Operational Mode Commands
You can specify extended regular expressions with the allow-commands and deny-commands attributes to define a user's access privileges to individual operational commands. Doing so takes precedence over login class permission bits set for a user. You can include one deny-commands and one allow-commands statement in each login class.
To explicitly allow an individual operational mode command that would otherwise be denied, include the allow-commands statement at the [edit system login class class-name] hierarchy level:
[edit system login class class-name]
allow-commands "regular-expression";
To explicitly deny an individual operational mode command that would otherwise be allowed, include the deny-commands statement at the [edit system login class class-name] hierarchy level:
[edit system login class class-name]
deny-commands "regular-expression" ;
If the regular expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks. Regular expressions are not case-sensitive.
Use extended regular expressions to specify which operational mode commands are denied or allowed. You specify these regular expressions in the allow-commands and deny-commands statements at the [edit system login class] hierarchy level, or by specifying JUNOS-specific attributes in your TACACS+ or RADIUS authentication server's configuration. You must specify that these regular expressions are sent as the value of Juniper vendor-specify attributes. If regular expressions are received during TACACS+ or RADIUS authentication, they override any regular expressions configured on the local router. For information about TACACS+ or RADIUS authentication, see Configure User Access.
Command regular expressions implement the extended (modern) regular expressions as defined in POSIX 1003.2. Table 13 lists common regular expression operators.
If a regular expression contains a syntax error, authentication fails and the user cannot log in. If a regular expression does not contain any operators, all varieties of the command are allowed. For example, if the following statement is included in the configuration, the user can issue the commands show interfaces detail and show interfaces extensive in addition to showing an individual interface:
allow-commands "show interfaces"
Example 1: Define Access Privileges to Individual Operational Mode Commands
The following examples define user access privileges to individual operational mode commands.
If the following statement is included in the configuration and the user does not have the configure login class permission bit, the user can enter configuration mode
[edit system login class class-name]
user@host# set allow-commands configure
If the following statement is included in the configuration and the user does not have the configure login class permission bit, the user can enter configuration exclusive mode.
[edit system login class class-name]
user@host#setallow-commands "configure exclusive"
 |
You cannot use runtime variables. In the following example the runtime variable 1.2.3.4 cannot be used. [edit system login class user@host |
Example 2: Define Access Privileges to Individual Operational Mode Commands
Configure permissions for individual operational mode commands:
[edit]
system {
login {
/*
* This login class has operator privileges and the additional ability to reboot the router.
*/
class operator-and-boot {
permissions [ clear network reset trace view ];
allow-commands "request system reboot";
}
/*
* This login class has operator privileges but can't use any commands beginning with "set".
*/
class operator-no-set {
permissions [ clear network reset trace view ];
deny-commands "^set";
}
/*
* This login class has operator privileges and can install software but not view bgp information.
*/
class operator-and-install-but-no-bgp {
permissions [ clear network reset trace view ];
allow-commands "request system software add";
deny-commands "show bgp";
}
}
}