CLI Command Privileges

You can change the privilege level of most commands by using the privilege command that is available in Global Configuration mode. To use this command, you must enable your CLI session to privilege level 15.

CLI Privilege Groups

You can change privilege group accessibility. Privilege groups are no longer required to be hierarchical. You can modify the privilege group membership and define which privilege group is a member of another privilege group.

A privilege group can contain commands and other privilege groups as members. A group always has access to commands in its own privilege group and in privilege group 0. By default, all groups have one member and a specific privilege group has access to all commands in all privilege groups with a lower number than the specific group.

A privilege group is reachable from another privilege group when it is a member of that privilege group, or a member of a group that is a member of that privilege group until a search of all member groups is exhausted. This can go through several recursions as long as there are no circular dependencies.

Privilege group 0 is not a member of any group and you cannot assign member groups to it, but it is reachable from every privilege group.

Numbers in the range 0—15 identify the 16 privilege groups. Each of the 16 groups can have a name or an alias. The default internal name is the privilege group number. By default, the groups are hierarchical and each group, with the exception of groups 1 and 0, contains one group. When a group contains a group, the contained group is a member of the original group: privilege group p has one member, privilege group p-1. For example, privilege group 15 has member 14, privilege group 14 has member 13, and privilege group 2 has member 1.

For hierarchical groups, groups 0 through 14 are reachable from privilege group 15, groups 0 through 13 are reachable from privilege group 14, groups 0 to 4 are reachable from 5, and so forth. Hierarchical groups can also contain other privilege groups. For example, group A is reachable from group B if group A is a member of group B or is a member of a group that is a member of group B. If group X has member Y and Y has member Z then Z is reachable from X.

You cannot configure circular dependencies. For example, you cannot configure a circular dependency where group X has member Y, Y has member Z, Z has member P, and X can reach Z and P. Group X cannot have member Z or P because Z and P are reachable through Y.

Examples Using Privilege Group Membership

In each of the following examples, privilege groups are at the default setting, where privilege group 0 is reachable from every privilege group, 15 contains 14, 14 contains 13, 13 contains 12, and so forth. The commands in each example change the privilege group settings from the default.

Example 1

In Example 1:

• Privilege group 11 does not contain any privilege groups
• Privilege group 15 contains group 10. Therefore, privilege group 10 and all groups contained or reachable from privilege group 10 are now reachable from privilege group 15.
• Because privilege group 15 already contains privilege group 14, all groups with the exception of privilege group 11 are reachable from privilege group 15.
• A command that is in privilege group 11 can only be executed by a user at privilege 11. A user at any other privilege does not have access to privilege group 11 commands.

Example 2

In Example 2:

• Privilege group 14 does not contain any privilege groups.
• Privilege group 15 contains two groups: 14 and 10. The privilege groups 0, 1, 2, 4, 5, 6, 7, 8, 9, 10, and 14 are reachable from privilege group 15.
• A user at privilege 15 does not have access to commands in privilege groups 11, 12, or 13.

Example 3

In Example 3:

• Commands are executed in the following sequence: 15 contains 14, 14 contains 13, 13 contains 12, and so forth,
• Privilege group 13 contains one privilege group: privilege group 10.
• The privilege groups 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, and 10 are reachable from privilege group 13.

Example 4

In Example 4:

• Commands are executed in the following sequence: 15 contains 14, 14 contains 13, 13 contains 12, and so forth.
• Privilege group 12 contains one privilege group: the privilege group 5.
• Privilege group 11 contains one privilege group: the privilege group 5.
• Privilege groups 0, 1, 2, 3, 4, 5 are reachable from privilege groups 12 and 11.

Example 5

In Example 5:

• Privilege group 9 contains no privilege groups.
• Privilege group 8 contains group 14.
• Privilege group 7 contains group 1.

Example 6

In Example 6, a number or name can specify the seven privilege groups 0, 5, 6, 7, 10, 13, and 15.

Example 7

In Example 7, privilege group 10 alias dailyAdmin has one member: privilege group 6 alias dailyTroll.

Example 8

Example 8 reverts one privilege group membership to its default setting. Prior to the execution of this command, the following group memberships were in place:

Reverting privilege group 9 to its default gives it one member: privilege group 8. This creates the circular dependency: 8 contains 12, 12 contains 11, 11 contains 10, 10 contains 9, and 9 contains 8.

Example 9

In Example 9, privilege group membership reverts to the default setting. All privilege groups revert to hierarchical settings: 15 contains 14, 14 contains 13, 13 contains 12, and so forth. Privilege group 0 is reachable from every privilege group.

Example 10

In this example, one privilege group membership reverts to its default setting. Privilege group 7 contains group 6.

Example 11

In Example 11, all alias settings are removed.

