Maybe it is a formatting issue, but this is completely wrong:
rule 4 permit command system-view ; interface * ; undo shutdown interface policy deny permit interface GigabitEthernet1/1/13
You didn't get the idea. The role has only two rules:
rule 3 permit command system-view ; interface * ; shutdown
rule 4 permit command system-view ; interface * ; undo shutdown
and one interface policy that defines which interfaces are accessible:
interface policy deny
permit interface GigabitEthernet1/1/13
permit interface GigabitEthernet1/2/3
The logic behind this is very simple - 'permit command' defines which commands are available. In our case those are two commands from interface context - 'shutdown' and 'undo shutdown'. These rules have global meaning, for all interfaces. And only then you define which interfaces are accessible by the user, for this purpose you use 'interface policy deny' context under which you 'permit' interfaces that should be accessible for the user. Thus you achieve your target - allow 'shutdown' and 'undo shutdown' commands, but only for certain interfaces.
Here is how the role should look:
#
role name edit-inter-1-1-13
rule 3 permit command system-view ; interface * ; shutdown
rule 4 permit command system-view ; interface * ; undo shutdown
interface policy deny
permit interface GigabitEthernet1/1/13
permit interface GigabitEthernet1/2/3
#
------------------------------
Ivan Bondar
------------------------------
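To make the evaluation logic described above concrete, here is a small added example (not code from this thread, from HPE or from Comware itself) that parses the corrected role block and decides whether a given command path would be permitted. It models the semantics the reply explains: command rules are global and matched against the full view path with `*` as a wildcard, and `interface policy deny` then restricts which interface views the user may enter. Two details are assumptions of this model rather than facts stated in the thread: when several command rules match, the highest-numbered rule is taken to win, and a command matched by no rule is denied. Interface names in the policy are matched exactly, so the example also shows that the `Ten-GigabitEthernet1/1/13` name from the original question would still be denied by a policy that permits only `GigabitEthernet1/1/13`.

```python
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample input: the corrected role block as shown in the reply above.
ROLE_CONFIG = """\
role name edit-inter-1-1-13
 rule 3 permit command system-view ; interface * ; shutdown
 rule 4 permit command system-view ; interface * ; undo shutdown
 interface policy deny
  permit interface GigabitEthernet1/1/13
  permit interface GigabitEthernet1/2/3
"""


@dataclass
class Role:
    name: str = ""
    # (rule number, "permit"/"deny", [view, ..., command]) with ';' splitting the view path
    command_rules: List[Tuple[int, str, List[str]]] = field(default_factory=list)
    interface_policy: Optional[str] = None  # None = no restriction, "deny" = allow-list mode
    permitted_interfaces: Set[str] = field(default_factory=set)


def parse_role(text: str) -> Role:
    """Parse a Comware-style 'role name' block (simplified model of the syntax on the page)."""
    role = Role()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        m = re.match(r"role name (\S+)$", line)
        if m:
            role.name = m.group(1)
            continue
        m = re.match(r"rule (\d+) (permit|deny) command (.+)$", line)
        if m:
            path = [part.strip() for part in m.group(3).split(";")]
            role.command_rules.append((int(m.group(1)), m.group(2), path))
            continue
        if line == "interface policy deny":
            role.interface_policy = "deny"
            continue
        m = re.match(r"permit interface (\S+)$", line)
        if m and role.interface_policy == "deny":
            role.permitted_interfaces.add(m.group(1))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return role


def evaluate(role: Role, command_path: List[str]) -> Tuple[bool, str]:
    """Return (permitted, reason) for a command given as its view path, e.g.
    ['system-view', 'interface GigabitEthernet1/1/13', 'undo shutdown']."""
    # Interface policy: in 'deny' mode every interface view not explicitly permitted is refused.
    for segment in command_path:
        if segment.startswith("interface "):
            ifname = segment.split(None, 1)[1]
            if role.interface_policy == "deny" and ifname not in role.permitted_interfaces:
                return False, f"interface {ifname} is not permitted by the interface policy"
    # Command rules: every segment must match ('*' is a wildcard); assumption of this model:
    # the highest-numbered matching rule decides, and no match means deny.
    best = None
    for rule_no, action, pattern in role.command_rules:
        if len(pattern) == len(command_path) and all(
            fnmatch.fnmatchcase(seg, pat) for seg, pat in zip(command_path, pattern)
        ):
            if best is None or rule_no > best[0]:
                best = (rule_no, action)
    if best is None:
        return False, "no command rule matches"
    return best[1] == "permit", f"rule {best[0]} {best[1]}"


def check(role: Role, command: str) -> bool:
    """Convenience wrapper taking the ' ; ' separated form used in the rules themselves."""
    return evaluate(role, [part.strip() for part in command.split(";")])[0]


if __name__ == "__main__":
    role = parse_role(ROLE_CONFIG)
    for cmd in [
        "system-view ; interface GigabitEthernet1/1/13 ; undo shutdown",
        "system-view ; interface GigabitEthernet1/1/14 ; shutdown",
        "system-view ; interface Ten-GigabitEthernet1/1/13 ; shutdown",
        "system-view ; interface GigabitEthernet1/1/13 ; description test",
        "display current-configuration",
    ]:
        ok, why = evaluate(role, [part.strip() for part in cmd.split(";")])
        print(f"{'PERMIT' if ok else 'DENY  '} {cmd}  ({why})")
```

Running it prints one line per candidate command: only `shutdown` / `undo shutdown` on the two listed interfaces are permitted, while the same commands on another interface, any other command under a permitted interface, and commands outside interface view are denied. A denied result is what the `SHELL_CMDDENY` log line quoted earlier in the thread records on the device.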
Original Message:
Sent: Dec 08, 2021 06:51 AM
From: Gadi Sontag
Subject: comware - role name
Hello
I tried this solution:
1. Lets shut down all interfaces
2. Unable to perform undo shutdown
Attached config:
role name edit-inter-1-1-13
rule 3 permit command system-view ; interface * ; shutdown
rule 4 permit command system-view ; interface * ; undo shutdown interface policy deny permit interface GigabitEthernet1/1/13
rule 5 permit command system-view ; interface * ; undo shutdown interface policy deny permit interface GigabitEthernet1/2/3
%xxxx SHELL/5/SHELL_CMDDENY: -Line=vty0-IPAddr=xxx-User=xxx; Command undo shutdown is permission denied.
Best regards
Gadi sontag
Tel: 972-3-9275228
Mob: 972-52-5656228
E. mail: gadis@ladpc.co.il
Visit our site : http://www.ladpc.co.il
Original Message:
Sent: 12/8/2021 5:17:00 AM
From: Ivan_B
Subject: RE: comware - role name
Hi Gadi,
Here is the solution:
#
line vty 0 63
 authentication-mode scheme
 user-role network-operator
#
role name edit-inter-1-1-13
 rule 3 permit command system-view ; interface * ; shutdown
 rule 4 permit command system-view ; interface * ; undo shutdown
 interface policy deny
  permit interface GigabitEthernet1/1/13
#
domain system
 authentication login local
 authorization login local
 accounting default none
#
 domain default enable system
#
local-user TEST class manage
 password hash <removed>
 service-type ssh https
 authorization-attribute user-role edit-inter-1-1-13
 undo authorization-attribute user-role network-operator
Let me know if it works for you.
------------------------------
Ivan Bondar
Original Message:
Sent: Dec 08, 2021 02:44 AM
From: Gadi Sontag
Subject: comware - role name
Hello
How do I create a role that authorizes only editing interface Ten 1/1/13 and doing shutdown and no shutdown?
I tried this one:
role name edit-inter-1-1-13
rule 3 permit command "interface Ten-GigabitEthernet1/1/13"
rule 4 permit command shutdown
rule 5 permit command no shutdown
rule 6 deny command *
local-user TEST class manage
password hash xxx
service-type https ssh
authorization-attribute user-role edit-inter-1-1-13
Best regards
Gadi
------------------------------
Gadi Sontag
------------------------------