Specifying Access Privileges for JUNOS Software Operational Mode Commands
You can specify extended regular expressions with the allow-commands and deny-commands statements to define a user’s access privileges to individual operational commands. Doing so takes precedence over login class permission bits set for a user. You can include one deny-commands and one allow-commands statement in each login class.
To explicitly allow an individual operational mode command that would otherwise be denied, include the allow-commands statement at the [edit system login class class-name] hierarchy level.
To explicitly deny an individual operational mode command that would otherwise be allowed, include the deny-commands statement at the [edit system login class class-name] hierarchy level.
If the regular expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks. Regular expressions are not case-sensitive.
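The following is an added example, not part of the original page: a login class that uses both statements on top of its permission bits. The class name noc-tier1, the user name tier1-operator, and the commands chosen are assumptions for illustration.

```junos
system {
    login {
        # Hypothetical class name; the commands below are illustrative.
        class noc-tier1 {
            # Permission bits set the baseline: view and clear commands only.
            permissions [ view clear ];

            # Only one allow-commands statement is accepted per class, so
            # alternatives are grouped with ( ) and joined with | inside a
            # single quoted expression. These commands are not granted by
            # the permission bits above and are explicitly allowed here.
            allow-commands "(request system reboot)|(request system snapshot)";

            # Likewise only one deny-commands statement per class. These
            # commands would otherwise be permitted by the clear bit and
            # are explicitly denied here.
            deny-commands "(clear bgp)|(clear ospf)";
        }

        # Hypothetical user assigned to the class (authentication omitted).
        user tier1-operator {
            class noc-tier1;
        }
    }
}
```

Both expressions are quoted because they contain spaces and operators. After committing, log in as a user of the class to confirm that the denied commands are rejected and the allowed ones run.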
Note: Modifiers are not supported within the regular expression string to be matched. If a modifier is used, then nothing is matched. For example, the deny command set protocols does not match anything, whereas protocols matches protocols.