Example 12

host1#show privilege group

privilege      privilege          directly          all
 group          group              reachable      reachable
               alias              groups            groups *
----------    ----------        --------       -----------------
0             minUser           --             --
1             --                --             0
2             --                1              0 1
3             --                2              0 1 2
4             --                3              0 1 2 3
5             basicUser         4              0 1 2 3 4
6             dailyTroll        5              0 1 2 3 4 5
7             weekendAdmin      1              0 1
8             --                14             0 14
9             --                --             0
10            dailyAdmin        6              0 1 2 3 4 5 6
11            --                5              0 1 2 3 4 5
12            --                5              0 1 2 3 4 5
13            LI                10             0 1 2 3 4 5 6 10
14            --                --             0
15            superUser         10 14          0 1 2 3 4 5 6 10 14 15

*Privilege Group can reach itself 

Example 12 shows privilege group overrides in effect.

Example 13

host1#show privilege group 15 superUser
The following groups are directly reachable:
14
dailyAdmin

The following groups are reachable:
1
14
2
3
4
basicUser
dailyAdmin
dailyTroll
minUser

In Example 13, groups 14 and dailyAdmin are directly reachable and groups 1, 14, 2, 3, 4, basicUser, dailyAdmin, dailyTroll, and minUser are reachable.

privilege

• Use to change the privilege level of any command within a specified mode.
• Example 1

  host1(config)#privilege exec level 12 terminal width

• Example 2

  host1(config)#privilege exec all level 5 terminal

• Use the all keyword to change the privilege level of groups of commands. For more information, see Setting Privilege Levels for Multiple Commands.
• Use the reset version to restore the default privilege level for the command; issuing this command results in the show configuration command not showing the default privilege setting for the command.
• Use the no version to restore the default privilege level for the command; issuing this command results in the show configuration command showing the default privilege level of the command in its output.

  Note: You must access the CLI at privilege level 15 to view or use this command.

• privilege

privilege-group alias

• Use to give the privilege group name alias to the privilege group.
• Example

  host1(config-if)#privilege-group alias

• Use the no version to remove the privilege group alias.
• See privilege-group alias.

privilege-group membership

• Use to add the member group to or remove the member group from the privilege group.
• Example

  host1(config-if)#privilege-group membership

• Use the no version to restore one or all privilege groups to the default settings. When all privilege groups are reset to the default settings, the privilege group membership is hierarchical.
• See privilege-group membership.

privilege-group membership clear

• Use to clear a privilege group or all members from a privilege group.
• Example

  host1(config-if)#privilege-group membership clear

• There is no no version.
• See privilege-group membership clear.

CLI Command Exceptions

Changing command privilege levels can be a powerful security tool. However, changing the command privilege for some commands could render the CLI unusable and require you to reboot the router. To eliminate this possibility, the CLI does not allow you to remap the following commands:

• disable
• enable
• exit
• help
• privilege
• support

CLI Keyword Mapping

You cannot change the privilege level of keywords that are separated from the command string by a parameter in the command sequence. In other words, once the privilege algorithm reaches a parameter, the privilege algorithm that maps the commands to the desired privilege level stops and allows any keyword options that may follow in the command sequence. The algorithm then waits for a carriage return before looking at the next command sequence.

For example, you can change the command privilege level for the telnet command. However, because the telnet command is immediately followed by a variable (that is, a hostname or IP address) and not a keyword, you cannot change the privilege level for any keywords that follow the command.

Setting Privileges for Ambiguous Commands

The privilege command allows you to set command privilege levels for parts of commands that the CLI would normally consider ambiguous. In other words, you can set privilege levels by specifying letters that represent only the beginning part of a command or group of commands (even the first letter of a command or group of commands).

The following example sets the privilege level to 12 for any Exec mode (user or privileged) command that start with the letter “ t” :

The list of affected commands includes telnet, terminal, test, and traceroute.

The following example changes all the above commands, with the exception of the traceroute command, to level 15:

The following example changes all commands that start with the letters “ te” (for example, telnet, terminal, and test) and any second keyword that starts with the letter “ i” and follows a command that starts with the letters “ te” (for example, the keyword “ ip” in the command test ip) to level 1:

When you enter an ambiguous command and an exact match of the command is found, partial matches are ignored and are not modified.

For example, the traffic-class and traffic-class-group commands are available in Global Configuration mode. If you issue the privilege configure level 5 traffic-class command, an exact match is made to traffic-class, and traffic-class-group is not modified.

If you want to set the privilege level for both traffic-class and traffic-class-group and you do not want the exact match to be made to traffic-class, issue a partial command such as traffic-c. The privilege level of all commands that begin with traffic-c is modified.

Setting Privilege Levels for no or default Versions

The privilege command allows you to set command privilege levels for no and default versions of commands. However, setting the privilege level for either the no or default versions of a command does not set the privilege level of the affirmative version of the command. This means that you can have the no or default version of a command at a different privilege level than its affirmative version

Note: You can set the no or default command to a separate privilege level without specifying any other command to follow. This would force all commands that have a no or default version to function only for that privilege level and higher. For example, if you issue the privilege exec level 10 no command, all no versions in the Privileged Exec mode are available to users at level 10 and higher.

.

Setting Privilege Levels for Multiple Commands

The all keyword is a wildcard parameter that enables you to set privilege levels for multiple commands rather than setting them individually.

Setting Privilege Levels for All Commands in a Mode

You can set the privilege level for all commands within a specified mode. This setting includes all commands in modes that you can access from a specified mode.

