
Defining Login Classes

All users who can log in to the router must be in a login class. With login classes, you define the following:

You can define any number of login classes. You then apply one login class to an individual user account, as described in Configuring User Accounts.

To define a login class and its access privileges, include the class statement at the [edit system login] hierarchy level:

[edit system login]
class class-name {
    allow-commands "regular-expression";
    allow-configuration "regular-expression";
    deny-commands "regular-expression";
    deny-configuration "regular-expression";
    idle-timeout minutes;
    permissions [ permissions ];
}

Use class-name to name the login class. The software contains a few predefined login classes, which are listed in Table 10. The predefined login classes cannot be modified.

Table 10: Default System Login Classes

| Login Class | Permission Flag Set |
| --- | --- |
| operator | clear, network, reset, trace, view |
| read-only | view |
| super-user | all |
| unauthorized | None |

Note: You cannot modify a predefined login class name. If you issue the set command on a predefined class name, the JUNOS software will append -local to the login class name. The following message also appears:

warning: '<class-name>' is a predefined class name; changing to '<class-name>-local'

Note: You cannot issue the rename or copy command on a predefined login class. Doing so results in the following error message:

error: target '<class-name>' is a predefined class
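
An added example (not from the JUNOS documentation): a small Python audit of login class stanzas written in the statement format shown above. It flags classes that reuse a predefined name from Table 10, omit idle-timeout, or grant the all permission flag with no deny statement. The sample configuration, the class names noc-tier1 and backup-admin, the regular expression, and the audit policy itself are assumptions of this example.

```python
import re

# Predefined class names from Table 10; a redefinition is stored as "<name>-local".
PREDEFINED = {"operator", "read-only", "super-user", "unauthorized"}

# Constructed sample configuration (class names and regex are hypothetical).
SAMPLE = '''
class noc-tier1 {
    idle-timeout 10;
    permissions [ view network ];
    deny-commands "request system";
}
class backup-admin {
    permissions [ all ];
}
class operator {
    idle-timeout 15;
    permissions [ view ];
}
'''

# Simplification: assumes no "}" appears inside a quoted regular expression.
CLASS_RE = re.compile(r"class\s+(\S+)\s*\{(.*?)\}", re.S)
STMT_RE = re.compile(r"^\s*([a-z-]+)\s+(.+?);\s*$", re.M)

def parse_classes(text):
    """Return {class-name: {statement: value}} for every class stanza."""
    return {name: dict(STMT_RE.findall(body)) for name, body in CLASS_RE.findall(text)}

def audit(text):
    """Return sorted (class-name, finding) pairs under this example's policy."""
    findings = []
    for name, stmts in parse_classes(text).items():
        # Accept both "[ a b ]" and a single bare flag.
        flags = stmts.get("permissions", "").strip("[] ").split()
        if name in PREDEFINED:
            findings.append((name, "predefined name; JUNOS stores it as %s-local" % name))
        if "idle-timeout" not in stmts:
            findings.append((name, "no idle-timeout"))
        if "all" in flags and not {"deny-commands", "deny-configuration"} & set(stmts):
            findings.append((name, "permissions all with no deny-* restriction"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print("%s: %s" % (name, finding))
```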

For each login class, you can do the following:

