Access to Individual Commands and Configuration Statements (SRC CLI)
By default, all top-level CLI commands have associated access privilege levels. Users can execute only those commands and view only those statements for which they have access privileges. For each login class, you can deny or allow the use of specified operational and configuration mode commands that would otherwise be permitted or not allowed by a specified privilege level.
Regular Expressions for Allow and Deny Statements
You can use extended regular expressions to specify which commands to allow or deny. By using extended regular expressions, you can list a number of commands in each statement.
You specify these regular expressions in the following statements at the [edit system login class] hierarchy level:
Command regular expressions implement the extended (modern) regular expressions as defined in POSIX 1003.2. Table 19 lists common regular expression operators.
Table 19: Common Regular Expression Operators to Allow or Deny Operational Mode and Configuration Mode Commands
|Operation Mode and Configuration Mode|
One of the two terms on either side of the pipe.
Character at the beginning of an expression. Used to denote where the command begins, where there might be some ambiguity.
Character at the end of a command. Used to denote a command that must be matched exactly up to that point. For example, allow-commands "show interfaces$" means that the user can issue the show interfaces command but cannot issue show interfaces detail or show interfaces extensive.
Range of letters or digits. To separate the start and end of a range, use a hyphen ( - ).
A group of commands, indicating an expression to be evaluated; the result is then evaluated as part of the overall expression.
|Configuration Mode Only|
0 or more terms.
One or more terms.
Any character except for a space.
Guidelines for Using Regular Expressions
Keep in mind the following considerations when using regular expressions to specify which statements or commands to allow or deny:
Regular expressions are not case-sensitive.
If a regular expression contains a syntax error, authentication fails and the user cannot log in.
If a regular expression does not contain any operators, all varieties of the command are allowed.
Follow these guidelines when using regular expressions:
Enclose the following in quotation marks:
A command name or regular expression that contains:
An extended regular expression that connects two or more terms with the pipe (|) symbol. For example:[edit system login class class-name ]user@host# set deny-configuration "(system login class) | (system services)"
Do not use spaces between regular expressions separated with parentheses and connected with the pipe (|) symbol.
Specify the full paths in the extended regular expressions with the allow-configuration and deny-configuration options.
You cannot define access to keywords such as set or edit.
Timeout Value for Idle Login Sessions
An idle login session is one in which the CLI operational mode prompt is displayed but there is no input from the keyboard. By default, a login session remains established until a user logs out of the system, even if that session is idle. To close idle sessions automatically, you configure a time limit for each login class. If a session established by a user in that class remains idle for the configured time limit, the session automatically closes.
For users who belong to a login class for which an idle timeout is configured, the CLI displays messages similar to the following when an idle user session times out.
If you configure a timeout value, the session closes after the specified time has elapsed, except if the user is running commands such as ssh, start shell, or telnet.
The C-Web interface session closes after the specified time has elapsed with no message, and returns to the login window.