
    Configuring a Login Class (SRC CLI)

    Use the following configuration statements to configure login classes at the [edit] hierarchy level:

    system login class name {
        allow-commands allow-commands;
        allow-configuration allow-configuration;
        deny-commands deny-commands;
        deny-configuration deny-configuration;
        idle-timeout idle-timeout;
        permissions
    }

    To configure a login class:

    1. From configuration mode, access the configuration statement that configures login classes, and assign a name to the login class.
      [edit]
      user@host# edit system login class name
    2. Specify the permissions for the login class.
      [edit system login class name]
      user@host# set permissions permissions

      For example, the following statement specifies that the user-accounts class can configure and view only user accounts:

      [edit system login class user-accounts]
      user@host# set permissions [configure admin admin-control]

      The following statement specifies that the network-mgmt class can configure and view only SNMP parameters:

      [edit system login class network-mgmt]
      user@host# set permissions [configure snmp snmp-control]
    3. (Optional) Configure access to specified operational mode commands that would otherwise be denied.
      [edit system login class name]
      user@host# set allow-commands allow-commands

      For example, the following statement specifies that the network-mgmt class can install system software:

      [edit system login class network-mgmt]
      user@host# set allow-commands "request system install"
    4. (Optional) Deny access to specified operational mode commands that would otherwise be allowed.
      [edit system login class class-name]
      user@host# set deny-commands deny-commands

      For example, the following statement specifies that the remote class cannot connect to the SRC software through Telnet:

      [edit system login class remote]
      user@host# set deny-commands telnet
    5. (Optional) Configure access to specified configuration mode commands that would otherwise be denied.
      [edit system login class name]
      user@host# set allow-configuration allow-configuration

      For example, the following statement specifies that the network-mgmt class can issue configuration mode commands at the [routing-options] hierarchy level:

      [edit system login class network-mgmt]
      user@host# set allow-configuration "routing-options"
    6. (Optional) Deny access to specified configuration mode commands that would otherwise be allowed.
      [edit system login class name]
      user@host# set deny-configuration deny-configuration

      For example, the following statement specifies that the network-mgmt class does not have access to the [snmp address] hierarchy level:

      [edit system login class network-mgmt]
      user@host# set deny-configuration "snmp address"
    7. Specify the number of minutes that a session can be idle before it is automatically closed.
      [edit system login class class-name]
      user@host# set idle-timeout minutes
    8. Display the results of the configuration.
      [edit system login]
      user@host# show
      
      class network-mgmt {
        allow-commands "request system install";
        allow-configuration routing-options;
        deny-configuration "snmp address";
      }
      class remote {
        deny-configuration "system services telnet";
        permissions all;
      }
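
An added example, not part of the SRC documentation: a Python audit that parses `show` output in the layout of step 8 and lists login classes to review against least privilege. The sample text is constructed; its `permissions [ ... ]` and `idle-timeout` lines assume that `show` mirrors the `set` statements above, and the review criteria are this example's own assumptions.

```python
import re

# Constructed sample; permissions/idle-timeout lines assume `show` mirrors `set`.
SAMPLE = '''
class network-mgmt {
    allow-commands "request system install";
    allow-configuration routing-options;
    deny-configuration "snmp address";
    permissions [ configure snmp snmp-control ];
    idle-timeout 15;
}
class remote {
    deny-configuration "system services telnet";
    permissions all;
}
'''
CLASS_OPEN = re.compile(r'^\s*class\s+(\S+)\s*\{\s*$')
STATEMENT = re.compile(r'^\s*([a-z-]+)\s+(.*?);\s*$')

def parse_login_classes(text):
    """Return {class_name: {statement: value}} parsed from `show` output."""
    classes, current = {}, None
    for line in text.splitlines():
        if m := CLASS_OPEN.match(line):
            current = classes.setdefault(m.group(1), {})
        elif line.strip() == '}':
            current = None
        elif current is not None and (m := STATEMENT.match(line)):
            current[m.group(1)] = m.group(2).strip().strip('"')
    return classes

def audit(classes):
    """Return sorted (class_name, finding) pairs that merit a manual review."""
    findings = []
    for name, stmts in classes.items():
        perms = stmts.get('permissions', '').strip('[] ').split()
        if 'all' in perms:
            findings.append((name, 'permissions include "all"'))
        if 'idle-timeout' not in stmts:
            findings.append((name, 'no idle-timeout set'))
        if 'allow-commands' in stmts:  # exception to the class's permissions
            findings.append((name, 'allow-commands grants: ' + stmts['allow-commands']))
    return sorted(findings)

if __name__ == '__main__':
    for name, finding in audit(parse_login_classes(SAMPLE)):
        print(f'{name}: {finding}')
```

Run against saved `show` output from the [edit system login] level, it reports each class that holds the `all` permission, has no idle timeout, or carries an `allow-commands` exception.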
      

    Modified: 2014-06-10