allow-commands-regexps

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 18.1.

Description

Configure authorizations for operational mode commands using regular expressions. You can use the allow-commands-regexps statement to explicitly allow authorization for commands that would otherwise be denied by an access privilege level.

For allow/deny-commands-regexps statements, you configure a set of strings in which each string is a regular expression, enclosed in double quotes and separated with a space operator. Each string is evaluated against the full path of the command, which provides faster matching than the allow/deny-command statements. You can also include values for variables in the regular expressions, which is not supported using allow/deny-commands.

The statement deny-commands-regexps takes precedence if it is used in the same login class definition.

Authorizations can also be configured remotely by specifying Juniper Networks vendor-specific TACACS+ attributes in your authentication server's configuration. For a remote user, when the authorization parameters are configured both remotely and locally, authorization parameters configured remotely and locally are both considered together for authorization. For a local user, only the authorization parameters configured locally for the class are considered.

Default

If you do not configure authorizations for operational mode commands using allow/deny-commands or allow/deny-commands-regexps, users can edit only those commands for which they have access privileges set with the permissions statement.

Options

regular expression—Extended (modern) regular expression as defined in POSIX 1003.2. If the regular expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks. Enter as many expressions as needed.

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.