JUNOS Software Access Privilege Levels Overview

[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Each top-level command-line interface (CLI) command and each configuration statement have an access privilege level associated with it. Users can execute only those commands and configure and view only those statements for which they have access privileges. The access privileges for each login class are defined by one or more permission flags.

For each login class, you can explicitly deny or allow the use of operational and configuration mode commands that would otherwise be permitted or not allowed by a privilege level specified in the permissions statement.

The following sections provide additional information:

JUNOS Software Login Class Permission Flags

The permissions statement specifies one or more of the permission flags listed in Table 7. Permission flags are not cumulative, so for each class you must list all the permission flags needed, including view to display information and configure to enter configuration mode. Two forms for the permissions control the individual parts of the configuration:

“Plain” form—Provides read-only capability for that permission type. An example is interface.
Form that ends in -control—Provides read and write capability for that permission type. An example is interface-control.

Table 7 lists the JUNOS Software login class permission flags that you can configure by including the permissions statement at the [edit system login class class-name] hierarchy level:

Table 7: Login Class Permission Flags

Permission Flag	Description
access	Can view the access configuration in configuration mode using the show configuration operational mode command.
access-control	Can view and configure access information at the [edit access] hierarchy level.
admin	Can view user account information in configuration mode and with the show configuration command.
admin-control	Can view user accounts and configure them at the [edit system login] hierarchy level.
all	Has all permissions.
clear	Can clear (delete) information learned from the network that is stored in various network databases using the clear commands.
configure	Can enter configuration mode using the configure command.
control	Can perform all control-level operations—all operations configured with the -control permission flags.
field	Reserved for field (debugging) support.
firewall	Can view the firewall filter configuration in configuration mode.
firewall-control	Can view and configure firewall filter information at the [edit firewall] hierarchy level.
floppy	Can read from and write to the removable media.
flow-tap	Can view the flow-tap configuration in configuration mode.
flow-tap control	Can view the flow-tap configuration in configuration mode and can configure flow-tap configuration information at the [edit services flow-tap] hierarchy level.
flow-tap-operation	Can make flow-tap requests to the router. For example, a Dynamic Tasking Control Protocol (DTCP) client must authenticate itself to JUNOS as an administrative user. That account must have flow-tap-operation permission. Note: flow-tap operation is not included in the all permission.
interface	Can view the interface configuration in configuration mode and with the show configuration operational mode command.
interface-control	Can view the interface configuration in configuration mode and with the show configuration operational mode command.
maintenance	Can perform system maintenance, including starting a local shell on the router and becoming the superuser in the shell using the su root command, and can halt and reboot the router using the request system commands.
network	Can access the network by entering the ping, SSH, telnet, and traceroute commands.
reset	Can restart software processes using the restart command and can configure whether software processes are enabled or disabled at the [edit system processes] hierarchy level.
rollback	Can use the rollback command to return to a previously committed configuration other than the most recently committed one.
routing	Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes.
routing-control	Can view general routing, routing protocol, and routing policy configuration information and configure general routing at the [edit routing-options] hierarchy level, routing protocols at the [edit protocols] hierarchy level, and routing policy at the [edit policy-options] hierarchy level.
secret	Can view passwords and other authentication keys in the configuration.
secret-control	Can view passwords and other authentication keys in the configuration and can modify them in configuration mode.
security	Can view security configuration in configuration mode and with the show configuration operational mode command.
security-control	Can view and configure security information at the [edit security] hierarchy level.
shell	Can start a local shell on the router by entering the start shell command.
snmp	Can view Simple Network Management Protocol (SNMP) configuration information in configuration and operational modes.
snmp-control	Can view SNMP configuration information and modify SNMP configuration at the [edit snmp] hierarchy level.
system	Can view system-level information in configuration and operational modes.
system-control	Can view system-level configuration information and configure it at the [edit system] hierarchy level.
trace	Can view trace file settings in configuration and operational modes.
trace-control	Can view trace file settings and configure trace file properties.
view	Can use various commands to display current systemwide, routing table, and protocol-specific values and statistics. Cannot view secret configuration.

Allowing or Denying Individual Commands for JUNOS Software Login Classes

By default, all top-level CLI commands have associated access privilege levels. Users can execute only those commands and view only those statements for which they have access privileges. For each login class, you can explicitly deny or allow the use of operational and configuration mode commands that would otherwise be permitted or not allowed by a privilege level specified in the permissions statement.

Note: The all login class permission bits take precedence over extended regular expressions when a user with rollback permission issues the rollback command.

Expressions used to allow and deny commands for users on RADIUS/TACACS+ servers have been simplified. Instead of a single, long expression with multiple commands (allow-commands=cmd1 cmd2 cmdn) you can specify each command as a separate expression. This new syntax is valid for allow-configuration and deny-configuration, allow-command and deny-command, and user-permissions.

Users cannot issue the load override command when specifying an extended regular expression. Users can only issue the merge, replace, and patch configuration commands.