Command Reference vA5(1.0) and earlier, Cisco ACE Application Control Engine
Role Configuration Mode Commands

Role configuration mode commands allow you to define rules for users who are assigned a role and, optionally, to describe a role definition. Roles determine the privileges that a user has, the commands a user can enter, and the actions that a user can perform in a particular context.

To assign a role and access role configuration mode, enter the role command in configuration mode. The CLI prompt changes to (config-role). For information about the commands in role configuration mode, see the commands in this section. Use the no form of this command to remove the user role assignment.

role name

no role name

Syntax Description

name

Identifier associated with a user role. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.


Usage Guidelines

The commands in this mode require the context Admin user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

If you do not assign a user role to a new user, the default user role is Network-Monitor. For users that you create in the Admin context, the default scope of access is the entire device. For users that you create in other contexts, the default scope of access is the entire context. If you need to restrict a user's access, you must assign a role-domain pair using the (config) username command.

Examples

To assign a role, enter:

host1/C1(config)# role TECHNICIAN
host1/C1(config-role)#

To remove the role from the configuration, enter:

host1/C1(config)# no role TECHNICIAN

Related Commands

This command has no related commands.

(config-role) description

To enter a description for the role, use the description command. Use the no form of this command to remove the role description from the configuration.

description text

no description

Syntax Description

text

Description for the role. Enter a description as an unquoted text string with a maximum of 240 alphanumeric characters.


Command Modes

Role configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

This example shows how to provide an additional description about a role:

host1/C1(config-role)# description DEFINES TECHNICIAN ROLE

To remove the description from the configuration, enter:

host1/C1(config-role)# no description DEFINES TECHNICIAN ROLE

Related Commands

This command has no related commands.

(config-role) rule

To assign privileges on a per-feature basis to a role, use the rule command. You can limit the features that a user has access to and the commands that the user can enter for that feature by configuring rules for roles. Use the no form of this command to remove the rule from a user role.

rule number {{permit | deny} {create | debug | modify | monitor} [feature {AAA | access-list | changeto | config-copy | connection | dhcp | exec-commands | fault-tolerant | inspect | interface | loadbalance | nat | pki | probe | real-inservice | routing | rserver | serverfarm | ssl | sticky | syslog | vip}]}

no rule number

Syntax Description

number

Identifier of the rule and order of precedence. Enter a unique integer from 1 to 16. The rule number determines the order in which the ACE applies the rules, with a higher-numbered rule applied after a lower-numbered rule.

permit

Allows the role to perform the operations defined by the rest of the command keywords.

deny

Prevents the role from performing the operations defined by the rest of the command keywords.

create

Specifies commands for the creation of new objects or the deletion of existing objects (includes modify, debug, and monitor commands).

debug

Specifies commands for debugging problems (includes monitor commands).

modify

Specifies commands for modifying existing configurations (includes debug and monitor commands).

monitor

Specifies commands for monitoring resources and objects (show commands).

feature

(Optional) Specifies a particular ACE feature for which you are configuring this rule. The available features are listed below.

AAA

Specifies commands for authentication, authorization, and accounting.

access-list

Specifies commands for access control lists (ACLs). Includes ACL configuration, class maps for ACLs, and policy maps that contain ACL class maps.

changeto

Specifies the changeto command for user-defined roles. Users retain their privileges when accessing different contexts. By default, this command is disabled for user-defined roles.

config-copy

Specifies commands for copying the running-config to the startup-config, startup-config to the running-config, and copying both config files to the Flash disk (disk0:) or a remote server.

connection

Specifies commands for network connections.

dhcp

Specifies commands for Dynamic Host Configuration Protocol (DHCP).

exec-commands

Specifies the following commands for user-defined roles: capture, debug, delete, gunzip, mkdir, move, rmdir, set, setup, system, tac-pac, untar, write, and undebug. By default, these commands are disabled for user-defined roles.

fault-tolerant

Specifies commands for redundancy.

inspect

Specifies commands for packet inspection used in data-center security.

interface

Specifies all interface commands.

loadbalance

Specifies commands for load balancing (for the ACE appliance, this includes the application acceleration and optimization functions). Allows adding a load-balancing action in a policy map.

nat

Specifies commands for Network Address Translation (NAT) associated with a class map in a policy map used in data-center security.

pki

Specifies commands for public key infrastructure (PKI).

probe

Specifies commands for keepalives for real servers.

real-inservice

Specifies commands for placing a real server in service.

routing

Specifies all commands for routing, both global and per interface.

rserver

Specifies commands for physical servers.

serverfarm

Specifies commands for server farms.

ssl

Specifies commands for SSL.

sticky

Specifies commands for server persistence.

syslog

Specifies the system logging facility setup commands.

vip

Specifies commands for virtual IP addresses.


Command Modes

Role configuration mode.

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.
A2(1.3)                 The changeto and exec-commands options were added to this command.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.
A3(2.2)                 The changeto and exec-commands options were added to this command.


Usage Guidelines

(ACE appliance only) To allow a user with a customized role to work from the ACE Appliance Device Manager, you must configure the role with rules that permit the create operation for the config-copy and exec-commands features.

Examples

To configure a rule that allows a role to create and configure real servers, enter:

host1/C1(config-role)# rule 1 permit create feature rserver

To remove the rule from a role, enter:

host1/C1(config-role)# no rule 1 permit create feature rserver

Related Commands

This command has no related commands.
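
A review aid for role definitions, added here as an example (it is not Cisco code): the Python below checks each rule line against the syntax and limits given in the rule Syntax Description and expands each operation into the operations it includes. The function name audit_role, the wording of the findings and the sample role block are assumptions made for the example, and flagging a permit rule that has no feature keyword is this example's review choice.

```python
import re
# Keywords and limits below are copied from the rule syntax on this page.
FEATURES = set("""AAA access-list changeto config-copy connection dhcp exec-commands
    fault-tolerant inspect interface loadbalance nat pki probe real-inservice routing
    rserver serverfarm ssl sticky syslog vip""".split())
# Each operation also includes the ones the Syntax Description lists for it.
INCLUDES = {"create": ["create", "modify", "debug", "monitor"], "debug": ["debug", "monitor"],
            "modify": ["modify", "debug", "monitor"], "monitor": ["monitor"]}
# The page says these features are disabled by default for user-defined roles.
OFF_BY_DEFAULT = {"changeto", "exec-commands"}
RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+(create|debug|modify|monitor)"
                     r"(?:\s+feature\s+(\S+))?$")

def audit_role(config_text):
    """Parse one role block; return (rules in the order they are applied, findings)."""
    rules, findings, seen = [], [], set()
    for line in map(str.strip, config_text.splitlines()):
        if not line.startswith("rule "):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append(f"unparsed: {line}")
            continue
        num, action, op, feature = int(m[1]), m[2], m[3], m[4]
        if not 1 <= num <= 16:
            findings.append(f"rule {num}: number outside 1-16")
        if num in seen:
            findings.append(f"rule {num}: duplicate rule number")
        seen.add(num)
        if feature is not None and feature not in FEATURES:
            findings.append(f"rule {num}: unknown feature {feature}")
        if action == "permit" and feature is None:
            findings.append(f"rule {num}: permit {op} is not scoped to a feature")
        if action == "permit" and feature in OFF_BY_DEFAULT:
            findings.append(f"rule {num}: enables {feature} (off by default)")
        rules.append({"number": num, "action": action, "feature": feature,
                      "operations": INCLUDES[op]})
    return sorted(rules, key=lambda r: r["number"]), findings

# Constructed sample role block (not taken from a real device).
SAMPLE = """\
role TECHNICIAN
  rule 1 permit create feature rserver
  rule 2 permit modify
  rule 3 permit create feature exec-commands
  rule 17 deny debug feature vip
  rule 3 permit monitor feature ssl-proxy
"""
if __name__ == "__main__": print(*audit_role(SAMPLE)[1], sep="\n")
```

The operations list on each returned rule shows the effect of the hierarchy: a single permit create rule on a feature also covers modify, debug and monitor commands for that feature.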