rule command

Function

The rule command command creates a rule in a user group to allow a command or multiple commands to be executed in a specific view.

The undo rule command command cancels the configuration.

By default, no rule is configured in a user group.

Format

rule command rule-name { permit | deny } view view-name expression command-string

undo rule command rule-name

Parameters

| Parameter | Description | Value |
|---|---|---|
| rule-name | Specifies the name of a rule. | The value is a string of 1 to 15 case-insensitive characters. |
| permit | Allows a command to be executed in a specific view. | - |
| deny | Prohibits a command from being executed in a specific view. | - |
| view view-name | Specifies the name of a view. | The value can be any view supported by the system. |
| expression command-string | Specifies a command or a batch of commands with the same prefix. | The value can be any command supported by the system. The value is a string of 1 to 1604 characters. |

Views

User group view

Default Level

3: Management level

Task Name and Operations

| Task Name | Operations |
|---|---|
| aaa | write |

Usage Guidelines

Usage Scenario

To provide granular management and flexible configuration, run the rule command command to allow or prohibit the execution of a command, or a batch of commands with the same prefix, in a view.

Rule priorities, in descending order, are: rules configured in the user group view (including the rules inherited from other user groups using the include user-group command), rules configured in the task group view (rule command), and tasks configured in the task group (task).

Precautions

In the same user group, two rules with the same view and keyword cannot be configured. For example, if the sysname command is allowed to be executed in the system view in rule 1, the sysname command cannot be configured in a second rule.

If the rules configured in a user group conflict with the rules inherited from other user groups using the include user-group command, the rules configured in the user group take effect preferentially.

If the rule command command is run several times, the latest configuration overrides the previous one.

Example

# Create a rule in the user group named group1 to allow the sysname command to be executed in the system view.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] user-group group1
[*HUAWEI-aaa-user-group-group1] rule command command1 permit view system expression sysname
# Create a rule in the user group named group1 to allow all the commands starting with hwtacacs to be executed in the system view.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] user-group group1
[*HUAWEI-aaa-user-group-group1] rule command command2 permit view system expression hwtacacs
# Create a rule in the user group named group2 to deny the sysname command from being executed in the system view.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] user-group group2
[*HUAWEI-aaa-user-group-group2] rule command command3 deny view system expression sysname
# Create a rule in the user group named group2 to deny the execution of all the commands starting with hwtacacs in the system view.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] user-group group2
[*HUAWEI-aaa-user-group-group2] rule command command4 deny view system expression hwtacacs
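The following offline audit sketch is an added example in Python, not Huawei code or device output. It applies the constraints stated above (rule-name and expression lengths, case-insensitive rule names, re-running a rule overrides it, no two rules with the same view and keyword, own rules before inherited ones) to a constructed configuration. Assumptions: the argument of include user-group is a group name, an expression matches as a command prefix, any matching own rule is evaluated before inherited rules, and the longest matching prefix wins within a tier.

```python
import re

RULE = re.compile(r"rule command (\S+) (permit|deny) view (\S+) expression (.+)")

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
user-group base
 rule command r1 deny view system expression hwtacacs
 rule command r2 permit view system expression sysname
user-group ops
 include user-group base
 rule command c1 permit view system expression hwtacacs
 rule command C1 permit view system expression hwtacacs-server
 rule command c2 deny view system expression sysname
 rule command c3 permit view system expression sysname
"""

def parse(text):
    """Return ({group: {"rules": {name: (action, view, expr)}, "include": [...]}}, findings)."""
    groups, findings, cur = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("user-group "):
            cur = groups.setdefault(line.split()[1], {"rules": {}, "include": []})
        elif line.startswith("include user-group ") and cur is not None:
            cur["include"].append(line.split()[2])  # assumed argument: a group name
        elif cur is not None and (m := RULE.fullmatch(line)):
            name, action, view, expr = m.groups()
            key = name.lower()  # rule names are case-insensitive
            if not (1 <= len(name) <= 15 and 1 <= len(expr) <= 1604):
                findings.append(f"{name}: name or expression length out of range")
            elif clash := [n for n, r in cur["rules"].items() if n != key and r[1:] == (view, expr)]:
                findings.append(f"{name}: same view and keyword as {clash[0]}")
            else:
                cur["rules"][key] = (action, view, expr)  # re-running a rule overrides it
    return groups, findings

def decide(groups, group, view, command):
    """Return 'permit'/'deny' from user-group rules, or None when no rule matches."""
    own = list(groups[group]["rules"].values())
    inherited = [r for g in groups[group]["include"] if g in groups
                 for r in groups[g]["rules"].values()]
    for tier in (own, inherited):  # own rules take effect before inherited ones
        hits = [r for r in tier if r[1] == view and command.startswith(r[2])]
        if hits:  # assumption: the longest matching prefix wins within a tier
            return max(hits, key=lambda r: len(r[2]))[0]
    return None  # falls through to task-group rules and tasks, not modelled here
```

In the sample, re-running rule c1 as C1 narrows the permitted prefix to hwtacacs-server, so other hwtacacs commands fall back to the inherited deny; this kind of silent override is what a review of user-group rules should look for.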
Copyright © Huawei Technologies Co., Ltd.