
Cisco Bug: CSCup16035 - RBAC user denied access with show run subset commands

Last Modified

Mar 27, 2020

Products (1)

  • Cisco Nexus 7000 Series Switches

Known Affected Releases

6.2(99)

Description (partial)

Symptom:
RBAC user role rules do not allow the "show running int xx" command when "show running" itself is not in the permit list.

For example:
"show running int Eth1/4" is allowed only when "show running" is permitted by a higher rule.
Without a permit statement for "show run", it is not possible to run any sub-commands under show running.

Unable to run "show int Eth1/4" with the configuration below:
switch(config-role)# sh role name TEST

Role: TEST
  Description: new role
  Vlan policy: permit (default)
  Interface policy: deny. Permitted interfaces
  Ethernet1/4-6
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  26      permit  command                         show interface
  22      permit  command                         show running int Eth1/4
  5       permit  command                         configure ; interface Ethernet* ; load*

Conditions:
RBAC requires the exact interface name to be configured in the rule.

For example, if you would like to permit the "sh run int" command on interface Ethernet1/4, specify the exact interface name as it appears in the running configuration:
Configure "show run int Ethernet1/4"  -> works
Configure "show run int Eth1/4"       -> doesn't work
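A checker for the condition described above, added here as an example and not part of the bug record or of NX-OS itself: it parses the rule table from "show role name" output and flags command rules whose interface names are abbreviated, suggesting the canonical long form that the rule needs. The Eth-to-Ethernet expansion table and the table layout it parses are assumptions taken from the sample output above.

```python
import re

# Constructed sample: the role output quoted in the bug record, pasted as a
# practitioner would capture it from "show role name TEST".
SAMPLE_ROLE_OUTPUT = """\
Role: TEST
  Description: new role
  Vlan policy: permit (default)
  Interface policy: deny. Permitted interfaces
  Ethernet1/4-6
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  26      permit  command                         show interface
  22      permit  command                         show running int Eth1/4
  5       permit  command                         configure ; interface Ethernet* ; load*
"""

# Assumption: NX-OS stores interface names in their long form ("Ethernet1/4"),
# so a rule written with the short form never matches the expanded command.
CANONICAL = {"eth": "Ethernet", "ethernet": "Ethernet"}
IFACE_RE = re.compile(r"\b(?P<name>[A-Za-z]+)(?P<num>\d+(?:/\d+)+)")
RULE_RE = re.compile(r"^\s*(?P<num>\d+)\s+(?P<perm>\S+)\s+command\s+(?P<entity>.+?)\s*$")

def parse_command_rules(text):
    """Return [(rule_number, permission, entity)] for the 'command' rows of a role table."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m["num"]), m["perm"], m["entity"]))
    return rules

def canonicalize_entity(entity):
    """Rewrite abbreviated interface names inside a rule entity to their canonical form."""
    def expand(m):
        long_name = CANONICAL.get(m["name"].lower())
        return (long_name or m["name"]) + m["num"]
    return IFACE_RE.sub(expand, entity)

def find_abbreviated_rules(text):
    """Return [(rule_number, entity, suggested_entity)] for rules that will not match."""
    findings = []
    for num, _perm, entity in parse_command_rules(text):
        fixed = canonicalize_entity(entity)
        if fixed != entity:
            findings.append((num, entity, fixed))
    return findings

if __name__ == "__main__":
    for num, bad, good in find_abbreviated_rules(SAMPLE_ROLE_OUTPUT):
        print(f"rule {num}: '{bad}' -> rewrite as '{good}'")
```

Run against the sample, it reports rule 22 and proposes "show running int Ethernet1/4"; rule 5 is left alone because "Ethernet*" carries no interface number to expand.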