Exam 350-601 topic 1 question 194 discussion

I choose C because as per documentation the default-role cannot be changed or deled.

I think we can make changes in the default-role and not in the system generated roles like network-admin, network-operator and server admin. The default-role applies to all users so even if the deny access in san-users role the user will still get the access. Hence option A looks to be the right one. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/8_x/config/security/cisco_mds9000_security_config_guide_8x/configuring_users_and_common_roles.html

We should assign to the user only one role SAN-Users and then answer D is the best. We are missing there only one rule "rule 6 permit show feature SNMP". Because we did not add rule "rule x permit show feature environment" and there is no other role for mentioned users in cofiguration, SAN User will not be able to execute "show environment" command.

C is correct, the default role cannot be changed or deleted.

C is correct!

I think it's A because you can't deny what's already allowed on the default role. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_01000.pdf&ved=2ahUKEwjI3KD-6KD5AhWll1YBHXQpC9AQFnoECA4QAQ&usg=AOvVaw0LMfWmT-hIZrUAFuMORswG If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Access to a commandtakes priority over being denied access to a command. For example, suppose a user has RoleA, which denied access to the configuration commands. However, the user also has RoleB, which has access to the configuration commands. In this case, the user has access to the configuration commands.