Understanding Junos OS Access Privilege Levels

Each top-level CLI command and each configuration statement has an access privilege level associated with it. Users can execute only those commands, and configure and view only those statements, for which they have access privileges. The access privileges for each login class are defined by one or more permission flags.

For each login class, you can explicitly deny or allow the use of operational and configuration mode commands that would otherwise be permitted or not allowed by a privilege level specified in the permissions statement.

The following sections provide additional information about permissions:

Junos OS Login Class Permission Flags

Permission flags are used to grant a user access to operational mode commands and configuration hierarchy levels and statements. By specifying a permission flag on the user's login class at the [edit system login class] hierarchy level, you grant the user access to the corresponding commands and configuration hierarchy levels and statements. To grant access to all commands and configuration statements, use the all permission flag.

Note

Each command listed represents that command and all subcommands with that command as a prefix. Each configuration statement listed represents the top of the configuration hierarchy to which that flag grants access.

The permissions statement specifies one or more of the permission flags listed in Table 1. Permission flags are not cumulative, so for each class you must list every flag the class needs, including view to display information and configure to enter configuration mode. Permissions that control individual parts of the configuration come in two forms:

  • "Plain" form—Provides read-only capability for that permission type. An example is interface.

  • Form that ends in -control—Provides read and write capability for that permission type. An example is interface-control.

For permission flags that grant access to configuration hierarchy levels and statements, the flags grant read-only privilege to that configuration. For example, the interface permissions flag grants read-only access to the [edit interfaces] hierarchy level. The -control form of the flag grants read-write access to that configuration. Using the preceding example, interface-control grants read-write access to the [edit interfaces] hierarchy level.
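The following configuration puts the read-only and read-write forms side by side. It is an added example, not configuration from the original page: the class names iface-viewer and iface-admin, the user name alice, and the idle-timeout value are illustrative choices. Note that each class lists configure and view explicitly, because flags are not cumulative, and that neither class includes secret, so passwords and authentication keys stay hidden from both users in show configuration output.

```junos
system {
    login {
        /* Read-only: interface grants only viewing of [edit interfaces]. */
        class iface-viewer {
            idle-timeout 15;
            permissions [ configure interface view ];
        }
        /* Read-write: interface-control grants editing of [edit interfaces]. */
        /* Per Table 1 it also covers chassis, class-of-service, groups and forwarding-options. */
        class iface-admin {
            idle-timeout 15;
            permissions [ configure interface-control view view-configuration rollback ];
        }
        /* Credentials are set separately under authentication (encrypted-password or an ssh key). */
        user alice {
            class iface-viewer;
        }
    }
}
```

To verify the result, log in as a user of each class and run show cli authorization, which lists the permissions the session actually holds. A user of iface-viewer can enter configuration mode and display the [edit interfaces] hierarchy, but any set or delete under it is rejected; a user of iface-admin can change it and commit. Because interface-control also opens [edit groups] for writing, treat iface-admin as more than an "interfaces only" class when reviewing who holds it.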

Table 1 lists the Junos OS login class permission flags that you can configure by including the permissions statement at the [edit system login class class-name] hierarchy level.

The permission flags grant a specific set of access privileges. Each permission flag is listed with the operational mode commands and configuration hierarchy levels and statements for which that flag grants access.

Table 1: Login Class Permission Flags

Permission Flag

Description

access

Can view the access configuration in configuration mode and with the show configuration operational mode command.

access-control

Can view and configure access information at the [edit access] hierarchy level.

admin

Can view user account information in configuration mode and with the show configuration operational mode command.

admin-control

Can view user account information and configure it at the [edit system] hierarchy level.

all-control

Can view user accounts and configure them at the [edit system login] hierarchy level.

all

Can access all operational mode commands and configuration mode commands. Can modify configuration in all the configuration hierarchy levels.

clear

Can clear (delete) information learned from the network that is stored in various network databases by using the clear commands.

configure

Can enter configuration mode by using the configure command.

control

Can perform all control-level operations—all operations configured with the -control permission flags.

field

Can view field debug commands. Reserved for debugging support.

firewall

Can view the firewall filter configuration in configuration mode.

firewall-control

Can view and configure firewall filter information at the [edit firewall] hierarchy level.

floppy

Can read from and write to the removable media.

flow-tap

Can view the flow-tap configuration in configuration mode.

flow-tap-control

Can view the flow-tap configuration in configuration mode and can configure flow-tap configuration information at the [edit services flow-tap] hierarchy level.

flow-tap-operation

Can make flow-tap requests to the router or switch. For example, a Dynamic Tasking Control Protocol (DTCP) client must have flow-tap-operation permission to authenticate itself to the Junos OS as an administrative user.

Note: The flow-tap-operation option is not included in the all-control permissions flag.

idp-profiler-operation

Can view profiler data.

interface

Can view the interface configuration in configuration mode and with the show configuration operational mode command.

interface-control

Can view chassis, class of service (CoS), groups, forwarding options, and interfaces configuration information. Can edit configuration at the following hierarchy levels:

  • [edit chassis]

  • [edit class-of-service]

  • [edit groups]

  • [edit forwarding-options]

  • [edit interfaces]

maintenance

Can perform system maintenance, including starting a local shell on the router or switch and becoming the superuser in the shell by using the su root command, and can halt and reboot the router or switch by using the request system commands.

network

Can access the network by using the ping, ssh, telnet, and traceroute commands.

pgcp-session-mirroring

Can view the pgcp session mirroring configuration.

pgcp-session-mirroring-control

Can modify the pgcp session mirroring configuration.

reset

Can restart software processes by using the restart command and can configure whether software processes are enabled or disabled at the [edit system processes] hierarchy level.

rollback

Can use the rollback command to return to a previously committed configuration other than the most recently committed one.

routing

Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes.

routing-control

Can view general routing, routing protocol, and routing policy configuration information and can configure general routing at the [edit routing-options] hierarchy level, routing protocols at the [edit protocols] hierarchy level, and routing policy at the [edit policy-options] hierarchy level.

secret

Can view passwords and other authentication keys in the configuration.

secret-control

Can view passwords and other authentication keys in the configuration and can modify them in configuration mode.

security

Can view security configuration in configuration mode and with the show configuration operational mode command.

security-control

Can view and configure security information at the [edit security] hierarchy level.

shell

Can start a local shell on the router or switch by using the start shell command.

snmp

Can view Simple Network Management Protocol (SNMP) configuration information in configuration and operational modes.

snmp-control

Can view SNMP configuration information and can modify SNMP configuration at the [edit snmp] hierarchy level.

system

Can view system-level information in configuration and operational modes.

system-control

Can view system-level configuration information and configure it at the [edit system] hierarchy level.

trace

Can view trace file settings and configure trace file properties.

trace-control

Can modify trace file settings and configure trace file properties.

view

Can use various commands to display current system-wide, routing table, and protocol-specific values and statistics. Cannot view the secret configuration.

view-configuration

Can view all of the configuration excluding secrets, system scripts, and event options.

Note: Only users with the maintenance permission can view commit script, op script, or event script configuration.

Allowing or Denying Individual Commands for Junos OS Login Classes

By default, each top-level CLI command has an associated access privilege level, and the permission flags on a login class determine which commands its users can execute and which statements they can view and configure. For each login class you can override those defaults: the allow-commands and deny-commands statements explicitly allow or deny operational mode commands, and the allow-configuration and deny-configuration statements explicitly allow or deny access to configuration hierarchy levels, regardless of what the permission flags specified in the permissions statement would otherwise permit or refuse. Each of these statements takes an extended regular expression. The following rules apply:

  • The all login class permission bits take precedence over extended regular expressions when a user issues the rollback command and the rollback permission flag is enabled.

  • Expressions used to allow and deny commands for users on RADIUS and TACACS+ servers have been simplified. Instead of a single, long expression with multiple commands (allow-commands=cmd1 cmd2 ... cmdn), you can specify each command as a separate expression. This new syntax is valid for allow-configuration, deny-configuration, allow-commands, deny-commands, and all user permission bits.

  • Users cannot issue the load override command when an extended regular expression is specified for their login class. Such users can issue only the load merge, load replace, and load patch configuration commands.

  • If you allow and deny the same commands, the allow-commands permissions take precedence over the permissions specified by the deny-commands. For example, if you include allow-commands "request system software add" and deny-commands "request system software add", the login class user is allowed to install software using the request system software add command.

  • Regular expressions for allow-commands and deny-commands can also include the commit, load, rollback, save, status, and update commands.

  • If you specify a regular expression for allow-commands and one for deny-commands that match two different variants of a command, the longest match always applies.

    For example, if you specify a regular expression for allow-commands with the commit-synchronize command and a regular expression for deny-commands with the commit command, users assigned to such a login class would be able to issue the commit synchronize command, but not the commit command. This is because commit-synchronize is the longest match between commit and commit-synchronize and it is specified for allow-commands.

    Likewise, if you specify a regular expression for allow-commands with the commit command and a regular expression for deny-commands with the commit-synchronize command, users assigned to such a login class would be able to issue the commit command, but not the commit-synchronize command. This is because commit-synchronize is the longest match between commit and commit-synchronize and it is specified for deny-commands.
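The class below wires the commit example from the preceding bullets into a login class, together with a deny-configuration statement that closes a hole the permission flags alone leave open. It is an added example, not configuration from the original page: the class name commit-sync-ops and the exact regular expressions are illustrative assumptions.

```junos
system {
    login {
        class commit-sync-ops {
            permissions [ configure view view-configuration interface-control ];
            /* Unanchored "commit" also matches "commit synchronize"; the longer allow-commands match wins, so only commit synchronize is permitted. */
            allow-commands "commit synchronize";
            deny-commands "commit";
            /* interface-control grants write access to [edit groups]; deny it, because statements in a group take effect wherever the group is applied. */
            deny-configuration "groups";
        }
    }
}
```

Two consequences of the rules above are worth checking after you commit this. First, because a regular expression is configured for the class, its users lose load override and keep only load merge, load replace, and load patch. Second, allow-commands takes precedence over deny-commands for the same command, so a deny regular expression cannot carve an exception out of a broader allow regular expression; write the allow expression to match only what the class should run, and confirm the effective expressions with show cli authorization as the affected user.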