V7 switch RBAC does not take effect
The customer's requirement is that users assigned the XXXX role may only view configuration and set the port access VLAN on a port.
The configuration is as follows:
role name XXXX
rule 1 permit command system-view
rule 2 permit command interface *
rule 3 permit command display *
rule 4 permit command port access vlan
Testing showed that the restriction does not take effect: after logging in and entering system view, almost every system-view command is available, for example configuring OSPF:
sy System View: return to User View with Ctrl+Z.
[access 2]ospf 1
[access 2-ospf-1]
The command manual on the official website gives the following description:
If you want to describe a command in a multi-level view, you need to use a semicolon (;) to divide the command characteristic string into multiple segments. Each segment represents one or a series of commands. The commands in the latter segment are executed in the view entered by the command in the previous segment. A segment can contain multiple asterisks (*), and each asterisk (*) represents 0 or more arbitrary characters. For example, the command characteristic string "system; interface *; ip * ;" represents all commands beginning with ip after entering any interface view from the system view.
Modifying the role configuration as follows meets the customer's requirement:
role name XXXX
rule 1 permit command system-view; interface *; port access vlan *
rule 2 permit command display *
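The following is an added illustration, not Comware code from the page or from H3C: a simplified model of the semicolon-segment matching described in the manual excerpt, used to check which command paths the corrected rule 1 permits. It assumes each segment is matched against the command typed in the view entered by the previous segment, starting from user view, and that a rule also permits the intermediate view-entering commands; the view-less "display *" rule is not modelled.

```python
import re
from typing import List

# Added example (not H3C/Comware code). Assumption: segment N of a rule is
# matched against the command typed in the view that segment N-1 entered,
# starting from user view, and the rule also permits the intermediate
# view-entering commands (system-view, interface ...) on the way down.


def segment_to_regex(segment: str) -> "re.Pattern[str]":
    """Compile one segment such as 'interface *' into an anchored regex.
    Each '*' stands for zero or more arbitrary characters; every other
    character is matched literally."""
    literal_parts = [re.escape(p) for p in segment.strip().split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$")


def parse_rule(rule: str) -> List["re.Pattern[str]"]:
    """Split a rule string on ';' into per-view segments.
    A trailing ';' (as in 'system; interface *; ip * ;') adds no segment."""
    segments = [s.strip() for s in rule.split(";")]
    return [segment_to_regex(s) for s in segments if s]


def permits(rule: str, command_path: List[str]) -> bool:
    """Return True if `rule` allows the last command in `command_path`,
    where command_path lists the commands typed in order from user view."""
    patterns = parse_rule(rule)
    if not command_path or len(command_path) > len(patterns):
        return False
    return all(p.match(cmd.strip()) is not None
               for p, cmd in zip(patterns, command_path))


def role_permits(rules: List[str], command_path: List[str]) -> bool:
    """A role permits a command path if any of its permit rules does."""
    return any(permits(r, command_path) for r in rules)


# Rule 1 of the corrected XXXX role from the page; the view-less
# "display *" rule (rule 2) is deliberately left out of this model.
FIXED_ROLE = ["system-view; interface *; port access vlan *"]

if __name__ == "__main__":
    # Constructed sample command paths, typed from user view downwards.
    ok = ["system-view", "interface GigabitEthernet1/0/1", "port access vlan 10"]
    bad = ["system-view", "ospf 1"]
    print(role_permits(FIXED_ROLE, ok))   # True
    print(role_permits(FIXED_ROLE, bad))  # False
```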