Configure Access Privilege Levels

Each top-level CLI command and each configuration statement has an access privilege level associated with it. Users can execute only those commands and configure and view only those statements for which they have access privileges. The privilege level for each command and statement is listed in the summary chapter of the part in which that command or statement is described. The access privileges for each login class are defined by one or more permission bits.

To configure access privilege levels, include the permissions statement at the [edit system login class] hierarchy level:

 [edit system login class]
 permissions [ permissions ];

In permissions, specify one or more of the permission bits listed in Table 7. Permission bits are not cumulative, so for each class list all the bits needed, including view to display information and configure to enter configuration mode. For the permissions that control the individual parts of the configuration, there are two forms of the permission:

"Plain" form—Provides read-only capability for that permission type. An example is interface.
Form that ends in -control—Provides read and write capability for that permission type. An example is interface-control.

Table 7: Login Class Permission Bits

Permission Bit

Description

`admin`

Can view user account information in configuration mode and with the `show configuration` command.

`admin-control`

Can view user accounts and configure them (at the `[edit system login]` hierarchy level).

`all`

Has all permissions.

`clear`

Can clear (delete) information learned from the network that is stored in various network databases (using the `clear` commands).

`configure`

Can enter configuration mode (using the `configure` command) and commit configurations (using the `commit` command).

`control`

Can perform all control-level operations (all operations configured with the `-control` permission bits).

`edit`

Can edit all portions of a configuration, can load a configuration from an ASCII file, and can commit new and modified configurations (using all the commands in configuration mode).

`field`

Reserved for field (debugging) support.

`firewall`

Can view the firewall filter configuration in configuration mode.

`firewall-control`

Can view and configure firewall filter information (at the `[edit firewall]` hierarchy level).

`floppy`

Can read from and write to the removable media.

`interface`

Can view the interface configuration in configuration mode and with the `show configuration` operational mode command.

`interface-control`

Can view interface configuration information and configure interfaces (at the `[edit interfaces`] hierarchy level).

`maintenance`

Can perform system maintenance, including starting a local shell on the router and becoming the superuser in the shell (by issuing the `su root` command), and can halt and reboot the router (using the `request system` commands).

`network`

Can access the network by entering the `ping`, `ssh`, `telnet`, and `traceroute` commands.

`reset`

Can restart software processes using the `restart` command and can configure whether software processes are enabled or disabled (at the `[edit system processes]` hierarchy level).

`rollback`

Can use the `rollback` command to return to a previously committed configuration other than the most recently committed one.

`routing`

Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes.

`routing-control`

Can view general routing, routing protocol, and routing policy configuration information and configure general routing (at the `[edit routing-options]` hierarchy level), routing protocols (at the `[edit protocols`] hierarchy level), and routing policy (at the `[edit policy-options]` hierarchy level).

`secret`

Can view passwords and other authentication keys in the configuration.

`secret-control`

Can view passwords and other authentication keys in the configuration and can modify them in configuration mode.

`shell`

Can start a local shell on the router by entering the `start shell` command.

`snmp`

Can view SNMP configuration information in configuration and operational modes.

`snmp-control`

Can view SNMP configuration information and configure SNMP (at the `[edit snmp`] hierarchy level).

`system`

Can view system-level information in configuration and operational modes.

`system-control`

Can view system-level configuration information and configure it (at the `[edit system`] hierarchy level).

`trace`

Can view trace file settings in configuration and operational modes.

`trace-control`

Can view trace file settings and configure trace file properties.

`view`

Can use various commands to display current systemwide, routing table, and protocol-specific values and statistics.

Permission Bit	Description
`admin`	Can view user account information in configuration mode and with the `show configuration` command.
`admin-control`	Can view user accounts and configure them (at the `[edit system login]` hierarchy level).
`all`	Has all permissions.
`clear`	Can clear (delete) information learned from the network that is stored in various network databases (using the `clear` commands).
`configure`	Can enter configuration mode (using the `configure` command) and commit configurations (using the `commit` command).
`control`	Can perform all control-level operations (all operations configured with the `-control` permission bits).
`edit`	Can edit all portions of a configuration, can load a configuration from an ASCII file, and can commit new and modified configurations (using all the commands in configuration mode).
`field`	Reserved for field (debugging) support.
`firewall`	Can view the firewall filter configuration in configuration mode.
`firewall-control`	Can view and configure firewall filter information (at the `[edit firewall]` hierarchy level).
`floppy`	Can read from and write to the removable media.
`interface`	Can view the interface configuration in configuration mode and with the `show configuration` operational mode command.
`interface-control`	Can view interface configuration information and configure interfaces (at the `[edit interfaces`] hierarchy level).
`maintenance`	Can perform system maintenance, including starting a local shell on the router and becoming the superuser in the shell (by issuing the `su root` command), and can halt and reboot the router (using the `request system` commands).
`network`	Can access the network by entering the `ping`, `ssh`, `telnet`, and `traceroute` commands.
`reset`	Can restart software processes using the `restart` command and can configure whether software processes are enabled or disabled (at the `[edit system processes]` hierarchy level).
`rollback`	Can use the `rollback` command to return to a previously committed configuration other than the most recently committed one.
`routing`	Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes.
`routing-control`	Can view general routing, routing protocol, and routing policy configuration information and configure general routing (at the `[edit routing-options]` hierarchy level), routing protocols (at the `[edit protocols`] hierarchy level), and routing policy (at the `[edit policy-options]` hierarchy level).
`secret`	Can view passwords and other authentication keys in the configuration.
`secret-control`	Can view passwords and other authentication keys in the configuration and can modify them in configuration mode.
`shell`	Can start a local shell on the router by entering the `start shell` command.
`snmp`	Can view SNMP configuration information in configuration and operational modes.
`snmp-control`	Can view SNMP configuration information and configure SNMP (at the `[edit snmp`] hierarchy level).
`system`	Can view system-level information in configuration and operational modes.
`system-control`	Can view system-level configuration information and configure it (at the `[edit system`] hierarchy level).
`trace`	Can view trace file settings in configuration and operational modes.
`trace-control`	Can view trace file settings and configure trace file properties.
`view`	Can use various commands to display current systemwide, routing table, and protocol-specific values and statistics.

Table 8: Default System Login Classes

Login Class

Permission Bits Set

`operator`

`clear`, `network`, `reset`, `trace`, `view`

`read-only`

`view`

`superuser`

`all`

`unauthorized`

None

Login Class	Permission Bits Set
`operator`	`clear`, `network`, `reset`, `trace`, `view`
`read-only`	`view`
`superuser`	`all`
`unauthorized`	None

Example: Configure Access Privilege Levels

Create two access privilege classes on the router, one for configuring and viewing user accounts only and the second for configuring and viewing SNMP parameters only:

 [edit]
 system {
     login {
         class user-accounts { 
             permissions [ configure admin admin-control ]; 
         }
         class network-mgmt {
             permissions [ configure snmp snmp-control ];
         }
     }
 }

[Contents] [Prev] [Next] [Index]