Rule set in operation for the security group
After the security group is created, non members of the group are unable to change the ACM or login information, even if they are members of the administrator group.
Consider two users, secadmin and cosadmin, who belong to the administrator group. Secadmin is a member of the security group. Cosadmin is not a member of the security group.
secadmin@vyatta:~$ configure
secadmin@vyatta# set system login user secadmin level superuser
secadmin@vyatta# commit
cosadmin@vyatta# set system login user cosadmin level superuser
access denied