Deny or Allow Individual Commands

By default, all top-level CLI commands have associated access privilege levels. Users can execute only those commands and view only those statements for which they have access privileges. For each login class, you can explicitly deny or allow the use of operational and configuration mode commands that would otherwise be permitted or not allowed by a privilege level specified in the permissions statement. For information about CLI commands, see Command-Line Interface Overview.

The all login class permission bits take precedence over extended regular expressions when a user issues the rollback command. Users cannot issue the load override command when specifying an extended regular expression. Users can only issue the merge, replace, and patch configuration commands.

This section describes how to define a user's access privileges to individual operational and configuration mode commands. It contains the following topics:

• Operational Mode Commands
• Configuration Mode Commands