
Cisco Bug: CSCut29819 - User role hierarchy not working correctly, deny overrides permit

Last Modified

Nov 26, 2018

Products (14)

  • Cisco Nexus 5000 Series Switches
  • Cisco Nexus 5596UP Switch
  • Cisco Nexus 5548P Switch
  • Cisco Nexus 6004 Switch
  • Cisco Nexus 5624Q Switch
  • Cisco Nexus 6001 Switch
  • Cisco Nexus 5672UP Switch
  • Cisco Nexus 5020 Switch
  • Cisco Nexus 5696Q Switch
  • Cisco Nexus 56128P Switch

Known Affected Releases

5.2(1)N1(7) 7.0(2)N1(1) 7.2(1)N1(1)

Description (partial)

The user is a member of multiple roles, and the role hierarchy does not work as designed.
When the user logs in and tries to execute a command that is permitted in one role and denied in another, the command fails. That does not follow the documented rule:

If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Access to a command takes priority over being denied access to a command. For example, suppose a user has RoleA, which denied access to the configuration commands. However, the user also has RoleB, which has access to the configuration commands. In this case, the user has access to the configuration commands.

role name A_SERVER_ADMIN
   rule 70 permit command show cdp neighbor
   rule 60 permit command show vlan
   rule 50 deny command configure
   rule 40 permit command show mac address-table
   rule 30 permit command show running-config interfa
   rule 20 permit command show port-profile
   rule 10 permit command show inter
   vlan policy deny
   interface policy deny
   vrf policy deny
username admin password 5 <removed>  role network-admin
username admin role A_SERVER_ADMIN

When logged in with the userid "admin" the user was unable to create a virtual interface:

conf t
interface vfc x

The interface was not created.
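The following Python model is an added example, not Cisco code and not part of the bug report. It parses the A_SERVER_ADMIN role shown above and evaluates a typed command once with the documented merge rule (a permit in any role wins) and once with the behaviour the bug describes (a deny in any role wins), so the difference is visible for the exact case in the report. The rule-evaluation details are assumptions for the model: rules inside a role are tried from the highest number down and the first pattern that prefix-matches the command decides, a role with no matching rule is silent, the built-in network-admin role is modelled as a single permit-all rule, and a command no role mentions is denied.

```python
import re

# Rule line format as shown on the page: "rule <num> <permit|deny> command <pattern>"
RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\s+command\s+(.+?)\s*$")

# Constructed from the role in the bug report; the "policy deny" lines are
# feature-group policies, not command rules, and the parser ignores them.
A_SERVER_ADMIN_CONFIG = """
role name A_SERVER_ADMIN
   rule 70 permit command show cdp neighbor
   rule 60 permit command show vlan
   rule 50 deny command configure
   rule 40 permit command show mac address-table
   rule 30 permit command show running-config interfa
   rule 20 permit command show port-profile
   rule 10 permit command show inter
   vlan policy deny
   interface policy deny
   vrf policy deny
"""


def parse_role(config):
    """Return the role's command rules as (number, action, pattern), highest number first."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return sorted(rules, key=lambda r: r[0], reverse=True)


# Assumption: the built-in network-admin role permits every command.
NETWORK_ADMIN = [(1, "permit", "*")]
A_SERVER_ADMIN = parse_role(A_SERVER_ADMIN_CONFIG)


def matches(pattern, command):
    """Assumed matching: '*' matches anything; otherwise every pattern word must be a
    prefix of the corresponding command word ('show inter' matches 'show interface vfc 5')."""
    if pattern == "*":
        return True
    p, c = pattern.split(), command.split()
    return len(p) <= len(c) and all(cw.startswith(pw) for pw, cw in zip(p, c))


def role_verdict(rules, command):
    """First matching rule (highest number first) decides; None if the role is silent."""
    for _num, action, pattern in rules:
        if matches(pattern, command):
            return action
    return None


def documented(roles, command):
    """Documented merge: a permit in any role outranks a deny in another."""
    verdicts = {role_verdict(r, command) for r in roles}
    if "permit" in verdicts:
        return "permit"
    return "deny"  # denied explicitly, or no role mentions the command


def observed_in_bug(roles, command):
    """Merge as described in CSCut29819: a deny in any role overrides permits."""
    verdicts = {role_verdict(r, command) for r in roles}
    if "deny" in verdicts:
        return "deny"
    return "permit" if "permit" in verdicts else "deny"


if __name__ == "__main__":
    admin = [NETWORK_ADMIN, A_SERVER_ADMIN]  # user "admin" holds both roles
    for cmd in ("configure terminal", "show vlan", "debug ip packet"):
        print(f"{cmd!r}: documented={documented(admin, cmd)} "
              f"observed={observed_in_bug(admin, cmd)}")
```

For "configure terminal" the documented merge returns permit (network-admin permits it) while the bug-behaviour merge returns deny (A_SERVER_ADMIN rule 50 matches), which is why "conf t" fails for the admin user in the report even though one of its roles has full access. Commands that neither role denies, such as "show vlan", behave the same under both merges, so a quick way to confirm you are hitting this bug rather than a plain authorization gap is to test a command that is explicitly denied in one role and permitted in another.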