Specifying Access Privileges for JUNOS Software Configuration Mode Commands
You can specify extended regular expressions with the allow-configuration and deny-configuration attributes to define user access privileges to parts of the configuration hierarchy or individual configuration mode commands. Doing so overrides login class permission bits set for a user. You can also use wildcards to restrict access. When you define access privileges to parts of the configuration hierarchy or individual configuration mode commands, do the following:
- Specify the full paths in the extended regular expressions with the allow-configuration and deny-configuration attributes.
- Enclose parentheses around an extended regular expression that connects two or more expressions with the pipe | symbol. For example:
  [edit system login class class-name]
  user@host# set deny-configuration "(system login class)|(system services)"

Note: Each expression separated by a pipe (|) symbol must be a complete standalone expression, and must be enclosed in parentheses ( ). Do not use spaces between regular expressions separated with parentheses and connected with the pipe (|) symbol. You cannot define access to keywords such as set, edit, or activate.
To explicitly allow an individual configuration mode command that would otherwise be denied, include the allow-configuration statement at the [edit system login class class-name] hierarchy level:
To explicitly deny an individual configuration mode command that would otherwise be allowed, include the deny-configuration statement at the [edit system login class class-name] hierarchy level:
You can include one deny-configuration and one allow-configuration statement in each login class.
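
The expression rules above can be checked before a login class is committed. The following is an added example, not Juniper code: a small Python lint that applies only the rules stated on this page to set commands. The class names and the SAMPLE lines are constructed, and expressions with escaped parentheses are assumed not to occur.

```python
import re

# Added example: checks only the rules stated on this page; escaped parentheses are not handled.
CLI_KEYWORDS = {"set", "edit", "activate"}  # access to these keywords cannot be defined
STMT = re.compile(r'^[ \t]*set system login class (\S+) '
                  r'((?:allow|deny)-configuration) "(.*)"[ \t]*$', re.MULTILINE)

def split_alternatives(expr):
    """Split on '|' characters that sit outside any parentheses."""
    parts, depth = [""], 0
    for ch in expr:
        depth += (ch == "(") - (ch == ")")
        if ch == "|" and depth == 0:
            parts.append("")
        else:
            parts[-1] += ch
    return parts

def is_wrapped(part):
    """True if one pair of parentheses encloses the whole alternative."""
    depth = 0
    for i, ch in enumerate(part):
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            return part.startswith("(") and i == len(part) - 1
    return False

def lint_expression(expr):
    """Return the rules from this page that one quoted expression breaks."""
    parts, problems = split_alternatives(expr), []
    if len(parts) > 1 and any(p != p.strip() for p in parts):
        problems.append("space next to '|'")
    for p in (p.strip() for p in parts):
        if len(parts) > 1 and not is_wrapped(p):
            problems.append("alternative not in parentheses: " + p)
        first = p.lstrip("(").split()[:1]
        if first and first[0] in CLI_KEYWORDS:
            problems.append("starts with keyword: " + first[0])
    return problems

def lint_config(text):
    """Map (class name, statement) to the problems found in its expression."""
    hits = ((m[1], m[2], lint_expression(m[3])) for m in STMT.finditer(text))
    return {(cls, stmt): probs for cls, stmt, probs in hits if probs}

# Constructed sample input: three flawed statements and one well-formed one.
SAMPLE = '''
set system login class noc deny-configuration "(system login class) | (system services)"
set system login class noc-fixed deny-configuration "(system login class)|(system services)"
set system login class ops allow-configuration "interfaces .* description|(protocols bgp)"
set system login class tmp deny-configuration "set system services"
'''
```

Calling lint_config(SAMPLE) returns a dictionary keyed by (class name, statement); a class that passes every check does not appear in it.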