Example of a rule set in operational mode
Operational mode has a rule set, like the one for configuration mode, that allows administrators to specify which operational mode commands a user is allowed to run. For example, a protocol administrator needs to execute only the show interfaces and show ip families of commands and, therefore, should not be allowed to run other administrative actions.
To define the operational mode rules for the protocol administrator group (protoadmin), perform the following steps in configuration mode.
Step | Description | Command
---|---|---
1 | Create a rule allowing all operations on /show/ip for the protoadmin group. |
2 | Create a rule allowing all operations on /show/interfaces for the protoadmin group. |
3 | Create a rule allowing all operations on /configure for the protoadmin group. |
4 | Deny all operations on all other paths for the protoadmin group. |
The following example shows the operational mode rule set that is configured by the steps in Defining the operational mode rules for the protocol administrator group.
super@vyatta# show system acm operational-ruleset
rule 10 {
    action allow
    command "/show/ip/*"
    group protoadmin
}
rule 20 {
    action allow
    command "/show/interfaces/*"
    group protoadmin
}
rule 30 {
    action allow
    command /configure
    group protoadmin
}
rule 40 {
    action deny
    command "*"
    group protoadmin
}
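To see why the catch-all deny rule must carry the highest number, the following added example (not part of the original page or of the Vyatta product) models the protoadmin rule set above and evaluates operational commands against it. It assumes that rules are checked in ascending rule number with the first match deciding, that the command path is the command words joined by "/", and that a group with no matching rule is denied.

```python
from fnmatch import fnmatchcase

# Constructed: the protoadmin operational-ruleset from the page,
# as (rule number, action, command pattern, group) tuples.
OPERATIONAL_RULESET = [
    (10, "allow", "/show/ip/*", "protoadmin"),
    (20, "allow", "/show/interfaces/*", "protoadmin"),
    (30, "allow", "/configure", "protoadmin"),
    (40, "deny", "*", "protoadmin"),
]


def command_path(command):
    """Turn an operational command ('show ip route') into an ACM-style path ('/show/ip/route')."""
    return "/" + "/".join(command.split())


def evaluate(ruleset, group, command, default="deny"):
    """Return (action, rule number) for the first rule of `group` whose pattern matches.

    Assumption: rules are evaluated in ascending rule number and the first match
    wins; a group with no matching rule falls back to `default` (deny).
    """
    path = command_path(command)
    for number, action, pattern, rule_group in sorted(ruleset):
        if rule_group != group:
            continue
        if fnmatchcase(path, pattern):
            return action, number
    return default, None


def shadowed_rules(ruleset):
    """Return rule numbers that can never match because an earlier rule for the
    same group already matches every path ('*'). A non-empty result usually means
    the catch-all deny was numbered too low and silently blocks the allow rules."""
    shadowed = []
    groups_with_catch_all = set()
    for number, _action, pattern, rule_group in sorted(ruleset):
        if rule_group in groups_with_catch_all:
            shadowed.append(number)
        elif pattern == "*":
            groups_with_catch_all.add(rule_group)
    return shadowed
```

Renumbering the deny rule to 5 makes shadowed_rules report 10, 20 and 30, which is the misconfiguration this ordering check is meant to catch.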
The following example shows system login information for the protoadmin group, with a user called john as a member of that group.
super@vyatta# show system login
group protoadmin {
}
user john {
    authentication {
        encrypted-password *******
    }
    group protoadmin
    level admin
}
super@vyatta#