DELL N3000 User Manual
Configuring Authentication, Authorization, and Accounting
213
Administrative Profiles
The Administrative Profiles feature allows the network administrator to
define a list of rules that control the CLI commands available to a user. These
rules are collected in a “profile.” The rules in a profile can define the set of
commands, or a command mode, to which a user is permitted or denied
access.
Within a profile, rule numbers determine the order in which the rules are
Within a profile, rule numbers determine the order in which the rules are
applied. When a user enters a CLI command, rules within the first profile
assigned to the user are applied in descending order until there is a rule that
matches the input. If no rule permitting the command is found, then the
other profiles assigned to the user (if any) are searched for rules permitting
the command. Rules may use regular expressions for command matching. All
profiles have an implicit “deny all” rule, such that any command that does
not match any rule in the profile is considered to have been denied by that
profile.
A user can be assigned to more than one profile. If there are conflicting rules
A user can be assigned to more than one profile. If there are conflicting rules
in profiles, the “permit” rule always takes precedence over the “deny” rule.
That is, if any profile assigned to a user permits a command, then the user is
permitted access to that command. A user may be assigned up to 16 profiles.
A number of profiles are provided by default. These profiles cannot be altered
A number of profiles are provided by default. These profiles cannot be altered
by the switch administrator. See "Administrative Profiles" on page 240 for the
list of default profiles.
If the successful authorization method does not provide an administrative
If the successful authorization method does not provide an administrative
profile for a user, then the user is permitted access based upon the user's
privilege level. This means that, if a user successfully passes enable
authentication or if exec authorization assigns a privilege level, the user is
permitted access to all commands. This is also true if none of the
administrative profiles provided are configured on the switch. If some, but
not all, of the profiles provided in the authentication are configured on the
switch, then the user is assigned the profiles that exist, and a message is
logged that indicates which profiles could not be assigned.