Specifying Access Privileges for Junos OS Operational Mode Commands

You can specify extended regular expressions with the allow-commands and deny-commands statements to define a user’s access privileges to individual operational commands. Doing so takes precedence over login class permission bits set for a user. You can include one deny-commands and one allow-commands statement in each login class.

To explicitly allow an individual operational mode command that would otherwise be denied, include the allow-commands statement at the [edit system login class class-name] hierarchy level:

[edit system login class class-name]
allow-commands "regular-expression";

To explicitly deny an individual operational mode command that would otherwise be allowed, include the deny-commands statement at the [edit system login class class-name] hierarchy level:

[edit system login class class-name]
deny-commands "regular-expression";

If the regular expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks. Regular expressions are not case-sensitive. For example, an expression that contains a space must be quoted:

allow-commands "show interfaces";

Note: Modifiers are not supported within the regular expression string to be matched. If a modifier is used, nothing is matched. For example, a deny-commands expression of set protocols does not match anything, whereas protocols matches protocols.

  • Explicitly allowing operational mode commands using the allow-commands statement adds to the regular permissions set using the permissions statement. Likewise, explicitly denying operational mode commands using the deny-commands statement removes permissions for the specified commands from the default permissions provided by the permissions statement.

    For example, if a login class has permissions view and the allow-commands statement includes the request system software add command, the specified login class user can install software, in addition to the permissions specified by the view permission flag. Likewise, if a login class has permissions all and the deny-commands statement includes the request system software add command, the specified login class user can perform all operations allowed by the all permissions flag, except installing software by issuing the request system software add command.

  • If you allow and deny the same commands, the allow-commands statement takes precedence over the deny-commands statement. For example, if you include allow-commands "request system software add" and deny-commands "request system software add", the login class user is allowed to install software using the request system software add command.
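The following login class configuration is a constructed example added here, not taken from the Juniper documentation; the class name sw-operator, the user name ops1, and the chosen expressions are assumptions. It combines the rules above in one class: the view permission bits provide the baseline, allow-commands adds a command that view alone would deny, and deny-commands removes commands that view would otherwise permit. All expressions contain spaces or operators and are therefore quoted.

```junos
system {
    login {
        class sw-operator {
            /* Baseline: read-only operational access from the permission bits. */
            permissions [ view ];
            /* Added on top of "view": this user may install software. */
            allow-commands "request system software add";
            /* Removed from "view": these show commands are denied for this class.
               The alternation operator is a regular expression, so quotes are required. */
            deny-commands "show (log|configuration)";
        }
        user ops1 {
            uid 2001;
            class sw-operator;
            /* Placeholder hash; replace with the real encrypted password. */
            authentication {
                encrypted-password "<ENCRYPTED-PASSWORD-PLACEHOLDER>";
            }
        }
    }
}
```

With this class, ops1 can run request system software add and the remaining show commands that view permits, but show log and show configuration are rejected; if the same expression were listed under both allow-commands and deny-commands, the allow-commands entry would win.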
