By default, each top-level CLI command and each configuration statement has an access privilege level associated with it. Users can execute only those commands and configure and view only those statements for which they have access privileges. For each login class, you can explicitly deny or allow commands that would otherwise be permitted or disallowed by a privilege level specified in the permissions statement.
To explicitly deny a command that would otherwise be permitted, include the deny-commands statement at the [edit system login class class-name] hierarchy level:
[edit system login class class-name]
deny-commands regular-expression;
To explicitly allow additional commands that would otherwise be denied, include the allow-commands statement at the [edit system login class class-name] hierarchy level:
[edit system login class class-name]
allow-commands regular-expression;
You can include one deny-commands and one allow-commands statement in each login class.
If the regular-expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks. Regular expressions are not case-sensitive.
You use extended regular expressions to specify which commands are denied or allowed. You specify these regular expressions in the allow-commands and deny-commands statements at the [edit system login class] hierarchy level or by specifying JUNOS-specific attributes in your RADIUS authentication server's configuration. If regular expressions are received during RADIUS authentication, they override any regular expressions configured on the local router.
Command regular expressions implement the extended (modern) regular expressions as defined in POSIX 1003.2. Table 9 lists common regular expression operators.
If a regular expression contains a syntax error, user authentication fails, and the user cannot log in. If a regular expression does not contain any operators, all varieties of the command are allowed. For example, if the following statement is included in the configuration, the user can issue the commands show interfaces detail and show interfaces extensive in addition to showing an individual interface:
allow-commands "show interfaces"
Configure permissions for individual commands:
[edit]
system {
    login {
        /*
         * This login class has operator privileges and the additional ability to reboot the router.
         */
        class operator-and-boot {
            permissions [ clear network reset trace view ];
            allow-commands "request system reboot";
        }
        /*
         * This login class has operator privileges but can't use any commands beginning with "set".
         */
        class operator-no-set {
            permissions [ clear network reset trace view ];
            deny-commands "^set";
        }
        /*
         * This login class has operator privileges and can install software but not view BGP information.
         */
        class operator-and-install-but-no-bgp {
            permissions [ clear network reset trace view ];
            allow-commands "request system software add";
            deny-commands "show bgp";
        }
    }
}
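The following added example, which is not Junos code or Juniper documentation, models the evaluation rules described above (case-insensitive extended regular expressions, a pattern without operators covering every variety of a command, deny-commands removing and allow-commands adding to what the privilege level grants, and a syntax error failing authentication) and applies them to the three login classes in the configuration. The PERMISSION_PREFIXES table and the precedence when one command matches both patterns are assumptions of the example, not part of the page.

```python
import re

# Hypothetical simplification of the permission flags, not the real Junos
# permission table: which first command word each flag grants.
PERMISSION_PREFIXES = {
    "view": ("show",),
    "clear": ("clear",),
    "network": ("ping", "traceroute", "ssh", "telnet"),
    "reset": ("restart",),
    "trace": ("monitor",),
}
OPERATOR_PERMISSIONS = ["clear", "network", "reset", "trace", "view"]

class LoginClassError(Exception):
    """Bad regex in a class: the page says authentication then fails."""

class LoginClass:
    def __init__(self, permissions, allow_commands=None, deny_commands=None):
        self.permissions = set(permissions)
        # Regexes are case-insensitive; Python's re handles these POSIX
        # extended patterns. Compile eagerly so a syntax error surfaces
        # where Junos would reject the login.
        try:
            self.allow = re.compile(allow_commands, re.I) if allow_commands else None
            self.deny = re.compile(deny_commands, re.I) if deny_commands else None
        except re.error as exc:
            raise LoginClassError(f"invalid regular expression: {exc}") from exc

    def baseline_permits(self, command):
        words = command.split()
        return bool(words) and any(
            words[0].lower() in PERMISSION_PREFIXES.get(p, ()) for p in self.permissions)

    def permits(self, command):
        # deny-commands removes commands the privilege level would permit;
        # allow-commands adds commands it would not. search(), not fullmatch():
        # a pattern with no operators matches every variety of the command
        # ("show interfaces" also covers "show interfaces detail"). Letting
        # deny win when a command matches both is an assumption of this example.
        if self.deny and self.deny.search(command):
            return False
        if self.allow and self.allow.search(command):
            return True
        return self.baseline_permits(command)

# The three classes from the configuration above.
OPERATOR_AND_BOOT = LoginClass(OPERATOR_PERMISSIONS, allow_commands="request system reboot")
OPERATOR_NO_SET = LoginClass(OPERATOR_PERMISSIONS, deny_commands="^set")
OPERATOR_INSTALL_NO_BGP = LoginClass(
    OPERATOR_PERMISSIONS, allow_commands="request system software add", deny_commands="show bgp")
```

Running a proposed class against a list of commands this way, before committing it, catches an anchored pattern that denies too little or a loose pattern that allows too much.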