
Cisco Bug: CSCup16035 - RBAC user denied access with show run subset commands

Last Modified

Mar 27, 2020

Products (1)

  • Cisco Nexus 7000 Series Switches

Known Affected Releases


Description (partial)

RBAC user role rules do not allow the "show running int xx" command when "show running" itself is not in the permit list.

For example:
"show running int Eth1/4" is allowed only when "show running" is permitted by a higher rule.
Without a permit statement for "show run", it is not possible to run any sub-commands under show running.

Unable to run "show int Eth1/4" with the config below:
switch(config-role)# sh role name TEST

Role: TEST
  Description: new role
  Vlan policy: permit (default)
  Interface policy: deny. Permitted interfaces
  Vrf policy: permit (default)
  Rule    Perm    Type        Scope               Entity
  26      permit  command                         show interface
  22      permit  command                         show running int Eth1/4
  5       permit  command                         configure ; interface Ethernet* ; load*

RBAC requires the exact interface name to be configured in the rule.

For example, to permit the "sh run int" command on interface Ethernet 1/4, specify the exact interface name as it appears in the running configuration:
Configure "show run int Ethernet1/4"  -> works
"show run int Eth1/4" -> Doesn't work
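The two role definitions below are an added illustration of the behaviour described in this bug record; they are not configuration taken from the record itself. The NX-OS rule syntax ("rule N permit command ...") and the role/description lines are assumed to be the commands that produced the "sh role name TEST" output above; the rule numbers reuse those shown in that output. The first role is the failing one (short interface name, no permit for "show running"), the second is the corrected form with the interface spelled exactly as the running configuration prints it, and the third permits "show running" itself by a higher rule so that its sub-commands are allowed.

```text
! Failing role (as described in the bug record, assumed entered as below):
! "show run int Eth1/4" is denied because the entity uses the abbreviated
! interface name and no higher rule permits "show running".
role name TEST
  description new role
  rule 26 permit command show interface
  rule 22 permit command show running int Eth1/4

! Corrected role: the entity matches the interface name exactly as it
! appears in the running configuration.
role name TEST
  description new role
  rule 26 permit command show interface
  rule 22 permit command show running int Ethernet1/4

! Alternative: permit "show running" by a higher rule. This allows all
! sub-commands under "show running", which is broader than a single
! interface and exposes the full running configuration to the role.
role name TEST
  description new role
  rule 27 permit command show running
  rule 26 permit command show interface
```

After changing the rule, verify the result with "show role name TEST" and test the command as the restricted user; the per-interface rule is the least-privilege option, the "show running" rule is the convenient one.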