Cisco Bug: CSCup16035 - RBAC user denied access with show run subset commands
Last Modified
Mar 27, 2020
Products (1)
- Cisco Nexus 7000 Series Switches
Known Affected Releases
6.2(99)
Description (partial)
Symptom: RBAC user role rules do not allow the "show running int xx" command when "show running" is not in the permit list. For example, "show running int Eth1/4" is allowed only when "show running" is permitted by a higher rule. Without a permit statement for "show run", it is not possible to run any sub-commands under "show running". Unable to run "show int Eth1/4" with the config below:

switch(config-role)# sh role name TEST
Role: TEST
  Description: new role
  Vlan policy: permit (default)
  Interface policy: deny.
    Permitted interfaces Ethernet1/4-6
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  26      permit  command                         show interface
  22      permit  command                         show running int Eth1/4
  5       permit  command                         configure ; interface Ethernet * ; load*

Conditions: RBAC requires the exact interface name to be configured. For example, to permit the "sh run int" command on interface Ethernet1/4, specify the exact interface name as it appears in the running configuration:

Configure "show run int Ethernet1/4" -> works
Configure "show run int Eth1/4" -> doesn't work
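The condition above (the rule entity must carry the interface name exactly as the running configuration spells it, so an abbreviated "Eth1/4" in the rule never matches) is easy to miss when auditing role definitions. The following is an added example, not Cisco code and not taken from this bug record: a small Python lint that models the matching described in the report, expands abbreviated interface names in the command a user types, compares that against the literal rule entity, and flags rules whose entity still uses a short form. The rule table is a constructed copy of the one shown above; the list of canonical interface prefixes, the token-by-token prefix matching, and the absence of wildcard handling are all assumptions made for illustration, not documented NX-OS behaviour.

```python
import re

# Constructed sample modelled on the "show role name TEST" table in the bug report:
# (rule number, permission, type, entity).
SAMPLE_RULES = [
    (26, "permit", "command", "show interface"),
    (22, "permit", "command", "show running int Eth1/4"),
    (5, "permit", "command", "configure ; interface Ethernet * ; load*"),
]

# Assumption: canonical interface names as they appear in running-config.
# The list is illustrative, not exhaustive.
CANONICAL_PREFIXES = ["Ethernet", "port-channel", "loopback", "Vlan", "mgmt"]

# An interface token is a letters/hyphen prefix followed by a number such as 1/4 or 10.
IFACE_RE = re.compile(r"([A-Za-z][A-Za-z-]*)(\d+(?:/\d+)*)")


def canonical_interface(token):
    """Expand an abbreviated interface token ("Eth1/4") to its long form ("Ethernet1/4").

    Tokens that are not interface names, or whose prefix is ambiguous, are returned unchanged.
    """
    m = IFACE_RE.fullmatch(token)
    if not m:
        return token
    prefix, number = m.groups()
    candidates = [p for p in CANONICAL_PREFIXES if p.lower().startswith(prefix.lower())]
    if len(candidates) != 1:
        return token
    return f"{candidates[0]}{number}"


def canonicalize_command(command):
    """Expand every interface token in a whitespace-separated command string."""
    return " ".join(canonical_interface(tok) for tok in command.split())


def is_permitted(rules, command):
    """Model of the matching the bug describes (assumption, not documented behaviour):

    the typed command has its interface names expanded, while the rule entity is
    compared literally, token by token, as a prefix of the command. Wildcards are not modelled.
    """
    cmd_tokens = canonicalize_command(command).split()
    for _, perm, rtype, entity in rules:
        if perm != "permit" or rtype != "command":
            continue
        ent_tokens = entity.split()
        if cmd_tokens[: len(ent_tokens)] == ent_tokens:
            return True
    return False


def find_abbreviated_interface_rules(rules):
    """Return (rule number, entity, suggested entity) for every command rule whose
    entity uses an abbreviated interface name and therefore can never match."""
    findings = []
    for num, _, rtype, entity in rules:
        if rtype != "command":
            continue
        fixed = canonicalize_command(entity)
        if fixed != entity:
            findings.append((num, entity, fixed))
    return findings


def fixed_rules(rules):
    """Return a copy of the rule table with every entity's interface names expanded."""
    return [(num, perm, rtype, canonicalize_command(entity)) for num, perm, rtype, entity in rules]


if __name__ == "__main__":
    for num, entity, suggestion in find_abbreviated_interface_rules(SAMPLE_RULES):
        print(f"rule {num}: '{entity}' -> use '{suggestion}'")
    print("before fix:", is_permitted(SAMPLE_RULES, "show run int Eth1/4"))
    print("after fix: ", is_permitted(fixed_rules(SAMPLE_RULES), "show run int Eth1/4"))
```

Running the lint against the sample table reports rule 22 and suggests "show running int Ethernet1/4"; with the expanded entity in place the same typed command is permitted, while the "show interface" rule keeps working for both spellings because it carries no interface name at all. Note that the model deliberately does not expand keywords such as "int", since the report only states that the interface name must be exact.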