
Defining Operational Mode Commands to Allow in an Op Script

 

Operation (op) scripts automate operational mode tasks and network troubleshooting on devices running Junos OS, and they can execute operational mode commands from within the script. By default, a user who executes a script cannot run, from within that script, operational mode commands that their login class does not normally permit. Starting in Junos OS Release 14.2, you can configure operational mode commands that a particular op script is allowed to execute. This permission applies to all users: the commands that you specify are executed even if the user who executes the script does not have permission to execute them.

Note

Execution of configuration mode commands is not supported by this feature.

Note

The allow-commands statement is only supported for op scripts that are local to the device. Remote op scripts that are executed using the op url command do not support executing unauthorized operational mode commands even when you configure the allow-commands statement.

In the following example, the sam.slax script contains this code:

The op script sam.slax uses the set date operational mode command, which is not permitted for user user1, who has view permissions.

To configure the sam.slax op script to execute the set date operational mode command (you must be a user in the Junos OS super-user login class):

User user1 can now successfully execute the op script.

To define the operational mode commands to allow in an op script:

  1. Navigate to the op script where you want to allow operational mode commands.

    Note

    Only users who belong to the Junos OS super-user login class can configure op scripts.

  2. Define the operational mode commands to allow.

  3. Commit the configuration.
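
Because an allow-commands entry applies to every user who can run the script, it is worth reviewing how much each entry grants. The following is an added example, not code from the original page or from Juniper: it audits configuration text in display-set form. The sample configuration, the sensitive-command list, the audit helper, and the treatment of the allow-commands value as a start-anchored regular expression evaluated with Python's re module are all assumptions.

```python
import re

# Constructed sample in "display set" form (not taken from the page).
SAMPLE_CONFIG = '''\
set system scripts op file sam.slax allow-commands "set date.*"
set system scripts op file cleanup.slax allow-commands ".*"
set system scripts op file report.slax description "interface report"
set system scripts op file diag.slax allow-commands "(show .*)|(request system .*)"
'''

# allow-commands under [edit system scripts op file <name>]; value assumed to be a regex.
STATEMENT = re.compile(
    r'^set system scripts op file (\S+) allow-commands\s+"?(.*?)"?\s*$')

# Commands the reviewer treats as sensitive (constructed list; tune per site).
SENSITIVE = ["set date 202501010000.00", "request system reboot",
             "clear log messages", "file delete /var/tmp/example"]
SENTINEL = "zz-not-a-real-command"  # only a match-anything pattern accepts this


def audit(config_text, sensitive=SENSITIVE):
    """Return one finding per op script that carries allow-commands."""
    findings = []
    for line in config_text.splitlines():
        m = STATEMENT.match(line.strip())
        if not m:
            continue  # other statements (description, checksum, ...) grant nothing
        script, pattern = m.groups()
        finding = {"script": script, "pattern": pattern, "error": None,
                   "grants": [], "unbounded": False}
        try:
            # Assumption: the pattern is anchored at the start of the command.
            rx = re.compile(pattern)
        except re.error as exc:
            finding["error"] = str(exc)  # unparseable entry: flag for manual review
        else:
            finding["grants"] = [c for c in sensitive if rx.match(c)]
            finding["unbounded"] = bool(rx.match(SENTINEL))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        flag = "UNBOUNDED" if f["unbounded"] else "scoped"
        print(f'{f["script"]:14} {flag:10} {f["pattern"]!r} -> {f["grants"]}')
```

An entry flagged as unbounded lets any user who can run that script execute any operational mode command through it, so such entries should be narrowed to the specific commands the script needs.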