[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring Access Privilege Levels

Each top-level command-line interface (CLI) command and each configuration statement has an access privilege level associated with it. Users can execute only those commands and configure and view only those statements for which they have access privileges. The privilege level for each command and statement is listed in the summary chapter of the part in which that command or statement is described. The access privileges for each login class are defined by one or more permission flags.

To configure access privilege levels, include the permissions statement at the [edit system login class class-name] hierarchy level:



[edit system login class class-name]

permissions [ permissions ];

permissions specifies one or more of the permission flags listed in Table 11. Permission flags are not cumulative, so for each class you must list all the permission flags needed, including view to display information and configure to enter configuration mode. Two forms for the permissions control the individual parts of the configuration:

“Plain” form—Provides read-only capability for that permission type. An example is interface.
Form that ends in -control—Provides read and write capability for that permission type. An example is interface-control.

Table 11: Login Class Permission Flags

Permission Flag	Description
access	Can view the access configuration in configuration mode using the show configuration operational mode command.
access-control	Can view and configure access information at the [edit access] hierarchy level.
admin	Can view user account information in configuration mode and with the show configuration command.
admin-control	Can view user accounts and configure them at the [edit system login] hierarchy level.
all	Has all permissions.
clear	Can clear (delete) information learned from the network that is stored in various network databases using the clear commands.
configure	Can enter configuration mode using the configure command.
control	Can perform all control-level operations—all operations configured with the -control permission flags.
field	Reserved for field (debugging) support.
firewall	Can view the firewall filter configuration in configuration mode.
firewall-control	Can view and configure firewall filter information at the [edit firewall] hierarchy level.
floppy	Can read from and write to the removable media.
flow-tap	Can view the flow-tap configuration in configuration mode.
flow-tap control	Can view the flow-tap configuration in configuration mode and can configure flow-tap configuration information at the [edit services flow-tap] hierarchy level.
flow-tap-operation	Can make flow-tap requests to the router. For example, a Dynamic Tasking Control Protocol (DTCP) client must authenticate itself to JUNOS as an administrative user. That account must have flow-tap-operation permission. Note: flow-tap operation is not included in the all permission.
interface	Can view the interface configuration in configuration mode and with the show configuration operational mode command.
interface-control	Can view the interface configuration in configuration mode and with the show configuration operational mode command.
maintenance	Can perform system maintenance, including starting a local shell on the router and becoming the superuser in the shell using the su root command, and can halt and reboot the router using the request system commands.
network	Can access the network by entering the ping, SSH, telnet, and traceroute commands.
reset	Can restart software processes using the restart command and can configure whether software processes are enabled or disabled at the [edit system processes] hierarchy level.
rollback	Can use the rollback command to return to a previously committed configuration other than the most recently committed one.
routing	Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes.
routing-control	Can view general routing, routing protocol, and routing policy configuration information and configure general routing at the [edit routing-options] hierarchy level, routing protocols at the [edit protocols] hierarchy level, and routing policy at the [edit policy-options] hierarchy level.
secret	Can view passwords and other authentication keys in the configuration.
secret-control	Can view passwords and other authentication keys in the configuration and can modify them in configuration mode.
security	Can view security configuration in configuration mode and with the show configuration operational mode command.
security-control	Can view and configure security information at the [edit security] hierarchy level.
shell	Can start a local shell on the router by entering the start shell command.
snmp	Can view Simple Network Management Protocol (SNMP) configuration information in configuration and operational modes.
snmp-control	Can view SNMP configuration information and modify SNMP configuration at the [edit snmp] hierarchy level.
system	Can view system-level information in configuration and operational modes.
system-control	Can view system-level configuration information and configure it at the [edit system] hierarchy level.
trace	Can view trace file settings in configuration and operational modes.
trace-control	Can view trace file settings and configure trace file properties.
view	Can use various commands to display current systemwide, routing table, and protocol-specific values and statistics. Cannot view secret configuration.

Example: Configuring Access Privilege Levels

Create two access privilege classes on the router, one for configuring and viewing user accounts only and the second for configuring and viewing SNMP parameters only:



[edit]
system {


login {


class user-accounts {
permissions [ configure admin admin-control ]; 
}




class network-mgmt {
permissions [ configure snmp snmp-control ];
}


}


}

[Contents] [Prev] [Next] [Index] [Report an Error]