
Allowing or Denying Individual Commands

By default, all top-level CLI commands have associated access privilege levels. Users can execute only those commands and view only those statements for which they have access privileges. For each login class, you can explicitly deny or allow the use of operational and configuration mode commands that the privilege levels specified in the permissions statement would otherwise permit or deny. For information about CLI commands, see the JUNOS CLI User Guide.

Note: The all login class permission flags take precedence over extended regular expressions when a user with rollback permission issues the rollback command.

Expressions used to allow and deny commands for users on RADIUS/TACACS+ servers have been simplified. Instead of a single, long expression with multiple commands (for example, allow-command=cmd1 cmd2 cmdn), you can specify each command as a separate expression. This new syntax is valid for allow-configuration, deny-configuration, allow-command, deny-command, and user-permissions.

Users cannot issue the load override command when specifying an extended regular expression. Users can only issue the merge, replace, and patch configuration commands.
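The following configuration is an added illustration, not taken from the original guide, of login classes that widen or narrow what the permissions statement alone would grant. The class names and regular expressions are constructed for the example; the statements shown (permissions, allow-commands, deny-commands, deny-configuration) are configured under the system login class hierarchy.

```junos
system {
    login {
        /* Constructed class: the listed flags do not include maintenance,
           so "request system reboot" is normally unavailable.
           allow-commands adds that one command back. */
        class operator-and-boot {
            permissions [ clear network reset trace view ];
            allow-commands "request system reboot";
        }
        /* Constructed class: maintenance would normally permit these
           operational commands; deny-commands removes them. */
        class maint-no-shutdown {
            permissions [ view maintenance ];
            deny-commands "request system (halt|power-off|zeroize)";
        }
        /* Constructed class: interface-control would normally permit
           editing every interface; deny-configuration removes the
           management interface hierarchy from what the class may change. */
        class if-editor {
            permissions [ view configure interface interface-control ];
            deny-configuration "interfaces fxp0";
        }
    }
}
```

After committing, log in as a user assigned to each class and confirm that the allowed command is available and the denied commands and hierarchy are rejected, since an expression that does not match as intended fails silently.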

This section describes how to define a user’s access privileges to individual operational and configuration mode commands. It contains the following topics:

