• Download PDF: Configuring an SRC Login Class 

• Related Topics
• Configuring Login Classes (C-Web Interface)
• Configuring a System Login Announcement (SRC CLI)
• Viewing Information About the Users on the System
• Configuring Authentication for SRC User Accounts
• Example: SRC User Accounts

Configuring an SRC Login Class

Use the following configuration statements to configure login classes at the [edit] hierarchy level:

system login class name {

allow-commands allow-commands;

allow-configuration allow-configuration;

deny-commands deny-commands;

deny-configuration deny-configuration;

idle-timeout idle-timeout;

permissions

}

To configure a login class:

1. From configuration mode, access the configuration statement that configures login classes, and assign a name to the login class.

   [edit]

   user@host# edit system login class name

2. Specify the permissions for the login class.

   [edit system login class name ]

   user@host# set permissions permissions

   For example, the following statement specifies that the user-account class can configure and view only user accounts:

   [edit system login class user-accounts]

   user@host# set permissions [configure admin admin-control]

   The following statement specifies that the network-mgmt class can configure and view only SNMP parameters:

   [edit system login class network-mgmt]

   user@host# set permissions [configure snmp snmp-control]

3. (Optional) Configure access to specified operational mode commands that would otherwise be denied.

   [edit system login class name ]

   user@host# set allow-commands allow-commands

   For example, the following statement specifies that the network-mgmt class can install system software:

   [edit system login class network-mgmt]

   user@host# set allow-commands "request system install"

4. (Optional) Deny access to specified operational mode commands that would otherwise be allowed.

   [edit system login class class-name ]

   user@host# set deny-commands deny-commands

   For example, the following statement specifies that the remote class cannot connect to the SRC software through Telnet:

   [edit system login class remote]

   user@host# set deny-commands telnet

5. (Optional) Configure access to specified configuration mode commands that would otherwise be denied.

   [edit system login class name ]

   user@host# set allow-configuration allow-configuration

   For example, the following statement specifies that the network-mgmt class can issue configuration mode commands at the [routing-options] hierarchy level:

   [edit system login class network-mgmt]

   user@host# set allow-configuration “ routing options”

6. (Optional) Deny access to specified configuration mode commands that would otherwise be allowed.

   [edit system login class name ]

   user@host# set deny-configuration deny-configuration

   For example, the following statement specifies that the network-mgmt class does not have access to the [snmp address] hierarchy level:

   [edit system login class network-mgmt]

   user@host# set deny-configuration “ snmp address”

7. Specify the number of minutes that a session can be idle before it is automatically closed.

   [edit system login class class-name]

   user@host# set idle-timeout minutes

8. Display the results of the configuration.

   [edit system login]
   user@host# show
   
   

   class network-mgmt {
     allow-commands "request system install";
     allow-configuration routing-options;
   deny-configuration "snmp address";
   }
   class remote {
     deny-configuration "system services telnet";
     permissions all;
   }
   

Examples: Configuring Access Privileges for SRC Operational Mode Commands

The following example allows access to the request system reboot command for the login class operator-and-boot that has operator privileges defined by the clear, network, reset, and view permissions.

[edit system login class operator-and-boot]

user@host# set permissions [ clear network reset view ]

user@host# set allow-commands "request system reboot"

The following example denies access to set commands for the login class operator-no-set that has operator privileges defined by the clear, network, reset, and view permissions.

[edit system login class operator-no-set]

user@host# set permissions [ clear network reset view ]

user@host# set deny-commands "set"

The following example allows software installation but denies access to the show nic command for the login class operator-no-set that has operator privileges defined by the clear, network, reset, and view permissions.

[edit system login class operator-and-install-no-nic]

user@host# set permissions [ clear network reset view ]

user@host# set allow-commands "request system install"

user@host# set deny-commands "show nic"

Examples: Defining Access Privileges for SRC Configuration Mode Commands

The following example does not allow access the C-series Controller through a Telnet session for the login class remote that has permission set to all :

[edit system login class remote]

user@host# set permissions all

user@host# set deny-configuration "system services telnet"

The following example does not allow access to any login class whose name begins with “ m” for the login class local that has permission set to all:

[edit system login class local]

user@host# set permissions all

user@host# set deny-configuration "system login class m.*"

The following example does not allow access to configuration mode commands at the [system login class] or [system services hierarchy] levels for the login class config-admin that has permission set to all:

[edit system login class config-admin]

user@host# set permissions all

user@host# set deny-configuration "(system login class) | (system services)"