Specifying Access Privileges for Junos OS Configuration Mode Hierarchies

The allow/deny-configuration and allow/deny-configuration-regexps statements let you explicitly allow or deny users access privileges to portions of the configuration hierarchy. Each of these statements is added to named login classes and configured with one or more regular expressions to be allowed or denied. Each login class is assigned to specific users or user IDs.

The search and match methods differ in the two forms of these statements. You must select which form to use within a login class—you cannot configure allow-configuration and allow-configuration-regexps together in the same login class. You must select just one. If you have existing configurations using the allow/deny-configuration form of the statements, using the same configuration options with the allow/deny-configuration-regexps form of the statements might not produce the same results.

• Allow/deny-configuration statements perform slower matching, with more flexibility, especially in wildcard matching. However, it can take a very long time to evaluate all of the possible statements if a great number of full path regular expressions or wildcard expressions are configured, possibly impacting performance. These statements were introduced before Junos OS Release 7.4.
• Allow/deny-configuration-regexps statements perform faster matching, with less flexibility. You configure a set of strings in which each string is a regular expression, with spaces between the terms of the string. This provides very fast matching. However, it is more tedious to use wildcard expressions in this form of the statement, because you must set up wildcards for each token (term) of the space-delimited string you want to match. These statements were introduced in Junos OS Release 11.2.