Specifying Access Privileges for Junos OS Configuration Mode Hierarchies

You can specify extended regular expressions with the allow-configuration and deny-configuration attributes to define user access privileges to parts of the configuration hierarchy. Doing so overrides login class permission bits set for a user. You can also use wildcards to restrict access. When you define access privileges to parts of the configuration hierarchy, do the following:

• Specify the full paths in the extended regular expressions with the allow-configuration and deny-configuration attributes.
• Enclose parentheses around an extended regular expression that connects two or more expressions with the pipe | symbol. For example:
  [edit system login class class-name]user@host# set deny-configuration "(system login class) | (system services)"

  Note: Each expression separated by a pipe (|) symbol must be a complete standalone expression, and must be enclosed in parentheses ( ). Do not use spaces between regular expressions separated with parentheses and connected with the pipe (|) symbol. You cannot define access to keywords such as set, edit, or activate.

To explicitly allow an individual configuration mode hierarchy that would otherwise be denied, include the allow-configuration statement at the [edit system login class class-name] hierarchy level:

To explicitly deny an individual configuration hierarchy that would otherwise be allowed, include the deny-configuration statement at the [edit system login class class-name] hierarchy level:

You can include one deny-configuration and one allow-configuration statement in each login class.

Explicitly allowing configuration mode hierarchies or regular expressions using the allow-configuration statement adds to the regular permissions set using the permissions statement. Likewise, explicitly denying configuration mode hierarchies or regular expressions using the deny-configuration statement removes permissions for the specified configuration mode hierarchy, from the default permissions provided by the permissions statement. For example, if a login class has permissions configure and the allow-configuration statement includes the system services expression, the specified login class user can edit configuration at the [edit system services] hierarchy level and issue configuration mode commands (such as commit), in addition to just entering the configuration mode using the configure command (the permissions specified by theconfigure permission flag). Likewise, if a login class has permissions all and the deny-configuration statement includes system services, the specified login class user can perform all operations allowed by the all permissions flag, except issuing configuration mode commands (such as commit) or modifying configuration at the [edit system services] hierarchy level. If you allow and deny the same set of configuration hierarchy levels, regular expressions, or commands, the allow-configuration statement permissions take precedence over the permissions specified by the deny-configuration statement. For example, if you include allow-configuration “system services”; and deny-configuration “system services”;, the login class user can continue to edit configuration or issue commands at the edit system services hierarchy level.