[Contents] [Prev] [Next] [Index] [Report an Error]

Specifying Configuration Mode Commands

You can specify extended regular expressions with the allow-configuration and deny-configuration attributes to define user access privileges to parts of the configuration hierarchy or individual configuration mode commands. Doing so overrides any login class permission flags set for a user. You can also use wildcards to restrict access. When you define access privileges to parts of the configuration hierarchy or individual configuration mode commands, do the following:

For more information about how to use wildcards, see Table 9.

To explicitly allow an individual configuration mode command that would otherwise be denied, include the allow-configuration statement at the [edit system login class class-name] hierarchy level:

[edit system login class class-name]
allow-configuration regular-expression;

To explicitly deny an individual configuration mode command that would otherwise be allowed, include the deny-configuration statement at the [edit system login class class-name] hierarchy level:

[edit system login class class-name]
deny-configuration regular-expression;

If the regular expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks. Regular expressions are not case-sensitive.

You can include one deny-configuration and one allow-configuration statement in each login class.

Use extended regular expressions to specify which configuration mode commands are denied or allowed. You specify these regular expressions in the allow-configuration and deny-configuration statements at the [edit system login class] hierarchy level, or by specifying attributes, that are specific to JUNOS, in your TACACS+ or RADIUS authentication server’s configuration. You must specify that these regular expressions are sent as the value of Juniper Networks vendor-specific attributes. If regular expressions are received during TACACS+ or RADIUS authentication, they merge with any regular expressions configured on the local router. For information about TACACS+ or RADIUS authentication, see the JUNOS System Basics Configuration Guide.

Command regular expressions implement the extended (modern) regular expressions, as defined in POSIX 1003.2. Table 9 lists common regular expression operators.

Table 9: Configuration Mode Commands—Common Regular Expression Operators

Operator

Match...

|

One of two or more terms separated by the pipe. Each term must be a complete standalone expression enclosed in parentheses ( ), with no spaces between the pipe and the adjacent parentheses. For example, (show system alarms)|(show system software).

^

At the beginning of an expression, used to denote where the command begins, and where there might be some ambiguity.

$

Character at the end of a command. Used to denote a command that must be matched exactly up to that point. For example, allow-command "show interfaces$" means that the user can issue the show interfaces command but cannot issue the show interfaces detail or show interfaces extensive command.

[ ]

Range of letters or digits. To separate the start and end of a range, use a hyphen ( - ).

( )

A group of commands indicating a complete, standalone expression to be evaluated; the result is then evaluated as part of the overall expression. Parantheses must always be used in conjunction with pipe operators as explained previously.

*

Zero or more terms.

+

One or more terms.

.

Any character except for a space " ".
[Contents] [Prev] [Next] [Index] [Report an Error]

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.