Role Configuration Mode Commands
Role configuration mode commands allow you to define rules for users who are assigned a role and, optionally, to describe the role. Roles determine the privileges that a user has, the commands a user can enter, and the actions that a user can perform in a particular context.
To assign a role and access role configuration mode, enter the role command in configuration mode. The CLI prompt changes to (config-role). For information about the commands in role configuration mode, see the commands in this section. Use the no form of this command to remove the user role assignment.
role name
no role name
Syntax Description
name | Identifier associated with a user role. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
The commands in this mode require the context Admin user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
If you do not assign a user role to a new user, the default user role is Network-Monitor. For users that you create in the Admin context, the default scope of access is the entire device. For users that you create in other contexts, the default scope of access is the entire context. If you need to restrict a user's access, you must assign a role-domain pair using the (config) username command.
Examples
To assign a role, enter:
host1/C1(config)# role TECHNICIAN
To remove the role from the configuration, enter:
host1/C1(config)# no role TECHNICIAN
Related Commands
This command has no related commands.
(config-role) description
To enter a description for the role, use the description command. Use the no form of this command to remove the role description from the configuration.
description text
no description
Syntax Description
text | Description for the role. Enter a description as an unquoted text string with a maximum of 240 alphanumeric characters.
Command Modes
Role configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
This example shows how to provide an additional description about a role:
host1/C1(config-role)# description DEFINES TECHNICIAN ROLE
To remove the description from the configuration, enter:
host1/C1(config-role)# no description
Related Commands
This command has no related commands.
(config-role) rule
To assign privileges on a per-feature basis to a role, use the rule command. You can limit the features that a user has access to and the commands that the user can enter for that feature by configuring rules for roles. Use the no form of this command to remove the rule from a user role.
rule number {{permit | deny} {create | modify | debug | monitor} [feature {AAA | access-list |
config-copy | connection | dhcp | fault-tolerant | inspect | interface | loadbalance | nat | pki
| probe | real-inservice | routing | rserver | serverfarm | sticky | syslog | vip}]}
no rule number {{permit | deny} {create | modify | debug | monitor} [feature {AAA | access-list
| config-copy | connection | dhcp | fault-tolerant | inspect | interface | loadbalance | nat | pki
| probe | real-inservice | routing | rserver | serverfarm | sticky | syslog | vip}]}
Syntax Description
number | Identifier of the rule and order of precedence. Enter a unique integer from 1 to 16. The rule number determines the order in which the ACE applies the rules, with a higher-numbered rule applied after a lower-numbered rule.
permit | Allows the role to perform the operations defined by the rest of the command keywords.
deny | Prevents the role from performing the operations defined by the rest of the command keywords.
create | Specifies commands for the creation of new objects or the deletion of existing objects (includes modify, debug, and monitor commands).
debug | Specifies commands for debugging problems (includes monitor commands).
modify | Specifies commands for modifying existing configurations (includes debug and monitor commands).
monitor | Specifies commands for monitoring resources and objects (show commands).
feature | (Optional) Specifies a particular ACE feature for which you are configuring this rule. The available features are listed below.
AAA | Specifies commands for authentication, authorization, and accounting.
access-list | Specifies commands for access control lists (ACLs). Includes ACL configuration, class maps for ACLs, and policy maps that contain ACL class maps.
config-copy | Specifies commands for copying the running-config to the startup-config, startup-config to the running-config, and copying both config files to the Flash disk (disk0:) or a remote server.
connection | Specifies commands for network connections.
dhcp | Specifies commands for Dynamic Host Configuration Protocol (DHCP).
fault-tolerant | Specifies commands for redundancy.
inspect | Specifies commands for packet inspection used in data-center security.
interface | Specifies all interface commands.
loadbalance | Specifies commands for load balancing. Allows adding a load-balancing action in a policy map.
nat | Specifies commands for Network Address Translation (NAT) associated with a class map in a policy map used in data-center security.
pki | Specifies commands for public key infrastructure (PKI).
probe | Specifies commands for keepalives for real servers.
real-inservice | Specifies commands for placing a real server in service.
routing | Specifies all commands for routing, both global and per interface.
rserver | Specifies commands for physical servers.
serverfarm | Specifies commands for server farms.
sticky | Specifies commands for server persistence.
syslog | Specifies the system logging facility setup commands.
vip | Specifies commands for virtual IP addresses.
Command Modes
Role configuration mode.
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To configure a rule that allows a role to create and configure real servers, enter:
host1/C1(config-role)# rule 1 permit create feature rserver
To remove the rule from a role, enter:
host1/C1(config-role)# no rule 1 permit create feature rserver
Related Commands
This command has no related commands.
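The following is an added example, not part of the Cisco documentation or ACE software: a small offline check that reviews the rule lines of one role against the syntax described above (number range 1 to 16, unique numbers, the feature keyword list) and expands each operation into the operations it includes. The function name audit_role, the sample lines, and the choice to flag permit rules that carry no feature clause are assumptions made for this illustration.

```python
import re

# Keyword sets taken from the rule syntax on this page.
FEATURES = {"AAA", "access-list", "config-copy", "connection", "dhcp",
            "fault-tolerant", "inspect", "interface", "loadbalance", "nat",
            "pki", "probe", "real-inservice", "routing", "rserver",
            "serverfarm", "sticky", "syslog", "vip"}
# Each operation also covers the operations listed after it (keyword table).
IMPLIES = {"create": ["create", "modify", "debug", "monitor"],
           "modify": ["modify", "debug", "monitor"],
           "debug": ["debug", "monitor"], "monitor": ["monitor"]}
RULE_RE = re.compile(r"^rule\s+(\d+)\s+(permit|deny)\s+(\w+)(?:\s+(.*))?$")
# Constructed sample input, not taken from a real device.
SAMPLE = ["rule 1 permit create feature rserver", "rule 2 permit modify",
          "rule 2 deny debug feature pki", "rule 17 permit monitor",
          "rule 3 permit create rserver"]

def audit_role(lines):
    """Return (rules sorted by number, findings) for one role's rule lines."""
    rules, findings, seen = [], [], set()
    for raw in lines:
        m = RULE_RE.match(raw.strip())
        if not m:
            findings.append(f"unparsed: {raw.strip()}")
            continue
        num, action, op = int(m[1]), m[2], m[3]
        rest = (m[4] or "").split()
        if not 1 <= num <= 16:
            findings.append(f"rule {num}: number outside 1-16")
        if num in seen:
            findings.append(f"rule {num}: duplicate rule number")
        seen.add(num)
        if op not in IMPLIES:
            findings.append(f"rule {num}: unknown operation {op!r}")
            continue
        feature = None
        if rest:
            if len(rest) != 2 or rest[0] != "feature" or rest[1] not in FEATURES:
                findings.append(f"rule {num}: bad feature clause {' '.join(rest)!r}")
                continue
            feature = rest[1]
        elif action == "permit" and op != "monitor":
            # Assumed review policy: a write-capable permit should name a feature.
            findings.append(f"rule {num}: permit {op} with no feature limit")
        rules.append((num, action, IMPLIES[op], feature))
    return sorted(rules, key=lambda r: r[0]), findings

if __name__ == "__main__":
    for finding in audit_role(SAMPLE)[1]:
        print(finding)
```

The expanded operation list in each returned rule shows what a single keyword grants: a permit create rule on a feature also covers modify, debug, and monitor commands for that feature.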