The rule is the basic element of a role. A rule defines what operations the role allows the user to perform.
Up to 16 rules can be configured for each role. The user-specified rule number determines the order in which the rules are applied. Rules are applied in ascending order. For example, rule 1 is applied before rule 2, which is applied before rule 3, and so on. A user not belonging to the network-admin role cannot perform commands related to roles.
Note: A deny-all statement is assumed as rule 0, so no action is possible for a user role unless it is explicitly permitted.
Each rule consists of a rule number, a rule type (permit or deny), a command type (for example, config, clear, show, exec, debug), and an optional feature name (for example, FSPF, zone, VSAN, fcping, or interface).
Regardless of the read-write rules configured for a user role, some commands can be executed only through the predefined network-admin role. For example, even if user A is permitted to perform all show commands, user A cannot view the output of the show role command unless user A belongs to the network-admin role.
In cases where a default role is applicable to all users, and a configured role is applicable for specific users, consider the following scenarios:
Same rule type (permit or deny): If the default role and the configured role for a specific user have the same rule type, the specific user will have access to all the rules of both the default role and the configured role.
If the default role, say A, has the following rules:
rule 5 permit show feature environment
rule 4 permit show feature hardware
rule 3 permit config feature ssh
rule 2 permit config feature ntp
rule 1 permit config feature tacacs+
and a specific user is assigned to the following role, say B, with one rule:
rule 1 permit config feature dpvm
the specific user will have access to the rules of both A and B.
Different rule type: If the default role and the configured role for a specific user have different rule types for a particular rule, the default role will override the conflicting rule statement of the configured role.
If the default role, say A, has the following rules:
rule 5 permit show feature environment
rule 4 permit show feature hardware
rule 3 permit config feature ssh
rule 2 permit config feature ntp
rule 1 permit config feature tacacs+
and a specific user is assigned to the following role, say B, with two rules:
rule 6 permit config feature dpvm
rule 2 deny config feature ntp
Rule 2 of A and rule 2 of B conflict. In this case, A overrides the conflicting rule of B, and the user is assigned the remaining rules of A and B, including the overridden rule:
rule 6 permit config feature dpvm
rule 5 permit show feature environment
rule 4 permit show feature hardware
rule 3 permit config feature ssh
rule 2 permit config feature ntp → Overridden rule
rule 1 permit config feature tacacs+
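The merging and evaluation behaviour described above, modelled as an added example (constructed here, not Cisco code): roles are lists of parsed rules, a default role and a configured role are combined with the default role winning any same-number conflict of opposite type, and a command is checked against the implicit deny-all rule 0 followed by the rules in ascending order. The assumption that the last matching rule decides the outcome is this example's reading of "applied in ascending order"; the role names ROLE_A and ROLE_B and the function names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    number: int
    action: str             # "permit" or "deny"
    command: str            # config, clear, show, exec, debug
    feature: Optional[str]  # None: the rule covers every feature

def parse_rule(line: str) -> Rule:
    """Parse the rule syntax shown on this page,
    e.g. 'rule 2 deny config feature ntp' or 'rule 1 permit show'."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "rule" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"malformed rule: {line!r}")
    feature = parts[5] if len(parts) >= 6 and parts[4] == "feature" else None
    return Rule(int(parts[1]), parts[2], parts[3], feature)

def merge_roles(default_role, configured_role):
    """Combine the default role (A) with a user's configured role (B): the user
    gets the rules of both, except that a B rule whose number matches an A rule
    of the opposite type is dropped, so A's rule wins the conflict."""
    def overridden(b):
        return any(a.number == b.number and a.action != b.action for a in default_role)
    merged = list(default_role) + [b for b in configured_role if not overridden(b)]
    return sorted(merged, key=lambda r: r.number)

def is_permitted(rules, command, feature=None):
    """Rule 0 is the implicit deny-all; rules are then applied in ascending
    order, and the last matching rule decides (assumed reading of the page)."""
    decision = "deny"                      # implicit rule 0
    for r in sorted(rules, key=lambda r: r.number):
        if r.command == command and r.feature in (None, feature):
            decision = r.action
    return decision == "permit"

# Constructed input: roles A and B from the 'Different rule type' scenario
ROLE_A = [parse_rule(s) for s in (
    "rule 5 permit show feature environment",
    "rule 4 permit show feature hardware",
    "rule 3 permit config feature ssh",
    "rule 2 permit config feature ntp",
    "rule 1 permit config feature tacacs+",
)]
ROLE_B = [parse_rule(s) for s in (
    "rule 6 permit config feature dpvm",
    "rule 2 deny config feature ntp",
)]
```

Calling merge_roles(ROLE_A, ROLE_B) yields rules 1 through 6, all permit, with B's deny on ntp dropped; is_permitted on that result allows config ntp but still denies anything no rule covers, such as clear commands.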