Role-Based CLI access enables the network administrator to create different views of router configurations for different users. Each view defines the CLI commands that each user can access.
Example: Configuring a CLI View
The following example shows how to configure two CLI views, “first” and “second”.
# First
Device(config)# parser view first inclusive
Device(config-view)# secret 5 firstpass
Device(config-view)# command exec exclude show version
Device(config-view)# command exec exclude configure terminal
Device(config-view)# command exec exclude all show ip
Device(config-view)# exit
# Second
Device(config)# parser view second
Device(config-view)# secret 5 secondpass
Device(config-view)# command exec include-exclusive show ip interface
Device(config-view)# command exec include logout
Device(config-view)# exit
Verify the CLI views in the running configuration.
Device(config-view)# do show running-config | beg view
parser view first inclusive
secret 5 $1$MCmh$QuZaU8PIMPlff9sFCZvgW/
commands exec exclude configure terminal
commands exec exclude configure
commands exec exclude all show ip
commands exec exclude show version
commands exec exclude show
!
parser view second
secret 5 $1$iP2M$R16BXKecMEiQesxLyqygW.
commands exec include-exclusive show ip interface
commands exec include show ip
commands exec include show
commands exec include logout
!
Role-Based Views
Role-based CLI provides three types of views that dictate which commands are available:
- Root View - To configure any view for the system, the administrator must be in root view.
- CLI View - A specific set of commands can be bundled into a CLI view.
- Superview - A superview consists of one or more CLI views.
A superview has several specific characteristics:
- A single CLI view can be shared within multiple superviews.
- Commands cannot be configured for a superview. An administrator must add commands to the CLI view and add that CLI view to the superview.
- Users who are logged into a superview can access all the commands that are configured for any of the CLI views that are part of the superview.
- Each superview has a password that is used to switch between superviews or from a CLI view to a superview.
- Deleting a superview does not delete the associated CLI views. The CLI views remain available to be assigned to another superview.
Configure Role-Based Views
Step 1. Enable AAA with the aaa new-model global configuration mode command. Exit and enter the root view with the enable view command.
Router(config)# aaa new-model
Router(config)# exit
Router# enable [view [view-name]]
Step 2. Create a view using the parser view view-name global configuration mode command. This enables the view configuration mode.
Router(config)# parser view view-name
Step 3. Assign a secret password to the view using the secret password view configuration mode command.
Router(config-view)# secret password
Step 4. Assign commands to the selected view using the commands parser-mode command in view configuration mode.
Router(config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
Configure Role-Based CLI Superviews
The steps to configure a superview are essentially the same as configuring a CLI view, except that the view view-name command is used to assign existing CLI views, rather than individual commands, to the superview.
Step 1. Create a view using the parser view view-name superview command and enter superview configuration mode.
Router(config)# parser view view-name superview
Step 2. Assign a secret password to the view using the secret password command. This sets a password to protect access to the superview.
Router(config-view)# secret password
Step 3. Assign an existing view using the view view-name command in view configuration mode. This adds a CLI view to the superview.
Router(config-view)# view view-name
Step 4. Exit superview configuration mode by typing the exit command.
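As an added example (not Cisco's code and not part of the original page), the following Python script parses the view section of a running configuration like the one verified earlier, resolves each superview to the commands its member CLI views include, and reports member views that are not defined. The sample configuration, the superview name ops, the placeholder hashes, and the assumption that a superview lists its members as view view-name lines are constructed for illustration.

```python
import re

# Constructed sample (placeholder names and hashes) in `show running-config` layout.
SAMPLE = """\
parser view first inclusive
 secret 5 $1$AAAA$placeholder
 commands exec exclude all show ip
!
parser view second
 secret 5 $1$BBBB$placeholder
 commands exec include-exclusive show ip interface
 commands exec include logout
!
parser view ops superview
 secret 5 $1$CCCC$placeholder
 view second
 view third
!
"""
HEADER = re.compile(r"^parser view (\S+)(?: (superview|inclusive))?$")
COMMAND = re.compile(r"^commands (\S+) (include-exclusive|include|exclude) (all )?(.+)$")

def parse_views(config):
    """Return {name: {"kind", "commands", "members"}} for every parser view."""
    views, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        head, cmd = HEADER.match(line), COMMAND.match(line)
        if head:
            cur = views[head.group(1)] = {"kind": head.group(2) or "cli", "commands": [], "members": []}
        elif line == "!" or cur is None:
            cur = None  # end of a view block, or text outside any view
        elif cmd:
            cur["commands"].append(cmd.groups())  # (mode, action, all, command)
        elif line.startswith("view "):  # assumed form of a superview member line
            cur["members"].append(line.split()[1])
    return views

def audit(views):
    """Map each superview to the commands its members include; list findings."""
    effective, findings = {}, []
    for name, view in views.items():
        if view["kind"] != "superview":
            continue
        known = [m for m in view["members"] if m in views]
        findings += [f"{name}: member view '{m}' is not defined"
                     for m in view["members"] if m not in views]
        effective[name] = sorted({f"{mode} {text}" for m in known
                                  for mode, action, _, text in views[m]["commands"]
                                  if action != "exclude"})
    return effective, findings
```

Calling audit(parse_views(text)) on a saved configuration gives a per-superview command list that can be reviewed against the access each role is meant to have.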