Path matching
The system configuration is modeled as a tree, and the user can filter any path of that tree. The system supports only absolute addressing, which begins with / as the root, and uses the wildcard operator (*) as the path language.
Operational mode paths are absolute and do not match their children unless a wildcard operator (*) is included at the end of the path. Omitting the wildcard operator therefore restricts the user to specific commands.
In the following example, rule 1 restricts the use of the show command to only show interfaces and rule 2 denies all other show commands.
rule 1 {
    action allow
    path "/show/interfaces"
}
rule 2 {
    action deny
    path "/show/*"
}
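The following Python model is an added example, not the product's own code; it shows how the two rules above decide a command, including the child-path case. It assumes that rules are tried in ascending rule number with the first match winning, that a command's words map to path elements, and that a trailing * matches one or more remaining elements; the function names and sample commands are constructed for illustration.

```python
# Added illustration: a simplified model of the path matching described
# above. Not the product's implementation; semantics marked "assumed" below.

def split_path(path):
    """Split an absolute path such as "/show/interfaces" into elements."""
    if not path.startswith("/"):
        raise ValueError("only absolute paths are supported: %r" % path)
    return [p for p in path.split("/") if p]

def path_matches(pattern, command_path):
    """Return True if command_path is matched by pattern.

    Assumed: '*' matches exactly one element, except that a trailing '*'
    also matches every deeper child. Without a trailing '*' the pattern
    matches only the exact path, never its children (as the text states).
    """
    pat, cmd = split_path(pattern), split_path(command_path)
    trailing = bool(pat) and pat[-1] == "*"
    if trailing:
        if len(cmd) < len(pat):
            return False
    elif len(cmd) != len(pat):
        return False
    return all(p == "*" or p == c for p, c in zip(pat, cmd))

def evaluate(rules, command):
    """Return (rule number, action) of the first matching rule, or None.

    Assumed: rules are tried in ascending rule number, first match wins,
    and each word of the command becomes one path element.
    """
    path = "/" + "/".join(command.split())
    for number in sorted(rules):
        action, pattern = rules[number]
        if path_matches(pattern, path):
            return number, action
    return None  # no rule matched; the default action is outside this model

# The two rules from the example above.
RULES = {1: ("allow", "/show/interfaces"), 2: ("deny", "/show/*")}

if __name__ == "__main__":
    # Constructed sample commands.
    for cmd in ("show interfaces", "show interfaces detail",
                "show version", "ping 192.0.2.1"):
        print(cmd, "->", evaluate(RULES, cmd))
```

Because rule 1 has no trailing wildcard, a child such as "show interfaces detail" is not covered by the allow rule and is caught by rule 2; a path of "/show/interfaces/*" would be needed to allow it.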