I have a command set for some technicians that we grant fewer commands to, and am trying to limit specific commands, but it is not working as expected for some of them. Note that I am testing this with a user in the correct identity group that is given the correct command set and shell profile.
Example: We do not want them making changes to port-channels, so I have Deny | int* | po.* and it is the first rule in the command set. An account assigned to that profile is still able to issue the command:
switch (config) # int port-channel 1
I have also tried Deny | int* | port-channel * with the same result.
Example 2: We do not want them assigning a port-security maximum of more than 2, so I have
Allow | sw* | po.* m.* [1-3] as a rule, and directly under it Deny | sw* | po.* m.*
I have also tried Deny | sw* | po.* m.* and Deny | sw* | port-security maximum *
as the very first rule in the command set, and the account can still issue the command:
switch (config-if) # switchport port-security maximum 8
in any of those 3 scenarios.
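As an added illustration (not part of the original post, and not ISE's own code), the following simulates a first-match command set in which the argument column is evaluated as an unanchored regular expression; the evaluation model is an assumption, but it shows why the second example's `po.* m.* [1-3]` rule would also permit values like `13` or `30` unless the pattern is anchored.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed rule model (assumption): each rule is
# (grant, command_glob, argument_regex), mirroring the post's
# "Allow | sw* | po.* m.* [1-3]" notation. Rules are evaluated top-down,
# first match wins; the real product's semantics may differ.
Rule = Tuple[str, str, str]


def glob_to_regex(glob: str) -> str:
    # Hypothetical: '*' in the command column means "any characters".
    return "^" + re.escape(glob).replace(r"\*", ".*") + "$"


def evaluate(rules: List[Rule], command: str, args: str,
             anchored: bool) -> Optional[str]:
    """Return the grant of the first matching rule, or None if none match."""
    for grant, cmd_glob, arg_re in rules:
        if not re.match(glob_to_regex(cmd_glob), command):
            continue
        # Unanchored: a substring match anywhere in the arguments suffices.
        # Anchored: the whole argument string must match the pattern.
        pattern = f"^(?:{arg_re})$" if anchored else arg_re
        if re.search(pattern, args):
            return grant
    return None  # falls through to the command set's default action


# The two rules from the post's second example, in the stated order.
RULES_FROM_POST: List[Rule] = [
    ("Allow", "sw*", r"po.* m.* [1-3]"),
    ("Deny", "sw*", r"po.* m.*"),
]

# Constructed sample argument strings for "switchport ...".
SAMPLE_ARGS = [
    "port-security maximum 2",
    "port-security maximum 8",
    "port-security maximum 13",
    "port-security maximum 30",
]


def check_examples(anchored: bool) -> Dict[str, Optional[str]]:
    """Evaluate every sample against the post's rules."""
    return {a: evaluate(RULES_FROM_POST, "switchport", a, anchored)
            for a in SAMPLE_ARGS}


if __name__ == "__main__":
    for mode in (False, True):
        print("anchored" if mode else "unanchored", check_examples(mode))
```

Unanchored, `maximum 13` and `maximum 30` are allowed because ` 1` and ` 3` are found inside the argument string; anchoring the pattern (`^po.* m.* [1-3]$`) closes that gap while `maximum 8` is denied in both modes.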