Example of a rule set in configuration mode
To manage the routing protocols on the system, a user needs access only to the interfaces, policy, and routing-protocol subtrees of the configuration, and no access to anything else (in particular, not to the login and ACM configuration that defines the roles themselves).
To configure RBAC for such users, add a protocol administrator group and a rule set that binds that group to exactly those subtrees.
To add the protocol administrator group and define the rules for this group of users, perform the following steps in configuration mode (and commit the result).
Step | Description | Command |
---|---|---|
1 | Create a protocol administrator group. | vyatta@R1# set system login group protoadmin |
2 | Add a user to the group. | vyatta@R1# set system login user john group protoadmin |
3 | Create a rule that allows all operations on /protocols. | vyatta@R1# set system acm ruleset rule 10 action allow<br>vyatta@R1# set system acm ruleset rule 10 group protoadmin<br>vyatta@R1# set system acm ruleset rule 10 operation "*"<br>vyatta@R1# set system acm ruleset rule 10 path /protocols |
4 | Create a rule that allows all operations on /policy. | vyatta@R1# set system acm ruleset rule 20 action allow<br>vyatta@R1# set system acm ruleset rule 20 group protoadmin<br>vyatta@R1# set system acm ruleset rule 20 operation "*"<br>vyatta@R1# set system acm ruleset rule 20 path /policy |
5 | Create a rule that allows all operations on /interfaces. | vyatta@R1# set system acm ruleset rule 30 action allow<br>vyatta@R1# set system acm ruleset rule 30 group protoadmin<br>vyatta@R1# set system acm ruleset rule 30 operation "*"<br>vyatta@R1# set system acm ruleset rule 30 path /interfaces |
6 | Deny all operations on all other paths for users of the protoadmin group. This catch-all rule must carry the highest rule number so that the allow rules above it are matched first. | vyatta@R1# set system acm ruleset rule 40 action deny<br>vyatta@R1# set system acm ruleset rule 40 group protoadmin<br>vyatta@R1# set system acm ruleset rule 40 operation "*"<br>vyatta@R1# set system acm ruleset rule 40 path "*" |
The following example shows the configuration-mode rule set that results from the steps in "Adding a protocol administrator group and defining the rules for the group". Rules are matched in ascending order of rule number, so the three allow rules (10, 20, 30) are consulted before the deny-all rule (40).
super@vyatta# show system acm ruleset
rule 10 {
action allow
group protoadmin
operation "*"
path /protocols
}
rule 20 {
action allow
group protoadmin
operation "*"
path /policy
}
rule 30 {
action allow
group protoadmin
operation "*"
path /interfaces
}
rule 40 {
action deny
group protoadmin
operation "*"
path "*"
}
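To check that a rule set like the one above actually confines the group before deploying it, it helps to replay the matching logic over the paths you care about. The following is an added example, not code from the Vyatta documentation or product: a small simulator that assumes rules are evaluated in ascending rule number with the first matching rule deciding, that a path rule covers the named node and everything beneath it, that "*" matches any operation or path, and that when no rule matches the configured ACM default for that operation applies (the per-operation defaults are collapsed into a single `default` argument here). The `MISORDERED_RULESET` and `SENSITIVE_PATHS` values are constructed for the demonstration.

```python
"""First-match simulation of a Vyatta 'system acm ruleset'.

Added example, not code from the Vyatta documentation. Assumptions:
rules are evaluated in ascending rule number and the first rule whose
group, operation and path all match decides; a path rule covers the node
named and everything beneath it; "*" matches any operation or path; when
no rule matches, the configured default for that operation applies (the
per-operation defaults are collapsed into one 'default' argument here).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    number: int
    action: str     # "allow" or "deny"
    group: str      # login group the rule applies to
    operation: str  # "*" or one of create, read, update, delete, exec
    path: str       # "*" or a configuration path such as "/protocols"


# Transcribed from the protoadmin ruleset shown above.
PROTOADMIN_RULESET: List[Rule] = [
    Rule(10, "allow", "protoadmin", "*", "/protocols"),
    Rule(20, "allow", "protoadmin", "*", "/policy"),
    Rule(30, "allow", "protoadmin", "*", "/interfaces"),
    Rule(40, "deny", "protoadmin", "*", "*"),
]

# Constructed mistake: the same rules, but the catch-all deny numbered lowest.
MISORDERED_RULESET: List[Rule] = [Rule(5, "deny", "protoadmin", "*", "*")] + PROTOADMIN_RULESET[:3]

# Constructed list of subtrees a routing operator must never be able to write.
SENSITIVE_PATHS = ["/system/login", "/system/acm", "/service/ssh", "/firewall"]


def _path_matches(rule_path: str, requested: str) -> bool:
    """Match on whole path components so /protocols does not cover /protocolsx."""
    if rule_path == "*":
        return True
    rule_parts = [p for p in rule_path.split("/") if p]
    req_parts = [p for p in requested.split("/") if p]
    return req_parts[: len(rule_parts)] == rule_parts


def first_match(rules: Iterable[Rule], groups: Set[str], operation: str, path: str) -> Optional[Rule]:
    """Return the lowest-numbered rule that matches, or None if none does."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.group not in groups:
            continue
        if rule.operation not in ("*", operation):
            continue
        if _path_matches(rule.path, path):
            return rule
    return None


def is_allowed(rules: Iterable[Rule], groups: Set[str], operation: str, path: str,
               default: str = "deny") -> bool:
    """Decision for one request: the first matching rule, else the ACM default."""
    rule = first_match(rules, groups, operation, path)
    return (rule.action if rule else default) == "allow"


def writable_sensitive_paths(rules: Iterable[Rule], groups: Set[str],
                             default: str = "deny") -> List[str]:
    """Sensitive subtrees the given groups can change; an empty list is the goal."""
    return [p for p in SENSITIVE_PATHS
            if any(is_allowed(rules, groups, op, p, default)
                   for op in ("create", "update", "delete"))]


if __name__ == "__main__":
    g = {"protoadmin"}
    for op, p in [("update", "/protocols/bgp/65000"), ("create", "/system/login/user/mallory")]:
        r = first_match(PROTOADMIN_RULESET, g, op, p)
        print(f"{op} {p}: rule {r.number} -> {r.action}")
    print("misordered /protocols read allowed:", is_allowed(MISORDERED_RULESET, g, "read", "/protocols"))
    print("sensitive paths protoadmin can write:", writable_sensitive_paths(PROTOADMIN_RULESET, g))
```

Two things the simulation makes visible that the listing alone does not: if the catch-all deny is numbered below the allow rules it swallows every request, so the group can do nothing; and without a catch-all deny the group's reach on paths such as /system/login is decided by the ACM defaults rather than by the rule set, which is exactly the gap that would let a routing operator add themselves to a more privileged group.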
The following example shows the system login configuration with the protoadmin group defined and the user john as a member of it. The rule set keys on the group membership shown under the user, not on the user name, so adding further users to protoadmin gives them the same confined access without changing the rules.
super@vyatta# show system login
group protoadmin {
}
user john {
authentication {
encrypted-password *******
}
group protoadmin
level admin
}
super@vyatta#