Match strings in authorization profiles can include parameters and optional parameters. A set of angle brackets <...> around a value indicates matching on that parameter value or optional parameter value, rather than on a keyword.
The following rules govern parameter matching:
Rule 1
Any parameter value and/or optional parameter can be present in the match string.
Rule 2
When a parameter value or an optional parameter is present in the user-profile match string, all parameters or optional parameters to its left must also be stated. Matching is positional, so a parameter cannot be matched on its own while the parameters that precede it in the command are omitted.
Rule 3
The user can either specifically state or completely omit unnamed parameters in the match string, as required. However, when matching on an unnamed parameter is used, all unnamed parameters of the CLI command must be present in the match string.
For example, consider the OSPF command:
*A:SwSim14# configure router ospf
  - no ospf [<ospf-instance>]
  - ospf [<ospf-instance>] [<router-id>]

 <ospf-instance>      : [0..31]
 <router-id>          : <ip-address>
In this case, the user can match on the ospf keyword alone, which covers the command regardless of any parameter values, to allow or deny it per user-profile, as follows:
match "configure router ospf" action deny
Or the user can decide to only allow a specific OSPF instance for a user. Because the command has two unnamed parameters, both must be stated, with the actual values inside the angle brackets (for example <1> <10.0.0.1>), as follows:
match "configure router ospf <ospf-instance-value> <router-id-value>"
Rule 4
When multiple unnamed parameters are present in the match string, the parameters must be provided in the order described in the command help to generate the correct match behavior. For example, using the order of parameters described in the OSPF command usage in Rule 3 above, use the following statement for a user-profile match:
match "configure router ospf <ospf-instance-value> <router-id-value>"
The needed match behavior is not achieved if the unnamed parameters <ospf-instance-value> and <router-id-value> are out of order with respect to the help screen: each value is compared against the parameter at the same position, so a router ID placed first is compared against the OSPF instance and never matches.
The following profile configuration shows parameter matching with literal values inside the angle brackets (for example, <22> matches only service or router instance 22, and <system> matches only the interface named system):
config>system>security>profile# info
            entry 10
                match "show router <22> route-table"
                action permit
            exit
            entry 20
                match "configure service vprn <22>"
                action read-only
            exit
            entry 30
                match "show service id <22>"
                action permit
            exit
            entry 40
                match "configure router interface <system>"
                action deny
            exit
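The following Python model is an added illustration of the four rules above and of the profile shown in the info output; it is not Nokia code and not how SR OS implements matching. It assumes whitespace-separated tokens with full keyword spelling, that a <value> token in a match string is compared against the command token at the same position, that a match string matches as a prefix of the command, and that entries are evaluated in ascending entry-id order with the first match deciding the action (a default action applies when nothing matches). The validate_match_string function models Rules 2 to 4 for a command with a known number of unnamed parameters; the ospf command from Rule 3 has two.

```python
"""Model of profile match-string evaluation (added illustration, not Nokia code).

Assumptions: whitespace tokenization, full keyword spelling, <value> tokens
compared positionally, prefix matching, entries evaluated in ascending entry-id
order with the first match winning, and a default action if none matches.
"""
import re

# A match-string token of the form <value> states a literal parameter value.
PARAM_TOKEN = re.compile(r"^<(.+)>$")


def _tokens(text):
    return text.split()


def validate_match_string(match_str, unnamed_param_count):
    """Rules 2-4 as stated on the page: if the match string states any
    parameter value, it must state all of the command's unnamed parameters,
    left to right in the order of the command help."""
    stated = sum(1 for t in _tokens(match_str) if PARAM_TOKEN.match(t))
    return stated == 0 or stated == unnamed_param_count


def entry_matches(match_str, command):
    """Prefix match: every match-string token must equal the command token at
    the same position; a <value> token matches only that literal value, so a
    match string without parameters covers the command for any values."""
    m, c = _tokens(match_str), _tokens(command)
    if len(m) > len(c):
        return False
    for want, got in zip(m, c):
        p = PARAM_TOKEN.match(want)
        if (p.group(1) if p else want) != got:
            return False
    return True


def authorize(profile, command, default_action="deny"):
    """Return (entry_id, action) for the first matching entry in ascending
    entry-id order (assumed evaluation order), or (None, default_action)."""
    for entry_id, match_str, action in sorted(profile):
        if entry_matches(match_str, command):
            return entry_id, action
    return None, default_action


# The profile from the info output above, as (entry-id, match, action).
PROFILE = [
    (10, "show router <22> route-table", "permit"),
    (20, "configure service vprn <22>", "read-only"),
    (30, "show service id <22>", "permit"),
    (40, "configure router interface <system>", "deny"),
]

# The ospf command from Rule 3 has two unnamed parameters:
# <ospf-instance> followed by <router-id>.
OSPF_UNNAMED_PARAMS = 2


if __name__ == "__main__":
    for cmd in (
        "show router 22 route-table",          # entry 10 permits instance 22
        "show router 23 route-table",          # no entry: default action
        "configure service vprn 22 interface to-cust",  # entry 20, read-only
        "configure router interface system",   # entry 40 denies
        "configure router interface to-core",  # no entry: default action
    ):
        print(f"{cmd!r} -> {authorize(PROFILE, cmd)}")

    # Rule 4: the same two values in the wrong order do not match.
    cmd = "configure router ospf 1 10.0.0.1"
    for ms in ("configure router ospf",
               "configure router ospf <1> <10.0.0.1>",
               "configure router ospf <10.0.0.1> <1>",
               "configure router ospf <1>"):
        print(f"{ms!r}: valid={validate_match_string(ms, OSPF_UNNAMED_PARAMS)}"
              f" matches={entry_matches(ms, cmd)}")
```

The last loop shows the practical consequence of Rules 3 and 4: "configure router ospf <1>" fails validation because only one of the two unnamed parameters is stated, and "configure router ospf <10.0.0.1> <1>" passes the count check but never matches the intended command because the router ID is compared against the instance position.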