To explain further, the Administrative Profile feature allows the network administrator to define a list of rules that control the CLI commands available to a user. These rules are collected in a "profile." The rules in a profile can define the set of commands, or a command mode, to which a user is permitted or denied access.

Within a profile, rule numbers determine the order in which the rules are applied. When a user enters a CLI command, rules within the first profile assigned to the user are applied in descending order until there is a rule that matches the input. If no rule permitting the command is found, then the other profiles assigned to the user (if any) are searched for rules permitting the command. Rules may use regular expressions for command matching. All profiles have an implicit "deny all" rule, such that any command that does not match any rule in the profile is considered to have been denied by that profile (See Example 1).

A user can be assigned to more than one profile. If there are conflicting rules in profiles, the "permit" rule always takes precedence over the "deny" rule. That is, if any profile assigned to a user permits a command, then the user is permitted access to that command. A user may be assigned up to 16 profiles. A number of profiles are provided by default. These profiles cannot be altered by the switch administrator.

If the successful authorization method does not provide an administrative profile for a user, then the user is permitted access based upon the user's privilege level. This means that, if a user successfully passes enable authentication or if exec authorization assigns a privilege level, the user is permitted access to all commands. This is also true if none of the administrative profiles provided are configured on the switch. If some, but not all, of the profiles provided in the authentication are configured on the switch, then the user is assigned the profiles that exist, and a message is logged that indicates which profiles could not be assigned.