthernet 3/0/1 and GigabitEthernet 3/0/5 to GigabitEthernet 3/0/7, enter interface view and VLAN view, and execute all the commands that are available in interface view and VLAN view.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1] rule 1 permit command system-view ; interface *

[Sysname-role-role1] rule 2 permit command system-view ; vlan *

[Sysname-role-role1] interface policy deny

[Sysname-role-role1-ifpolicy] permit interface GigabitEthernet 3/0/1 GigabitEthernet 3/0/5 to GigabitEthernet 3/0/7

Verify that you cannot use the user role to work on any interfaces but GigabitEthernet 3/0/1 and GigabitEthernet 3/0/5 to GigabitEthernet 3/0/7:

# Verify that you can enter GigabitEthernet 3/0/1 interface view.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1]

# Verify that you can assign GigabitEthernet 3/0/5 to VLAN 10. In this example, the user role can access any VLAN because the default VLAN policy of the user role is used.

<Sysname> system-view

[Sysname] vlan 10

[Sysname-vlan10] port GigabitEthernet 3/0/5

# Verify that you cannot enter GigabitEthernet 3/0/2 interface view.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/2

Permission denied.

Related commands

·           display role

·           interface policy deny

·           role

permit vlan

Use permit vlan to configure a list of VLANs accessible to a user role.

Use undo permit vlan to remove the permission for a user role to access specific VLANs.

Syntax

permit vlan vlan-id-list

undo permit vlan [ vlan-id-list ]

Default

No permitted VLANs are configured in user role VLAN policy view.

Views

User role VLAN policy view

Predefined user roles

network-admin

mdc-admin

Parameters

vlan-id-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by its VLAN ID or a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. If a VLAN range is specified, vlan-id2 must be greater than vlan-id1.

Usage guidelines

To permit a user role to access a VLAN after you configure the vlan policy deny command, you must add the VLAN to the permitted VLAN list of the policy. With the user role, you can create, remove, or configure only the VLANs in the permitted VLAN list, enter their views, and specify them in a feature command.

You can repeat the permit vlan command to add permitted VLANs to a user role VLAN policy.

The undo permit vlan command removes the entire list of permitted VLANs if no VLAN is specified.

Any change to a user role VLAN policy takes effect only on users that log in with the user role after the change.

Examples

# Permit the user role role1 to access VLANs 2, 4, and 50 to 100, enter interface view and VLAN view and execute all the commands that are available in interface view and VLAN view.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1] rule 1 permit command system-view ; interface *

[Sysname-role-role1] rule 2 permit command system-view ; vlan *

[Sysname-role-role1] vlan policy deny

[Sysname-role-role1-vlanpolicy] permit vlan 2 4 50 to 100

Verify that you cannot use the user role to work on any VLAN but VLANs 2, 4, and 50 to 100:

# Verify that you can create VLAN 100 and enter its view.

<Sysname> system-view

[Sysname] vlan 100

[Sysname-vlan100]

# Verify that you can add port GigabitEthernet 3/0/1 to VLAN 100 as an access port.

<Sysname> system-view

[Sysname] interface GigabitEthernet3/0/1

[Sysname-GigabitEthernet3/0/1] port access vlan 100

# Verify that you cannot create VLAN 101 or enter its view.

<Sysname> system-view

[Sysname] vlan 101

Permission denied.

Related commands

·           display role

·           role

·           vlan policy deny

permit vpn-instance

Use permit vpn-instance to configure a list of VPNs accessible to a user role.

Use undo permit vpn-instance to disable the access of a user role to specific VPNs.

Syntax

permit vpn-instance vpn-instance-name&<1-10>

undo permit vpn-instance [ vpn-instance-name&<1-10> ]

Default

No permitted VPNs are configured in user role VPN instance policy.

Views

User role VPN instance policy view

Predefined user roles

network-admin

mdc-admin

Parameters

vpn-instance-name&<1-10>: Specifies a space-separated list of up to 10 MPLS L3VPN names. Each name is a case-sensitive string of 1 to 31 characters.

Usage guidelines

To permit a user role to access an MPLS L3VPN after you configure the vpn-instance policy deny command, you must add the VPN to the permitted VPN list of the policy. With the user role, you can create, remove, or configure only the VPNs in the permitted VPN list, enter their views, and specify them in a feature command.

You can repeat the permit vpn-instance command to add permitted MPLS L3VPNs to a user role VPN instance policy.

The undo permit vpn-instance command removes the entire list of permitted VPNs if no VPN is specified.

Any change to a user role VPN instance policy takes effect only on users that log in with the user role after the change.

Examples

# Permit the user role role1 to access the VPN instance vpn1 and to execute all the commands available in system view and in the child views of system view.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1] rule 1 permit command system-view ; *

[Sysname-role-role1] vpn-instance policy deny

[Sysname-role-role1-vpnpolicy] permit vpn-instance vpn1

Verify that you cannot use the user role to work on any VPN but vpn1:

# Verify that you can enter the view of vpn1.

<Sysname> system-view

[Sysname] ip vpn-instance vpn1

[Sysname-vpn-instance-vpn1]

# Verify that you can assign the primary accounting server at 10.110.1.2 to the VPN in the RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 vpn-instance vpn1

# Verify that you cannot create the VPN vpn2 or enter its view.

<Sysname> system-view

[Sysname] ip vpn-instance vpn2

Permission denied.

Related commands

·           display role

·           role

·           vpn-instance policy deny

role

Use role to create a user role and enter user role view. If the user role has been created, you directly enter the user role view.

Use undo role to delete a user role.

Syntax

role name role-name

undo role name role-name

Default

The system has 20 predefined user roles: network-admin, network-operator, mdc-admin, mdc-operator, and level-n (where n represents an integer in the range of 0 to 15).

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

name role-name: Specifies a user role name. The role-name argument is a case-sensitive string of 1 to 63 characters.

Usage guidelines

You can create up to 64 user roles in addition to the predefined user roles.

To change the permissions assigned to a user role, you must first enter its view.

You cannot delete the predefined user roles or change the permissions assigned to network-admin, network-operator, mdc-admin, mdc-operator or level-15.

If you are a local AAA authentication user logged in as network-operator or mdc-operator, you can change the password of your user account.

Examples

# Create the user role role1 and enter its view.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1]

Related commands

·           display role

·           interface policy deny

·           rule

·           vlan policy deny

·           vpn-instance policy deny

role default-role enable

Use role default-role enable to enable the default user role feature for remote AAA users.

Use undo role default-role enable to restore the default.

Syntax

role default-role enable

undo role default-role enable

Default

The default user role function is disabled. Remote AAA users that do not have a user role cannot log in to the device.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

A remote AAA authentication user must have at least one user role to log in to the device. The default user role feature allows a remote AAA authentication user that has not been assigned any user role to log in with a default user role:

·           For login to the default MDC, the default user role is network-operator.

·           For login to a non-default MDC, the default user role is mdc-operator.

If remote AAA users have been assigned to user roles, they log in with the user roles.

Examples

# Enable the default user role feature.

<Sysname> system-view

[Sysname] role default-role enable

Related commands

role

role feature-group

Use role feature-group to create a user role feature group and enter user role feature group view.

Use undo role feature-group to delete a user role feature group.

Syntax

role feature-group name feature-group-name

undo role feature-group name feature-group-name

Default

Two user role feature groups, L2 and L3, are created.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

name feature-group-name: Specifies a feature group name. The feature-group-name argument is a case-sensitive string of 1 to 31 characters.

Usage guidelines

Assign a set of features to a user role feature group for easy permission assignment management.

In addition to the predefined feature groups L2 and L3, you can create up to 64 user role feature groups. The L2 feature group includes all Layer 2 feature commands, and the L3 feature group includes all Layer 3 feature commands. These predefined feature groups cannot be deleted.

After you create a user role feature group, you can use the display role feature command to display the features available in the system and use the feature command to add features to the feature group.

Examples

# Create the feature group security-features.

<Sysname> system-view

[Sysname] role feature-group name security-features

[Sysname-featuregrp-security-features]

Related commands

·           display role feature-group

·           display role feature

·           feature

rule

Use rule to create or change a user role rule for controlling command access.

Use undo rule to delete a user role rule.

Syntax

rule number { deny | permit } { command command-string | { execute | read | write } * { feature [ feature-name ] | feature-group feature-group-name } }

undo rule { number | all }

Default

A user-defined user role has no rules and cannot use any command.

Views

User role view

Predefined user roles

network-admin

mdc-admin

Parameters

number: Specifies a rule number in the range of 1 to 256.

deny: Denies access to any specified command.

permit: Permits access to any specified command.

command command-string: Specifies a command string. The command-string argument is a case-insensitive string of 1 to 128 characters, including the wildcard asterisk (*), the delimiters space and tab, and all printable characters.

execute: Specifies the execute commands of a feature or feature group. An execute command (for example, ping) executes a specific function or program.

read: Specifies the read commands of a feature or feature group. A read command (for example, display, dir, more, or pwd) displays configuration or maintenance information.

write: Specifies the write commands of a feature or feature group. A write command (for example, ssh server enable) configures the system.

feature [ feature-name ]: Specifies one or all features. The feature-name argument specifies a feature name. If no feature name is specified, you specify all the features in the system. When you specify a feature, you must enter its name exactly as displayed by display role feature, including the case.

feature-group feature-group-name: Specifies a user-defined or pre-defined feature group. The feature-group-name argument represents the feature group name, a case-sensitive string of 1 to 31 characters. If the feature group has not been created, the rule takes effect after the group is created. To display the feature groups that have been created, use the display role feature-group command.

all: Deletes all the user role rules.

Usage guidelines

You can define the following types of rules for different access control granularities:

·           Command rule—Controls access to a command or a set of commands that match a command string (see Table 3).

·           Feature rule—Controls access to the commands of a feature by command type.

·           Feature group rule—Controls access to the commands of a group of features by command type.

You can configure up to 256 rules for a user role, but the total number of user role rules in the system cannot exceed 1024.

A user role can access the set of permitted commands specified in its rules. If two rules conflict, the one with the higher ID takes effect. For example, if rule 1 permits the ping command, rule 2 permits the tracert command, and rule 3 denies the ping command, the user role can use the tracert command but not the ping command.

Any rule modification, addition, or removal for a user role takes effect only on the users that log in with the user role after the change.

When you specify a command string, follow the guidelines in Table 3.

Table 3 Command string configuration rules

Rule: Semicolon (;) is the delimiter.

Guidelines:

·           Use a semicolon to separate the command of each view that you must enter before you access a command or a set of commands, except for the commands (for example, display and dir) available in user view or any view.

·           Each semicolon-separated segment must have at least one printable character.

·           To specify the commands in a view but not the commands in its subviews, use a semicolon as the last printable character in the last segment. To specify the commands in a view and its subviews, the last printable character in the last segment must not be a semicolon.

·           For example, you must enter system view before you enter interface view. To specify all the commands that start with ip in any interface view, use the "system ; interface * ; ip * ;" command string.

·           For another example, the "system ; radius scheme * ;" command string represents all the commands that start with radius scheme in system view. The "system ; radius scheme *" command string represents all the commands that start with radius scheme in system view and all the commands in RADIUS scheme view.

Rule: Asterisk (*) is the wildcard.

Guidelines:

·           An asterisk represents zero or more characters.

·           In a non-last segment, you can use an asterisk only at the end of the segment.

·           In the last segment, you can use an asterisk in any position of the segment. If the asterisk appears at the beginning, you cannot specify any printable characters behind it.

·           For example, the "system ; *" command string represents all the commands available in system view and all its subviews, and the "debugging * event" command string represents all event debugging commands available in user view.

Rule: Keyword abbreviation is allowed.

Guidelines:

·           You can specify a keyword by entering its first few characters. Any command that starts with this character string matches the rule.

·           For example, "rule 1 deny command dis mpls lsp protocol static asbr" denies access to the commands display mpls lsp protocol static asbr and display mpls lsp protocol static-cr asbr.

Rule: To control access to a command, you must specify the command immediately after the view to which the command is assigned.

Guidelines:

·           The rules that control command access for any subview of that view do not apply to the command.

·           For example, the "rule 1 deny command system ; interface * ; *" rule disables access to any command that is assigned to interface view, but you can still execute the acl number command in interface view, because this command is assigned to system view rather than interface view. To disable access to this command, use "rule 1 deny command system ; acl * ;".

Rule: Do not include the vertical bar (|), greater-than sign (>), or double greater-than sign (>>) when you specify display commands in a user role command rule.

Guidelines:

·           The system does not treat these redirect signs and the parameters that follow them as part of a command line, but user role command rules do. As a result, no rule that includes any of these signs can ever match.

·           For example, "rule 1 permit command display debugging > log" can never match, because the system has a display debugging command but not a display debugging > log command.

Examples

# Permit the user role role1 to execute the display acl command.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1] rule 1 permit command display acl

# Permit the user role role1 to execute all commands that start with display.

[Sysname-role-role1] rule 2 permit command display *

# Permit the user role role1 to execute the radius scheme aaa command in system view and use all commands assigned to RADIUS scheme view.

[Sysname-role-role1] rule 3 permit command system ; radius scheme aaa

# Deny the access of role1 to any read or write command of any feature.

[Sysname-role-role1] rule 4 deny read write feature

# Deny the access of role1 to any read command of the feature aaa.

[Sysname-role-role1] rule 5 deny read feature aaa

# Permit role1 to access all read, write, and execute commands of the feature group security-features.

[Sysname-role-role1] rule 6 permit read write execute feature-group security-features
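The following Python model is added here as an illustration of the command-string matching rules in Table 3 and of the conflict resolution in the usage guidelines (the matching rule with the highest number wins, and a role with no matching rule denies). It is not Comware code, and the device may differ in details. It assumes that a command is identified by the view it is assigned to (given as the list of view-entering commands) plus its text, so that acl number 2000 typed in interface view carries the view path ["system"]; that keyword abbreviation applies keyword by keyword and a command string matches any command line that starts with it; and it covers command rules only, not feature or feature-group rules. The rule set ROLE1, the view paths and the command lines are constructed for this example.

```python
# Added model of Comware RBAC command-rule matching; illustration code, not
# device code. Assumptions not stated on the page: a command carries the view
# it is ASSIGNED to plus its text; abbreviation is matched per keyword; a
# command string matches any command line that starts with it.
import re
from dataclasses import dataclass


@dataclass
class CommandRule:
    number: int
    action: str             # "permit" or "deny"
    views: list             # segments before the last: the views to enter
    command: str            # last segment: the command pattern
    include_subviews: bool  # False when the command string ends with ";"


def parse_command_string(text):
    """Split a command string on ';' and validate it per Table 3."""
    segments = [s.strip() for s in text.split(";")]
    include_subviews = True
    if segments[-1] == "":             # trailing ';': this view only, no subviews
        segments.pop()
        include_subviews = False
    if not segments or "" in segments:
        raise ValueError("every segment needs at least one printable character")
    for seg in segments[:-1]:          # non-last segment: '*' only at the end
        if "*" in seg and (seg.count("*") > 1 or not seg.endswith("*")):
            raise ValueError(f"'*' may only end a non-last segment: {seg!r}")
    last = segments[-1]                # last segment: a leading '*' must stand alone
    if last.startswith("*") and len(last) > 1:
        raise ValueError(f"nothing may follow a leading '*': {last!r}")
    return segments[:-1], last, include_subviews


def parse_rule(line):
    """Parse 'rule N { deny | permit } command command-string'."""
    m = re.fullmatch(r"rule\s+(\d+)\s+(deny|permit)\s+command\s+(.+)", line.strip())
    if not m:
        raise ValueError(f"not a command rule: {line!r}")
    views, command, subviews = parse_command_string(m.group(3))
    return CommandRule(int(m.group(1)), m.group(2), views, command, subviews)


def _keyword_match(pattern, keyword):
    """'*' is zero or more characters; a keyword matches anything it abbreviates."""
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.match(regex, keyword) is not None


def _segment_match(pattern, line):
    """Match one segment pattern against a command line, keyword by keyword."""
    def go(pat, act):
        if not pat:
            return True                # pattern exhausted: the line starts with it
        if pat[0] == "*":              # bare '*' swallows zero or more keywords
            return any(go(pat[1:], act[i:]) for i in range(len(act) + 1))
        return bool(act) and _keyword_match(pat[0], act[0]) and go(pat[1:], act[1:])
    return go(pattern.split(), line.split())


def _rule_matches(rule, view_path, command):
    depth = len(rule.views)
    if not all(_segment_match(p, v) for p, v in zip(rule.views, view_path)):
        return False
    if len(view_path) == depth:        # command assigned to the view the rule names
        return _segment_match(rule.command, command)
    if rule.include_subviews and len(view_path) > depth:
        return _segment_match(rule.command, view_path[depth])  # anything below it
    return False


def check(rules, view_path, command):
    """Highest-numbered matching rule wins; with no matching rule, access is denied."""
    hits = [r for r in rules if _rule_matches(r, view_path, command)]
    return max(hits, key=lambda r: r.number).action if hits else "deny"


# Constructed rule set for the demonstration (not from the page).
ROLE1 = [parse_rule(line) for line in (
    "rule 1 permit command ping",
    "rule 2 permit command tracert",
    "rule 3 deny command ping",                        # beats rule 1: higher ID
    "rule 4 permit command system ; *",                # system view and all subviews
    "rule 5 deny command system ; interface * ; *",    # commands assigned to interface view
    "rule 6 permit command display *",
    "rule 7 deny command dis mpls lsp protocol static asbr",   # abbreviation
    "rule 8 deny command system ; radius scheme * ;",  # system view only, not subviews
)]

if __name__ == "__main__":
    for path, cmd in (([], "ping 10.0.0.1"),
                      (["system"], "acl number 2000"),     # typed in interface view
                      (["system", "radius scheme aaa"], "primary accounting 10.110.1.2")):
        print(f"{' ; '.join(path + [cmd])!r}: {check(ROLE1, path, cmd)}")
```

Two outcomes are worth noting. With rule 5 denying "system ; interface * ; *", the command acl number 2000 entered in interface view is still permitted, because its view path is ["system"] and rule 4 covers it; only a rule ending in "system ; acl * ;" would catch it. And a rule written as "display debugging > log" never matches display debugging, because the model, like the device, treats ">" as just another keyword of the pattern.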

Related commands

·           display role

·           display role feature

·           display role feature-group

·           role

super

Use super to switch to a user role.

Syntax

super [ rolename ]

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

rolename: Specifies a user role, a case-sensitive string of 1 to 63 characters. The user role must exist in the system. If no user role is specified, this command switches the user role to network-admin or mdc-admin.

Usage guidelines

To switch the user role, an AUX or VTY user must pass authentication.

Examples

# Switch to the user role network-operator.

<Sysname> super network-operator

Password:

User privilege role is network-operator, and only those commands can be used that authorized to the role.

Related commands

·           authentication super (Security Command Reference)

·           super authentication-mode

·           super password

super authentication-mode

Use super authentication-mode to set an authentication mode for user role switching.

Use undo super authentication-mode to restore the default.

Syntax

super authentication-mode { local | scheme } *

undo super authentication-mode

Default

Local password authentication applies.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

local: Enables local password authentication.

scheme: Enables remote AAA authentication.

Usage guidelines

The authentication setting applies only to AUX and VTY users. A console user can switch the user role without authentication.

For local password authentication, use the super password command to set a password.

For remote AAA authentication, set the username and password on the RADIUS or HWTACACS server.

If you specify both local and scheme keywords, the keyword first entered in the command takes precedence, as follows:

·           scheme local—Enables remote-then-local authentication mode. The device first performs AAA authentication for user role switching. If the remote HWTACACS or RADIUS server does not respond or the AAA configuration on the device is invalid, local password authentication is performed.

·           local scheme—Enables local-then-remote authentication mode. The device first performs local password authentication. If no switching password is configured, the device performs remote authentication.

For more information about AAA, see Security Configuration Guide.

Examples

# Enable local-only authentication for user role switching.

<Sysname> system-view

[Sysname] super authentication-mode local

# Enable remote-then-local authentication for user role switching.

<Sysname> system-view

[Sysname] super authentication-mode scheme local

Related commands

·           authentication super (Security Command Reference)

·           super password

super password

Use super password to set a password for switching to a user role.

Use undo super password to restore the default.

Syntax

super password [ role rolename ] { hash | simple } password

undo super password [ role rolename ]

Default

No password is set for user role switching.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

role rolename: Specifies a user role, a case-sensitive string of 1 to 63 characters. The user role must exist in the system. If no user role is specified, this command sets a switching password for user role network-admin or mdc-admin.

hash: Sets a hashed password.

simple: Sets a plaintext password. The password is stored in hashed form.

password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 63 characters. If hash is specified, it must be a string of 1 to 110 characters.

Usage guidelines

Set a switching password if you configure local password authentication for user role switching.

It is a good practice to specify different switching passwords for different user roles.

Examples

# Set the switching password to abc for the user role network-operator.

<Sysname> system-view

[Sysname] super password role network-operator simple abc

Related commands

super authentication-mode

vlan policy deny

Use vlan policy deny to deny the access of a user role to any VLAN and enter user role VLAN policy view.

Use undo vlan policy deny to restore the default user role VLAN policy.

Syntax

vlan policy deny

undo vlan policy deny

Default

A user role has access to any VLAN.

Views

User role view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

The vlan policy deny command denies the access of a user role to any VLAN.

To restrict the VLAN access of a user role to only a set of VLANs:

1.      Use vlan policy deny to deny access to any VLAN.

2.      Use permit vlan to specify accessible VLANs.

To create, remove, or configure a VLAN, enter its view, or specify the VLAN in a feature command, you must make sure that the VLAN is permitted by the VLAN policy of any user role that you are logged in with.

Any change to a user role VLAN policy takes effect only on users that log in with the user role after the change.

Examples

# Deny the access of role1 to any VLAN.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1] vlan policy deny

[Sysname-role-role1-vlanpolicy] quit

# Deny the access of role1 to any VLAN but VLANs 50 to 100.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1] vlan policy deny

[Sysname-role-role1-vlanpolicy] permit vlan 50 to 100

Related commands

·           display role

·           permit vlan

·           role
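The following Python model is added here as an illustration of the permit vlan and vlan policy deny behaviour described above; it is not part of the H3C documentation or of Comware. It shows the default policy admitting every VLAN, vlan policy deny switching the role to an allow-list, permit vlan accumulating items parsed under the vlan-id-list parameter rules (1 to 10 items, IDs 1 to 4094, vlan-id2 greater than vlan-id1), undo permit vlan with no list clearing the whole list, and a policy change leaving already logged-in users untouched. That last point is represented by copying the policy into a Session object at login, which is this example's assumption about how to model the device, not something the page states; the practical consequence is that a VLAN revoked from a role stays available to users already logged in with that role until they log in again. The role, users and VLAN lists are constructed for this example.

```python
# Added model of a user role VLAN policy; illustration code, not Comware code.
# Assumption (not stated on the page): a login session snapshots the role's
# policy at login, which is how "takes effect only on users that log in with
# the user role after the change" is represented here.
from dataclasses import dataclass, field

MAX_VLAN_ITEMS = 10          # permit vlan accepts up to 10 space-separated items
VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_id_list(text):
    """Expand a vlan-id-list such as '2 4 50 to 100' into a set of VLAN IDs.

    Enforces the parameter rules: 1 to 10 items, IDs in 1..4094, and
    vlan-id2 greater than vlan-id1 for a range.
    """
    tokens = text.split()
    items, i = [], 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end = int(tokens[i + 2])
            if end <= start:
                raise ValueError(f"vlan-id2 must be greater than vlan-id1: {start} to {end}")
            i += 3
        else:
            end = start
            i += 1
        for vid in (start, end):
            if not VLAN_MIN <= vid <= VLAN_MAX:
                raise ValueError(f"VLAN ID out of range {VLAN_MIN}..{VLAN_MAX}: {vid}")
        items.append((start, end))
    if not 1 <= len(items) <= MAX_VLAN_ITEMS:
        raise ValueError(f"1 to {MAX_VLAN_ITEMS} VLAN items allowed, got {len(items)}")
    ids = set()
    for start, end in items:
        ids.update(range(start, end + 1))
    return ids


@dataclass
class VlanPolicy:
    """VLAN policy of one user role. Default: the role may access any VLAN."""
    deny: bool = False
    permitted: set = field(default_factory=set)

    def vlan_policy_deny(self):
        """'vlan policy deny': only explicitly permitted VLANs are accessible."""
        self.deny = True

    def permit_vlan(self, vlan_id_list):
        """'permit vlan ...': repeatable, each call adds to the permitted list."""
        self.permitted |= parse_vlan_id_list(vlan_id_list)

    def undo_permit_vlan(self, vlan_id_list=None):
        """'undo permit vlan [list]': with no list, the entire permitted list goes."""
        if vlan_id_list is None:
            self.permitted = set()
        else:
            self.permitted -= parse_vlan_id_list(vlan_id_list)

    def allows(self, vlan_id):
        return not self.deny or vlan_id in self.permitted

    def snapshot(self):
        return VlanPolicy(self.deny, set(self.permitted))


@dataclass
class Session:
    """A logged-in user. The policy copy taken at login is what is enforced."""
    user: str
    policy: VlanPolicy

    def can_access_vlan(self, vlan_id):
        return self.policy.allows(vlan_id)


def login(user, role_policy):
    return Session(user, role_policy.snapshot())


def scenario():
    """Replay the page's permit vlan example, then change the role afterwards."""
    role1 = VlanPolicy()
    role1.vlan_policy_deny()
    role1.permit_vlan("2 4 50 to 100")
    alice = login("alice", role1)      # logged in before the change
    role1.permit_vlan("101")           # operator widens the policy ...
    role1.undo_permit_vlan("4")        # ... and revokes VLAN 4
    bob = login("bob", role1)          # logged in after the change
    return alice, bob


if __name__ == "__main__":
    alice, bob = scenario()
    for vid in (4, 100, 101):
        print(f"VLAN {vid}: alice={alice.can_access_vlan(vid)} bob={bob.can_access_vlan(vid)}")
```

In the scenario, alice keeps VLAN 4 and never gains VLAN 101, while bob sees the updated list; the same login-time semantics apply to the interface and VPN instance policies described in this reference.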

vpn-instance policy deny

Use vpn-instance policy deny to deny the access of a user role to any VPN and enter user role VPN instance policy view.

Use undo vpn-instance policy deny to restore the default user role VPN instance policy.

Syntax

vpn-instance policy deny

undo vpn-instance policy deny

Default

A user role has access to any VPN.

Views

User role view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

The vpn-instance policy deny command denies the access of a user role to any VPN.

To restrict the VPN access of a user role to only a set of VPNs:

1.      Use vpn-instance policy deny to deny access to any VPN.

2.      Use permit vpn-instance to specify accessible VPNs.

To create, remove, or configure an MPLS L3VPN, enter its view, or specify it in a feature command, you must make sure that the VPN is permitted by the VPN instance policy of any user role that you are logged in with.

Any change to a user role VPN instance policy takes effect only on users that log in with the user role after the change.

Examples

# Deny the access of user role role1 to any VPN.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1] vpn-instance policy deny

[Sysname-role-role1-vpnpolicy] quit

# Deny the access of user role role1 to any VPN but vpn2.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1] vpn-instance policy deny

[Sysname-role-role1-vpnpolicy] permit vpn-instance vpn2

Related commands

·           display role

·           permit vpn-instance

·           role
