 | Copyright © 2008, Juniper Networks, Inc. All Rights Reserved. Trademark Notice. | |
Use the following configuration statements to configure login classes at the [edit] hierarchy level:
- system login class name {
- allow-commands allow-commands;
- allow-configuration allow-configuration;
- deny-commands deny-commands;
- deny-configuration deny-configuration;
- idle-timeout idle-timeout;
- permissions
- }
To configure a login class:
For example, the following statement specifies that the user-account class can configure and view only user accounts:
The following statement specifies that the network-mgmt class can configure and view only SNMP parameters:
For example, the following statement specifies that the network-mgmt class can install system software:
For example, the following statement specifies that the remote class cannot connect to the SRC software through Telnet:
For example, the following statement specifies that the network-mgmt class can issue configuration mode commands at the [routing-options] hierarchy level:
For example, the following statement specifies that the network-mgmt class does not have access to the [snmp address] hierarchy level:
[edit system login] user@host# show
class network-mgmt {
allow-commands "request system install";
allow-configuration routing-options;
deny-configuration "snmp address";
}
class remote {
deny-configuration "system services telnet";
permissions all;
}
Examples: Configuring Access Privileges for SRC Operational Mode Commands
The following example allows access to the request system reboot command for the login class operator-and-boot that has operator privileges defined by the clear, network, reset, and view permissions.
- [edit system login class operator-and-boot]
- user@host# set permissions [ clear network
reset view ]
- user@host# set allow-commands "request system
reboot"
The following example denies access to set commands for the login class operator-no-set that has operator privileges defined by the clear, network, reset, and view permissions.
- [edit system login class operator-no-set]
- user@host# set permissions [ clear network
reset view ]
- user@host# set deny-commands "set"
The following example allows software installation but denies access to the show nic command for the login class operator-no-set that has operator privileges defined by the clear, network, reset, and view permissions.
- [edit system login class operator-and-install-no-nic]
- user@host# set permissions [ clear network
reset view ]
- user@host# set allow-commands "request system
install"
- user@host# set deny-commands "show nic"
Examples: Defining Access Privileges for SRC Configuration Mode Commands
The following example does not allow access the C-series Controller through a Telnet session for the login class remote that has permission set to all :
- [edit system login class remote]
- user@host# set permissions all
- user@host# set deny-configuration "system
services telnet"
The following example does not allow access to any login class whose name begins with “ m” for the login class local that has permission set to all:
- [edit system login class local]
- user@host# set permissions all
- user@host# set deny-configuration "system
login class m.*"
The following example does not allow access to configuration mode commands at the [system login class] or [system services hierarchy] levels for the login class config-admin that has permission set to all:
- [edit system login class config-admin]
- user@host# set permissions all
- user@host# set deny-configuration "(system
login class) | (system services)"
| Copyright © 2008, Juniper Networks, Inc. All Rights Reserved. Trademark Notice. | |