CLI Guide

Table Of Contents
Security Commands 980
Administrative Profiles Commands
Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N2200-
ON/N3000-ON/N3100-ON Series Switches
The administrative profiles capability provides the network administrator
control over which commands a user (switch administrator) is allowed to
execute. The administrator is able to group commands into a “profile” and
assign a profile to a user upon authentication. This provides more granularity
than simply allowing read-only and read-write users. It may be, for example,
that a particular user is only allowed to manage the Captive Portal feature but
not allowed to manage any other of the switch features.
This capability is similar to the industry standard “User Roles” feature. The
main difference is that the Administrative Profile is obtained via
authentication rather than via authorization. This was necessary because Dell
EMC Networking does not support AAA authorization of users.
Functionally, the Administrative Profiles feature allows the network
administrator to define a list of rules which control the commands which may
be executed by a user. These rules are collected in a “profile.” A rule defines a
set of commands to which a user is permitted or denied access. Alternatively,
a rule may define a CLI command mode to which the user is permitted or
denied access. The rule numbers determine the order in which the rules are
applied: Rules are applied in descending numerical order until there is a
match. Rules may use regular expressions for command matching. All profiles
have an implicit “deny all” rule such that any command which does not
match any rules in the profile is considered to have been denied by that
profile.
It is possible to assign a user more than one profile. If there are conflicting
rules in profiles, the “permit” rule always takes precedence over the “deny”
rule, i.e., if any profile assigned to a user permits a command, then the user is
permitted access to that command. A user may be assigned up to 16 profiles.
A number of profiles are provided by default. These profiles may not be
altered by the switch administrator.
If the successful authentication method does not provide an Administrative
Profile for a user, then the user is permitted access based upon the user’s
privilege level (as in previous releases). This means that if a user successfully