Parameters

Matching in authorization profiles allows the use of parameters and optional parameters. A set of angle brackets <...> indicates matching on a parameter value and/or optional parameter.

Note: Parameter values enclosed in angle brackets are optional in the MD-CLI.

The following rules govern parameter matching:

Rule 1

Any parameter value and/or optional parameter can be present in the match string.

Rule 2

When a parameter value or an optional parameter is present in the user-profile match string, all parameters or optional parameters to its left must also be stated in the match string.

Rule 3

The user can either specifically state or completely omit unnamed parameters in the match string, as required. However, when matching on an unnamed parameter is used, all unnamed parameters of the CLI command must be present in the match string.

For example, consider the OSPF command:

*A:SwSim14# configure router ospf 
  - no ospf [<ospf-instance>]
  - ospf [<ospf-instance>] [<router-id>]

<ospf-instance>      : [0..31]
<router-id>          : <ip-address>

In this case, the user can match on OSPF to allow or deny the command per user-profile, as follows:

match "configure router ospf" action deny

Or the user can decide to only allow a specific OSPF instance for a user, as follows:

match "configure router ospf <ospf-instance-value> <router-id-value>"

Note: Although the user's matching is based on <ospf-instance-value>, which is an unnamed value, all other unnamed values in the OSPF command (such as <router-id-value>) must also be present in the match string.

Rule 4

When multiple unnamed parameters are present in the match string, the parameters must be provided in the correct order as described in the command help to generate the correct match behavior. For example, using the order of parameters described in the OSPF command usage in Rule 3 above, use the following statement for a user-profile match:

match "configure router ospf <ospf-instance-value> <router-id-value>"

The needed match behavior may not be achieved if the unnamed parameters <ospf-instance-value> and <router-id-value> are out of order with respect to the help screen.

The following displays a parameter matching output:

config>system>security>profile# info
                entry 10
                    match "show router <22> route-table "
                    action permit
                exit
                entry 20
                    match "configure service vprn <22>"
                    action read-only
                exit
                entry 30
                    match "show service id <22>"
                    action permit
                exit
                entry 40
                    match "configure router interface <system>"
                    action deny
                exit
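The four rules and the profile output above, modelled as an added Python example. This is not Nokia's code and not how SR OS implements matching; it exists to make the rules checkable. Because the page does not state them, three things are assumed: a match string is compared token by token as a prefix of the issued command (so "configure router ospf" covers every OSPF subcommand, and <22> matches the literal value 22), entries are evaluated in ascending entry order with the first hit deciding the action, and a command that matches no entry falls to a caller-supplied default. The OSPF parameter signature is transcribed from the help text quoted under Rule 3; the helper validate_match implements Rules 2 to 4 and shows how an out-of-order match string surfaces: the value lands on a parameter whose type it cannot satisfy.

```python
"""Model of SR OS user-profile parameter matching (added example, not vendor code).
Assumed: token-wise prefix match, first matching entry wins, caller-supplied default."""
import ipaddress
import re
from dataclasses import dataclass

# Unnamed parameters of 'configure router ospf' in help-screen order, transcribed
# from the quoted help. The type strings are this example's shorthand for
# "[0..31]" and "<ip-address>".
OSPF_SIGNATURE = [("ospf-instance", "0..31"), ("router-id", "ip-address")]


@dataclass
class Entry:
    entry_id: int
    match: str
    action: str  # permit | deny | read-only


def _is_value(token):
    """A token written as <...> is a parameter value, not a keyword."""
    return len(token) > 2 and token[0] == "<" and token[-1] == ">"


def value_fits(value, kind):
    """Does a literal value satisfy the parameter type shown on the help screen?"""
    if kind == "ip-address":
        try:
            ipaddress.IPv4Address(value)
            return True
        except ValueError:
            return False
    rng = re.fullmatch(r"(\d+)\.\.(\d+)", kind)
    if rng and value.isdigit():
        return int(rng[1]) <= int(value) <= int(rng[2])
    return False


def validate_match(match, command, signature):
    """Check a match string against Rules 1-4 for one command (returns (ok, reason)).
    Values are positional, so only trailing values can be omitted (Rule 2); if any
    unnamed value is given, all of them must be (Rule 3); each value must fit the
    parameter at its position, which is how a wrong order shows up (Rule 4)."""
    toks, cmd = match.split(), command.split()
    if toks[: len(cmd)] != cmd:
        return False, "match string does not begin with the command keywords"
    values = toks[len(cmd):]
    if not values:
        return True, "keyword-only match: applies to every form of the command"
    if len(values) > len(signature):
        return False, "more values than the command has parameters"
    for pos, tok in enumerate(values):
        if not _is_value(tok):
            return False, f"{tok!r} is not written as <value>"
        name, kind = signature[pos]
        if not value_fits(tok[1:-1], kind):
            return False, f"{tok} is not a valid <{name}> ({kind}); check parameter order"
    if len(values) < len(signature):
        missing = " ".join(f"<{n}>" for n, _ in signature[len(values):])
        return False, f"unnamed parameter(s) {missing} must also be present"
    return True, "ok"


def command_matches(match, command):
    """Assumed semantics: token-wise prefix match; <v> matches the literal token v."""
    m, c = match.split(), command.split()
    if len(m) > len(c):
        return False
    for mt, ct in zip(m, c):
        want = mt[1:-1] if _is_value(mt) else mt
        if want != ct:
            return False
    return True


def authorize(profile, command, default_action="deny"):
    """First matching entry wins (assumption); default_action if nothing matches."""
    for entry in sorted(profile, key=lambda e: e.entry_id):
        if command_matches(entry.match, command):
            return entry.action
    return default_action


# The profile from the 'info' output above, as data.
PROFILE = [
    Entry(10, "show router <22> route-table", "permit"),
    Entry(20, "configure service vprn <22>", "read-only"),
    Entry(30, "show service id <22>", "permit"),
    Entry(40, "configure router interface <system>", "deny"),
]

if __name__ == "__main__":
    for cmd in ("show router 22 route-table", "show router 23 route-table",
                "configure service vprn 22 interface to-core"):
        print(f"{cmd!r:48} -> {authorize(PROFILE, cmd)}")
    for m in ("configure router ospf", "configure router ospf <1> <10.0.0.1>",
              "configure router ospf <1>", "configure router ospf <10.0.0.1> <1>"):
        print(f"{m!r:48} -> {validate_match(m, 'configure router ospf', OSPF_SIGNATURE)}")
```

The interesting case is the last one: "<10.0.0.1> <1>" is rejected because 10.0.0.1 is not within [0..31], which is the only signal an out-of-order match string gives; on a real router the entry would simply never match, so the user would silently get the profile's default behaviour rather than the intended permit or deny.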