Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation
Table of Contents
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Specifying Access Privileges Using allow/deny-configuration Statements

    You can specify extended regular expressions by using the allow-configuration and deny-configuration statements to define user access privileges to parts of the configuration hierarchy. Doing so overrides login class permission bits set for a user. You can also use wildcards to restrict access. When you define access privileges to parts of the configuration hierarchy, do the following:

    • Specify the full paths in the extended regular expressions with the allow-configuration and deny-configuration statements.
    • Use parentheses around an extended regular expression that connects two or more expressions with the pipe | symbol. For example:
      [edit system login class class-name]user@host# set deny-configuration "(system login class) | (system services)"

      Note: Each expression separated by a pipe (|) symbol must be a complete standalone expression, and must be enclosed in parentheses ( ). Do not use spaces between regular expressions separated with parentheses and connected with the pipe (|) symbol. You cannot define access to keywords such as set, edit, or activate.

    To explicitly allow an individual configuration mode hierarchy that would otherwise be denied, include the allow-configuration statement at the [edit system login class class-name] hierarchy level:

    [edit system login class class-name]allow-configuration "regular-expression";

    To explicitly deny an individual configuration hierarchy that would otherwise be allowed, include the deny-configuration statement at the [edit system login class class-name] hierarchy level:

    [edit system login class class-name]deny-configuration "regular-expression";

    You can include one deny-configuration and one allow-configuration statement in each login class.

    • Explicitly allowing configuration mode hierarchies or regular expressions using the allow-configuration statement adds to the regular permissions set using the permissions statement. Likewise, explicitly denying configuration mode hierarchies or regular expressions using the deny-configuration statement removes permissions for the specified configuration mode hierarchy, from the default permissions provided by the permissions statement.

      For example, if a login class has permissions configure and the allow-configuration statement includes the system services expression, the specified login class user can edit the configuration at the [edit system services] hierarchy level and issue configuration mode commands (such as commit), in addition to just entering the configuration mode using the configure command (the permissions specified by the configure permission flag). Likewise, if a login class has permissions all and the deny-configuration statement includes system services, the specified login class user can perform all operations allowed by the all permissions flag, except issuing configuration mode commands (such as commit) or modifying the configuration at the [edit system services] hierarchy level.

    • If you allow and deny the same set of configuration hierarchy levels, regular expressions, or commands, the allow-configuration statement permissions take precedence over the permissions specified by the deny-configuration statement. For example, if you include allow-configuration "system services"; and deny-configuration "system services";, the login class user can continue to edit the configuration or issue commands at the [edit system services] hierarchy level.
     

    Related Documentation

     

    Published: 2012-11-15

    Previous Page Next Page