Syntax: [no] profile user-profile-name
Context: config>system>security
This command creates a context for configuring user profiles that control CLI command tree permissions.
Profiles are used to either deny or allow user console access to a hierarchical branch or to specific commands.
After the profiles are created, the user command assigns users to one or more profiles. You can define up to 16 user profiles, but a maximum of 8 profiles can be assigned to a user.
The no form of the command deletes a user profile.
Default: user-profile default
user-profile-name: the user profile name, entered as a character string. The string is case-sensitive and limited to 32 ASCII 7-bit printable characters with no spaces.
Syntax: default-action {deny-all | permit-all | none}
Context: config>system>security>profile
This command specifies the default action to be applied when no match conditions are met.
Default: none
deny-all: sets the default of the profile to deny access to all commands
permit-all: sets the default of the profile to allow access to all commands
The permit-all parameter does not change access to security commands. Security commands are only and always available to members of the admin-user profile.
none: sets the default of the profile to no-action. This option is useful when assigning multiple profiles to a user.
For example, if a user is a member of two profiles and the default action of the first profile is permit-all, then the second profile will never be evaluated because permit-all is executed first. If the first profile default action is set to none and if no match conditions are met in the first profile, then the second profile will be evaluated. If the default action of the last profile is none and no explicit match is found, then the default-action deny-all takes effect.
Syntax: [no] entry entry-id
Context: config>system>security>profile
This command is used to create a user profile entry.
More than one entry can be created with unique entry-id numbers. The 7705 SAR exits when the first match is found and executes the actions according to the accompanying action command. Entries should be sequenced from most explicit to least explicit.
An entry does not need to have any match criteria defined (in which case, everything matches), but it must have at least the keyword action to be considered complete.
The no form of the command removes the specified entry from the user profile.
Default: no entry IDs are defined
entry-id: an entry ID uniquely identifies a user profile command match criteria and a corresponding action. If more than one entry is configured, the entry-ids should be numbered in staggered increments to allow users to insert a new entry without requiring renumbering of the existing entries.
Syntax: action {deny | permit}
Context: config>system>security>profile>entry
This command configures the action associated with the profile entry.
deny: specifies that commands matching the entry command match criteria will be denied
permit: specifies that commands matching the entry command match criteria will be permitted
Syntax: match command-string
        no match
Context: config>system>security>profile>entry
This command configures a command or command subtree.
Because the 7705 SAR exits when the first match is found, subordinate levels cannot be modified with subsequent action commands. More specific action commands should be entered with a lower entry number or in a profile that is evaluated prior to this profile.
All commands below the hierarchy level of the matched command are denied.
The no form of this command removes a match condition.
Default: no match command string is specified
command-string: the CLI command or CLI tree level that is the scope of the profile entry
Syntax: renum old-entry-number new-entry-number
Context: config>system>security>profile
This command renumbers profile entries to resequence the entries.
Because the 7705 SAR exits when the first match is found and executes the actions according to the accompanying action command, renumbering is useful to rearrange the entries from most explicit to least explicit.
old-entry-number: the entry number of an existing entry
new-entry-number: the new entry number
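The evaluation order that default-action, entry and match describe above, modelled as an added example (not Nokia code): entries run in ascending entry-id with the first match winning, a default-action of none falls through to the next profile, and the final fallback is deny-all. Token-prefix matching, the rejection of an in-use id by renum, and the sample profiles and commands are assumptions; the rule that permit-all does not open security commands is not modelled.

```python
# Added example: models the evaluation order described on this page.
def matches(match, command):
    # Assumption: an entry matches when its command string is a token-wise
    # prefix of the typed command. No match string means everything matches.
    if match is None:
        return True
    want, typed = match.split(), command.split()
    return typed[:len(want)] == want

def evaluate(profiles, command):
    """Return (decision, reason) for a user holding `profiles`, in order."""
    for prof in profiles:
        # Entries are tried in ascending entry-id; evaluation exits on first match.
        for entry_id in sorted(prof["entries"]):
            match, action = prof["entries"][entry_id]
            if matches(match, command):
                return action, f'{prof["name"]} entry {entry_id}'
        if prof["default_action"] != "none":
            # deny-all / permit-all end evaluation; later profiles never run.
            decision = prof["default_action"].split("-")[0]
            return decision, f'{prof["name"]} default-action'
    # Every profile fell through on default-action none.
    return "deny", "implicit deny-all"

def renum(profile, old, new):
    """Counterpart of `renum old-entry-number new-entry-number`."""
    if new in profile["entries"]:  # assumption: an in-use id is rejected
        raise ValueError(f"entry {new} already exists")
    profile["entries"][new] = profile["entries"].pop(old)

# Constructed sample profiles (hypothetical names and entries).
OPERATOR = {"name": "operator", "default_action": "none",
            "entries": {10: ("show router bgp", "deny"), 20: ("show", "permit")}}
NOC = {"name": "noc", "default_action": "none",
       "entries": {10: ("ping", "permit")}}
# Broad entry numbered before the specific one: entry 20 can never match.
MISORDERED = {"name": "misordered", "default_action": "deny-all",
              "entries": {10: ("show", "permit"), 20: ("show router bgp", "deny")}}
OPEN = {"name": "open", "default_action": "permit-all", "entries": {}}

if __name__ == "__main__":
    for cmd in ("show router bgp summary", "show port", "ping 192.0.2.1", "admin reboot"):
        print(cmd, "->", evaluate([OPERATOR, NOC], cmd))
    print(evaluate([MISORDERED], "show router bgp"))     # shadowed deny
    renum(MISORDERED, 20, 5)
    print(evaluate([MISORDERED], "show router bgp"))     # deny now wins
    print(evaluate([OPEN, MISORDERED], "admin reboot"))  # permit-all shadows
```

Running the same check over an exported profile set before assigning it to users shows which deny entries are shadowed by an earlier, broader permit.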