
CLI Privilege Groups

You can change privilege group accessibility. Privilege groups are no longer required to be hierarchical. You can modify the privilege group membership and define which privilege group is a member of another privilege group.

A privilege group can contain commands and other privilege groups as members. A group always has access to commands in its own privilege group and in privilege group 0. By default, all groups have one member, and a given privilege group has access to all commands in all privilege groups with a lower number than its own.

A privilege group is reachable from another privilege group when it is a member of that privilege group, or a member of a group that is a member of that privilege group, and so on until the search of all member groups is exhausted. The search can recurse through several levels as long as there are no circular dependencies.

Privilege group 0 is not a member of any group and you cannot assign member groups to it, but it is reachable from every privilege group.

Numbers in the range 0 through 15 identify the 16 privilege groups. Each of the 16 groups can have a name or an alias. The default internal name is the privilege group number. By default, the groups are hierarchical and each group, with the exception of groups 1 and 0, contains one group. When a group contains a group, the contained group is a member of the original group: privilege group p has one member, privilege group p-1. For example, privilege group 15 has member 14, privilege group 14 has member 13, and privilege group 2 has member 1.

For hierarchical groups, groups 0 through 14 are reachable from privilege group 15, groups 0 through 13 are reachable from privilege group 14, groups 0 to 4 are reachable from 5, and so forth. Hierarchical groups can also contain other privilege groups. For example, group A is reachable from group B if group A is a member of group B or is a member of a group that is a member of group B. If group X has member Y and Y has member Z then Z is reachable from X.

You cannot configure circular dependencies. For example, you cannot configure a circular dependency where group X has member Y, Y has member Z, Z has member P, and X can reach Z and P. Group X cannot have member Z or P because Z and P are reachable through Y.
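
The reachability and membership rules above can be modeled to audit which groups' commands a given privilege group ends up with. The following is an added example, not code from the product or its documentation; the function names and the sample group numbers are assumptions chosen for illustration.

```python
GROUPS = range(16)  # privilege groups 0 through 15, as described on the page

def default_members():
    """Default hierarchy: group p (p >= 2) has the single member p-1."""
    return {p: ({p - 1} if p >= 2 else set()) for p in GROUPS}

def reachable(members, group):
    """Groups reachable from `group` by following membership transitively."""
    seen, stack = {0}, list(members[group])  # group 0 is reachable from every group
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(members[g])
    seen.discard(group)  # a group's own commands are always available; not listed
    return seen

def check_add_member(members, group, new):
    """Return None if `new` may become a member of `group`, else the reason not."""
    if group == 0:
        return "group 0 cannot have members"
    if new == 0:
        return "group 0 is not a member of any group"
    if new == group or group in reachable(members, new):
        return "circular dependency"
    if new in reachable(members, group):
        # models the page's X/Y/Z/P rule: Z is already reachable through Y
        return "already reachable"
    return None

def sample_chain():
    """Constructed non-hierarchical sample: X=12, Y=8, Z=5, P=3."""
    members = {g: set() for g in GROUPS}
    members[12], members[8], members[5] = {8}, {5}, {3}
    return members

if __name__ == "__main__":
    m = sample_chain()
    print("reachable from 12:", sorted(reachable(m, 12)))
    for group, new in [(12, 5), (3, 12), (12, 14), (0, 4)]:
        print(f"add {new} to {group}:", check_add_member(m, group, new) or "allowed")
```

Running `reachable` for every group after a membership change shows the full set of command groups each privilege group has gained, which is the figure to review when groups are no longer hierarchical.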

