`user-group`

Syntax

user-groupno user-group

Description

Ifdoes not exist, this command creates a local user group and then enters its context. Ifexists, this command enters the context for the specified. Within thecontext, several subcommands are available for working with rules that specify what CLI commands are permitted or denied for all members of the local group.

In addition to the three built-in user groupsadministrators,operators, andauditors, up to 29 user-defined local user groups can be defined. All users can be members of only one of the up to 32 groups.

The no form of this command deletes the specified user group. All members of the deleted group lose all command authorization privilege.

CAUTION:

Do not causally delete user-defined local user groups without understanding the implications. Although user-defined local user groups can be deleted with the respective members losing all privileges, the three built-in groupsadministrators,operators, andauditors总是可以和他们的特权unchangeable.

Command context

config

Authority

Administrators or local user group members with execution rights for this command.

Subcommands

These subcommands are available within the user-defined local user group context (shown in the switch prompt asconfig-usr-grp-).

[] {permit | deny} cli command ""

no

Defines a CLI command privilegepermitordenyrule. There is an implicit"deny .*"rule at the end of every user-defined group rule list. Members of a user-defined group without anypermitrules have no CLI command privileges.

The no form of this subcommand deletes the specified (by sequence number) rule from the group.

NOTE:

Rule evaluation proceeds from lowest to highest sequence number until the first successful match, resulting in either CLI command permission or denial. Rule evaluation ceases upon first match. Therefore, rules for related CLI commands must be defined in most restrictive to least restrictive order.

Specifies the CLI command rule sequence number. When omitted, a sequence number that is 10 greater the highest existing sequence number is auto-assigned. When no rules exist, the first auto-assigned sequence number is 10.

{permit | deny}

Sets the rule type as eitherpermitordeny. Rule order is important. For example, these two related rules together authorize allshowcommands except for theshow aaacommands.

switch(config-usr-grp-admuser2)#10 deny cli command "show aaa .*"switch(config-usr-grp-admuser2)#20 permit cli command "show .*"

To achieve the wanted effect in this example, thedenyrule must precede thepermitrule. These two rules together achieve the following:

Allshow aaacommands match on rule 10, triggering command denial, and the immediate cessation of further rule evaluation. Matching on rule 20 is never attempted.
All othershowcommands (excludingshow aaacommands) match on rule 20 and are therefore permitted.

Specifies the CLI command matching criteria of the rule. The criteria can be expressed as ".*" which matches all commands. Otherwise, the criteria is expressed as a POSIX-compliant regular expression (regex) string starting with an exact match command token (for exampleshow) followed by a regex representing command arguments. The first word must be a string that contains only alphanumeric or hyphen characters.

For example, to allow all commands starting with the wordinterface, the regex must be "interface .*" or just "interface". Using "interface.*" (without the space) is not supported. For example, "show .*"matches everyshowcommand. Consult the Extended regular expression information available at:https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html#tag_09_04.

Sample matching criteria	Sample matched CLI command or specifier	Matches
`show .*`	`show accounting log`	All`show`commands
`bgp .*`	`bgp router-id 1.1.1.1`	All`bgp`commands
`interface .*`	`interface 1/1/1`	All interface specifiers
`vlan (3\|4)`	`vlan 3`	VLAN 3或4
`vlan [1-9]`	`vlan 5`	A single VLAN in the range 1 to 9
`vlan ([1-9]\|1[0-9])`	`vlan 19`	A single VLAN in the range 1 to 19

[] comment

nocomment

Adds a comment to an existing rule. The no form of this subcommand removes an existing comment.

switch(config-usr-grp-admuser2)#10 comment Deny all show aaa commands.switch(config-usr-grp-admuser2)#20 comment Permit all other show commands.switch(config-usr-grp-admuser2)# switch(config-usr-grp-admuser2)#show running-config current-contextuser-group admuser2 10 comment Deny all show aaa commands. 10 deny cli command "show aaa .*" 20 comment Permit all other show commands. 20 permit cli command "show .*"

include

(没有)包括

Include all rules from the specified user-defined. Only one group can be included in the definition of another group. The content of the included group is effectively placed at the top of the rules list in the current group. If the specifieddoes not exist, it is created.

The no form of this subcommand removes the specified included group from the current group. The specified included group must exist and must be included in the current group or else an error message is shown.

The name of the included group is shown at the top of theshow user-groupcommand for the group with theinclude.

In this example, groupadmuser1is included in groupadmuser2. So theadmuser1rules are evaluated first and then the rules in theadmuser2group are only evaluated if no CLI command match occurs for the rules in groupadmuser1.

switch(config-usr-grp-admuser2)#include admuser1switch(config-usr-grp-admuser2)#show user-group admuser2User Group Summary ================== Name : admuser2 Type : configuration Included Group : admuser1 Number of Rules : 2 User Group Rules ================ SEQUENCE NUM ACTION COMMAND COMMENT ------------- ---------- ----------------------------- -------------------------------- 10 deny show aaa .* Deny all show aaa commands. 20 permit show .* Permit all other show commands.

resequence []

Resequences the CLI command authorization rules. When entered without the optional parameters the rules are resequenced with a10个和一个of 10.

: Specifies the starting sequence number.
: Specifies the sequence number increment.

Resequencing the rules to start at 100 with an increment of 20:

switch(config-usr-grp-admuser2)#resequence 100 20switch(config-usr-grp-admuser2)#show running-config current-contextuser-group admuser2 100 comment Deny all show aaa commands. 100 deny cli command "show aaa .*" 120 comment Permit all other show commands. 120 permit cli command "show .*"

Resequencing the rules to the default of starting at 10 with an increment of 10:

switch(config-usr-grp-admuser2)#resequenceswitch(config-usr-grp-admuser2)#show running-config current-contextuser-group admuser2 10 comment Deny all show aaa commands. 10 deny cli command "show aaa .*" 20 comment Permit all other show commands. 20 permit cli command "show .*"

show running-config current-context

Shows all the commands used to configure the rules in the current group context.

switch(config-usr-grp-admuser2)#show running-config current-contextuser-group admuser2 10 comment Deny all show aaa commands. 10 deny cli command "show aaa .*" 20 comment Permit all other show commands. 20 permit cli command "show .*"

list

List the subcommands available within the user-defined group context.

exit

Exits the user-defined group context.

结束

Exits the user-defined group context and then the config context.