If the command specified in the privilege command changes the configuration mode, all commands in the configuration will also be set to the specified privilege level. For more information about accessing modes, see Accessing Command Modes.

For example, issuing the configure command in Privileged Exec mode changes the configuration mode to Global Configuration. If you issue the privilege exec all level 5 configure command, all commands in Global Configuration mode become accessible to users who have CLI privileges at level 5 and higher. For more information about user privilege levels, see Privileged-Level Access.

Setting Privilege Levels for a Group of Commands

You can set the privilege level for a group of commands by using the beginning keyword in a command.

For example, if you issue the privilege configure all level 5 snmp command, all commands in Global Configuration mode that begin with snmp become accessible to users who have CLI privileges at level 5 and higher.

Using the Order of Precedence

The effectiveness of a privilege level that is set with the all keyword depends on its precedence level in the CLI. A privilege level is considered to be in effect only if a privilege level that is configured at a higher precedence level does not override it.

The CLI uses the following order of precedence:

1. Privilege level set for all commands within a mode, including modes that are accessed from another mode; for example, Global Configuration mode
2. Privilege level set for all commands that begin with the same keyword; for example, snmp commands
3. Privilege level set for individual commands; for example, snmp-server community

   Note: This order of precedence does not apply to privilege levels that are set without the all keyword.

In the following example, the privilege level of the snmp-server community command is set to level 11, the privilege level for all commands that begin with snmp is set to level 10, and the privilege level for all commands in Global Configuration mode is set to level 5.

The following show configuration output displays the privilege levels set above. The privilege levels for the snmp-server community command and the snmp-server group of commands are still present in the output. However, the privilege level of Global Configuration mode takes precedence, and the privilege levels of the other commands are rendered ineffective. Users can access all snmp commands at level 5 or higher.

Superseding Privilege Levels with the all Keyword

Issuing the all keyword supersedes privilege levels that were previously set without the all keyword.

In the following example, the snmp-server-community command is set to level 7, and the snmp keyword is set to level 6. The privilege level of the snmp keyword does not override the snmp-server community setting, because both of these commands are set without the all keyword.

All snmp commands are then changed to level 5 with the all keyword.

The show configuration output displays all snmp commands at level 5, superseding the existing level 6 setting. The snmp-server community command is still present in the show configuration output, but it is ineffective.

Removing the all Keyword

Using the no version or reset version removes the all keyword and restores default privilege levels.

If the privilege setting of the mode or command for which you are restoring default privilege levels takes precedence over any ineffective privilege settings, those settings will automatically take effect according to the order of precedence (see Using the Order of Precedence ).

The difference between the no version and the reset version is that the reset version removes the configuration from the show configuration output. This is useful when you want to remove a configuration that has been overridden and rendered ineffective by a privilege level that takes precedence.

Setting Default Line Privilege

The factory default privilege level for the console line and all vty lines is 1. However, you can use the privilege level command in Line Configuration mode to set the default login privilege for the console line or any number of vty lines.

To change the default privilege level:

1. Access line configuration mode on the router for the console.

   host1(config)#line console 0

   host1(config-line)#

   or on one or more vty lines

   host1(config)#line vty 0 12

   host1(config-line)#

   Note: The latter command configures vty lines 0 to 12.

2. Specify a starting privilege level for the line or lines.

   host1(config-line)#privilege level 5

   The default privilege level for the specified line (or lines) changes. The new values take effect immediately for any new users. If using the console line, you must exit out of the CLI and reestablish a connection before the default takes effect.

   If you are validating through RADIUS or TACACS+ and the server specifies an enable level, that enable level takes precedence over the line privilege level.

privilege level

• Use to change the default privilege level of the console line or one or more vty lines.
• Example

  host1(config-line)#privilege level 5

• Use the no or default version to restore the default privilege level for the command.

  Note: You must access the CLI at privilege level 15 to view or use this command.

• See privilege level.

Viewing CLI Privilege Information

You can view CLI privilege information for yourself (the current user), all connected users on the router, or for any modified CLI commands.

Viewing the Current User Privilege Level

Use the show privilege command to view your current privilege level.

show privilege

• Use to view your current privilege level.
• Example

  host1#show privilege

  Privilege level is 10

• There is no no version.
• See show privilege.

Viewing Privilege Levels for All Connected Users

Use the show users detail command to view the privilege levels for all users currently connected to the router. See Monitoring the FTP Server for information about the show users detail command.

Viewing Privilege Levels for Changed CLI Commands

Use the show configuration command to view the changed privilege levels for any modified CLI commands. See Saving the Current Configuration for information about the show configuration command.

Note: The show configuration command output displays output specific to the session access level. For example, if the session is enabled at level 5, issuing the show configuration command displays only output for commands at level 5 and below.

show privilege group

• Use to view the privilege groups.
• Example

  host1(config-if)#show privilege group superUser
  The following groups are directly reachable:
  14
  dailyAdmin

  The following groups are reachable:
  1
  14
  2
  3
  4
  basicUser
  dailyAdmin
  dailyTroll
  minUser

• There is no no version.
• See show privilege group.

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.