



Hierarchy Level

Release Information

Statement introduced in Junos OS Release 18.1.


Configure authorizations for operational mode commands using regular expressions. Use the allow-commands-regexps statement to explicitly authorize commands that would otherwise be denied by an access privilege level.

For the allow-commands-regexps and deny-commands-regexps statements, you configure a set of strings in which each string is a regular expression enclosed in double quotes, with the strings separated by spaces. Each string is evaluated against the full path of the command, which provides faster matching than the allow/deny-commands statements. You can also include values for variables in the regular expressions, which the allow/deny-commands statements do not support.

The statement deny-commands-regexps takes precedence if it is used in the same login class definition.


The allow/deny-commands and allow/deny-commands-regexps statements are mutually exclusive and cannot be configured together for a login class. At a given point in time, a login class can include either the allow/deny-commands statement, or the allow/deny-commands-regexps statement. If you have existing configurations using the allow/deny-commands statements, using the same configuration options with the allow/deny-commands-regexps statements might not produce the same results, as the search and match methods differ in the two forms of these statements.
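
A login class that uses both statements, as an added example rather than configuration taken from the Junos documentation. The class name noc-stats, the interface and hostname patterns, and the choice of commands are assumptions made for illustration.

```junos
/* Added example: class name and patterns are constructed for illustration. */
system {
    login {
        class noc-stats {
            /* Baseline privilege level. "view" alone does not authorize
               clear commands, so they must be allowed explicitly. */
            permissions view;
            /* Each quoted string is one regular expression, evaluated against
               the full command path. Both patterns include values for
               variables (interface name, hostname). */
            allow-commands-regexps [ "clear interfaces statistics (ge|xe)-.*" "clear arp hostname .*" ];
            /* Overlaps the first allow pattern. deny-commands-regexps takes
               precedence within the same class, so the intent is that
               counters on ge-0/0/0 cannot be cleared by this class. */
            deny-commands-regexps [ "clear interfaces statistics ge-0/0/0.*" ];
            /* Do not add allow-commands or deny-commands to this class:
               the two forms are mutually exclusive. */
        }
    }
}
```

Because the search and match methods differ from allow/deny-commands, verify the resulting authorizations by logging in as a user of the class before relying on patterns migrated from the older statements.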

Authorizations can also be configured remotely by specifying Juniper Networks vendor-specific TACACS+ attributes in your authentication server's configuration. For a remote user, when authorization parameters are configured both remotely and locally, both sets are considered together for authorization. For a local user, only the authorization parameters configured locally for the class are considered.


If you do not configure authorizations for operational mode commands using allow/deny-commands or allow/deny-commands-regexps, users can edit only those commands for which they have access privileges set with the permissions statement.


regular expression—Extended (modern) regular expression as defined in POSIX 1003.2. If the regular expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks. Enter as many expressions as needed.

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.