LI administrators must update the profile for model-driven configuration access to the LI region. Without the update, the LI administrator cannot provision LI in MD-CLI.
This step must be performed before a configuration mode migration from classic to mixed or model-driven configuration mode. The existing profile for LI under the config>system>security>profile context can only provide LI access to the LI administrator or the LI users for the classic CLI engine.
Profiles are not automatically updated for MD-CLI commands. The administrator is responsible for creating an LI filter list for the MD-CLI that is equivalent to the one used for the classic CLI. This is highly recommended for the li-separate and no li-separate commands. This step must be performed before the configuration mode migration.
The existing profile for LI access should, at a minimum, include the following:
    config>system>security>profile
        li
        entry n
            match "configure li"
            action permit
At minimum, add the following MD-CLI commands to the existing LI profile that grants user access to LI commands:
    entry n
        match "li"
        action permit
    entry n+1
        match "edit-config li"
        action permit
    entry n+2
        match "admin save li"
        action permit
    entry n+3
        match "commit"
        action permit
    entry n+4
        match "compare"
        action permit
    entry n+5
        match "tools perform management-interface configuration-mode"
        action permit
    entry n+6
        match "quit-config li"
        action permit
    entry n+7
        match "state li"
        action permit
It is recommended to block the following access for all other users. This is accomplished either through default-action deny or through explicit deny commands. The following are the recommended MD-CLI commands that deny access to specific users:
    entry n
        match "li"
        action deny
    entry n+1
        match "edit-config li"
        action deny
    entry n+2
        match "admin save li"
        action deny
    entry n+3
        match "state li"
        action deny
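The permit and deny lists above can be checked offline before the configuration mode migration. The following Python sketch is an added example, not vendor code: it assumes the profile has been exported as text in the entry/match/action layout shown on this page, the function names and the sample profile are constructed for illustration, and it compares match strings exactly without modelling how the router evaluates entries.

```python
import re

# Match strings copied from the permit and deny lists on this page.
LI_PERMIT = ["li", "edit-config li", "admin save li", "commit", "compare",
             "tools perform management-interface configuration-mode",
             "quit-config li", "state li"]
LI_DENY = ["li", "edit-config li", "admin save li", "state li"]
LINE_RE = re.compile(r'^\s*(default-action|entry|match|action)\s+(.+?)\s*$')

# Constructed sample (assumption): an LI profile that has only the classic entry.
CLASSIC_ONLY = 'li\nentry 10\n  match "configure li"\n  action permit\n'


def parse_profile(text):
    """Return (default_action, {match string: action}) for a profile listing."""
    default, rules, current = None, {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "default-action":
            default = value
        elif key == "entry":
            current = None  # new entry: forget the previous match string
        elif key == "match":
            current = value.strip('"')
        elif current is not None:  # key == "action"
            rules.setdefault(current, value)  # keep the first action seen
    return default, rules


def missing_permits(text):
    """Page-listed MD-CLI strings the LI profile does not explicitly permit."""
    _, rules = parse_profile(text)
    return [s for s in LI_PERMIT if rules.get(s) != "permit"]


def unblocked_li(text):
    """Page-listed LI strings a non-LI profile does not block."""
    default, rules = parse_profile(text)
    if default == "deny":  # anything not explicitly permitted is denied
        return [s for s in LI_DENY if rules.get(s) == "permit"]
    return [s for s in LI_DENY if rules.get(s) != "deny"]


if __name__ == "__main__":
    print("LI profile still missing:", missing_permits(CLASSIC_ONLY))
    print("Non-LI profile leaves open:", unblocked_li(CLASSIC_ONLY))
```

An empty list from `missing_permits` for the LI administrator profile, and from `unblocked_li` for every other profile, indicates the listings match the recommendations on this page.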