Junos OS Access Privilege Levels Overview
Each top-level command-line interface (CLI) command and each configuration statement has an access privilege level associated with it. Users can execute only those commands and configure and view only those statements for which they have access privileges. The access privileges for each login class are defined by one or more permission flags.
For each login class, you can explicitly deny or allow the use of operational and configuration mode commands that would otherwise be permitted or not allowed by a privilege level specified in the permissions statement.
The following sections provide additional information:
Junos OS Login Class Permission Flags
The permissions statement specifies one or more of the permission flags listed in Table 1. Permission flags are not cumulative, so for each class you must list all the permission flags needed, including view to display information and configure to enter configuration mode. Two forms for the permissions control the individual parts of the configuration:
- “Plain” form—Provides read-only capability for that permission type. An example is interface.
- Form that ends in -control—Provides read and write capability for that permission type. An example is interface-control.
Table 1 lists the Junos OS login class permission flags that you can configure by including the permissions statement at the [edit system login class class-name] hierarchy level:
Table 1: Login Class Permission Flags
Permission Flag | Description |
|---|---|
access | Can view the access configuration in configuration mode using the show configuration operational mode command. |
access-control | Can view and configure access information at the [edit access] hierarchy level. |
admin | Can view user account information in configuration mode and with the show configuration command. |
admin-control | Can view user accounts and configure them at the [edit system login] hierarchy level. |
all | Has all permissions. |
clear | Can clear (delete) information learned from the network that is stored in various network databases using the clear commands. |
configure | Can enter configuration mode using the configure command. |
control | Can perform all control-level operations—all operations configured with the -control permission flags. |
field | Reserved for field (debugging) support. |
firewall | Can view the firewall filter configuration in configuration mode. |
firewall-control | Can view and configure firewall filter information at the [edit firewall] hierarchy level. |
floppy | Can read from and write to the removable media. |
flow-tap | Can view the flow-tap configuration in configuration mode. |
flow-tap control | Can view the flow-tap configuration in configuration mode and can configure flow-tap configuration information at the [edit services flow-tap] hierarchy level. |
flow-tap-operation | Can make flow-tap requests to the router. For example, a Dynamic Tasking Control Protocol (DTCP) client must authenticate itself to Junos as an administrative user. That account must have flow-tap-operation permission. Note: flow-tap operation is not included in the all permission. |
interface | Can view the interface configuration in configuration mode and with the show configuration operational mode command. |
interface-control | Can view chassis, class of service (CoS), groups, forwarding options, and interfaces configuration information. Can edit configuration at the following hierarchy levels:
|
maintenance | Can perform system maintenance, including starting a local shell on the router and becoming the superuser in the shell using the su root command, and can halt and reboot the router using the request system commands. |
network | Can access the network by entering the ping, SSH, telnet, and traceroute commands. |
reset | Can restart software processes using the restart command and can configure whether software processes are enabled or disabled at the [edit system processes] hierarchy level. |
rollback | Can use the rollback command to return to a previously committed configuration other than the most recently committed one. |
routing | Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes. |
routing-control | Can view general routing, routing protocol, and routing policy configuration information and configure general routing at the [edit routing-options] hierarchy level, routing protocols at the [edit protocols] hierarchy level, and routing policy at the [edit policy-options] hierarchy level. |
secret | Can view passwords and other authentication keys in the configuration. |
secret-control | Can view passwords and other authentication keys in the configuration and can modify them in configuration mode. |
security | Can view security configuration in configuration mode and with the show configuration operational mode command. |
security-control | Can view and configure security information at the [edit security] hierarchy level. |
shell | Can start a local shell on the router by entering the start shell command. |
snmp | Can view Simple Network Management Protocol (SNMP) configuration information in configuration and operational modes. |
snmp-control | Can view SNMP configuration information and modify SNMP configuration at the [edit snmp] hierarchy level. |
system | Can view system-level information in configuration and operational modes. |
system-control | Can view system-level configuration information and configure it at the [edit system] hierarchy level. |
trace | Can view trace file settings in configuration and operational modes. |
trace-control | Can view trace file settings and configure trace file properties. |
view | Can use various commands to display current systemwide, routing table, and protocol-specific values and statistics. Cannot view secret configuration. |
Allowing or Denying Individual Commands for Junos OS Login Classes
By default, all top-level CLI commands have associated access privilege levels. Users can execute only those commands and view only those statements for which they have access privileges. For each login class, you can explicitly deny or allow the use of operational and configuration mode commands that would otherwise be permitted or not allowed by a privilege level specified in the permissions statement.
 |
|
