[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring an SRC Login Class

Use the following configuration statements to configure login classes at the [edit] hierarchy level:

system login class name {
allow-commands allow-commands;
allow-configuration allow-configuration;
deny-commands deny-commands;
deny-configuration deny-configuration;
idle-timeout idle-timeout;
permissions
}

To configure a login class:

  1. From configuration mode, access the configuration statement that configures login classes, and assign a name to the login class.
    [edit]
    user@host# edit system login class name
  2. Specify the permissions for the login class.
    [edit system login class name ]
    user@host# set permissions permissions

    For example, the following statement specifies that the user-account class can configure and view only user accounts:

    [edit system login class user-accounts]
    user@host# set permissions [configure admin admin-control]

    The following statement specifies that the network-mgmt class can configure and view only SNMP parameters:

    [edit system login class network-mgmt]
    user@host# set permissions [configure snmp snmp-control]
  3. (Optional) Configure access to specified operational mode commands that would otherwise be denied.
    [edit system login class name ]
    user@host# set allow-commands allow-commands

    For example, the following statement specifies that the network-mgmt class can install system software:

    [edit system login class network-mgmt]
    user@host# set allow-commands "request system install"
  4. (Optional) Deny access to specified operational mode commands that would otherwise be allowed.
    [edit system login class class-name ]
    user@host# set deny-commands deny-commands

    For example, the following statement specifies that the remote class cannot connect to the SRC software through Telnet:

    [edit system login class remote]
    user@host# set deny-commands telnet
  5. (Optional) Configure access to specified configuration mode commands that would otherwise be denied.
    [edit system login class name ]
    user@host# set allow-configuration allow-configuration

    For example, the following statement specifies that the network-mgmt class can issue configuration mode commands at the [routing-options] hierarchy level:

    [edit system login class network-mgmt]
    user@host# set allow-configuration “ routing options”
  6. (Optional) Deny access to specified configuration mode commands that would otherwise be allowed.
    [edit system login class name ]
    user@host# set deny-configuration deny-configuration

    For example, the following statement specifies that the network-mgmt class does not have access to the [snmp address] hierarchy level:

    [edit system login class network-mgmt]
    user@host# set deny-configuration “ snmp address”
  7. Specify the number of minutes that a session can be idle before it is automatically closed.
    [edit system login class class-name]
    user@host# set idle-timeout minutes
  8. Display the results of the configuration. 
    [edit system login]
user@host# show


    

    class network-mgmt {
  allow-commands "request system install";
  allow-configuration routing-options;
deny-configuration "snmp address";
}
class remote {
  deny-configuration "system services telnet";
  permissions all;
}

    

    9. 





Examples: Configuring Access Privileges for SRC Operational
Mode Commands



 







The following example allows access to the request
system reboot command for the login class operator-and-boot that
has operator privileges defined by the clear, network, reset, and
view permissions.





[edit system login class operator-and-boot] 


user@host# set permissions [ clear network
reset view ] 



user@host# set allow-commands "request system
reboot" 








The following example denies access to set commands for the login class operator-no-set that has operator
privileges defined by the clear, network, reset, and view permissions.





[edit system login class operator-no-set] 


user@host# set permissions [ clear network
reset view ] 



user@host# set deny-commands "set" 








The following example allows software
installation but denies access to the show nic command for
the login class operator-no-set that has operator privileges defined
by the clear, network, reset, and view permissions.





[edit system login class operator-and-install-no-nic]


user@host# set permissions [ clear network
reset view ] 



user@host# set allow-commands "request system
install"


user@host# set deny-commands "show nic" 









Examples: Defining Access Privileges for SRC Configuration
Mode Commands



The following example does not allow access the C-series Controller
through a Telnet session for the login class remote that has permission
set to all :





[edit system login class remote]


user@host# set permissions all 



user@host# set deny-configuration "system
services telnet" 








The following example does not allow access to any
login class whose name begins with “ m”  for the login
class local that has permission set to all:





[edit system login class local]


user@host# set permissions all 



user@host# set deny-configuration "system
login class m.*"  








The following example does not allow access to configuration
mode commands at the [system login class] or [system
services hierarchy] levels for the login class config-admin that
has permission set to all:





[edit system login class config-admin]


user@host# set permissions all 



user@host# set deny-configuration "(system
login class) | (system services)" 








Related Topics




[Contents]
[Prev]
[Next]

[Index]

[Report an Error]










Copyright © 2009, Juniper Networks, Inc.
All rights reserved.
	Trademark Notice.