Access to Individual Commands and Configuration Statements (SRC CLI)

By default, all top-level CLI commands have associated access privilege levels. Users can execute only those commands and view only those statements for which they have access privileges. For each login class, you can explicitly deny or allow specified operational and configuration mode commands, overriding what the class's privilege level would otherwise permit or disallow.

Regular Expressions for Allow and Deny Statements

You can use extended regular expressions to specify which commands to allow or deny. By using extended regular expressions, you can list a number of commands in each statement.

You specify these regular expressions in the following statements at the [edit system login class] hierarchy level:

Command regular expressions implement the extended (modern) regular expressions as defined in POSIX 1003.2. Table 18 lists common regular expression operators.

Table 18: Common Regular Expression Operators to Allow or Deny Operational Mode and Configuration Mode Commands



Operational Mode and Configuration Mode

|

One of the two terms on either side of the pipe.

^

Character at the beginning of an expression. Used to denote where the command begins, where there might be some ambiguity.

$

Character at the end of a command. Used to denote a command that must be matched exactly up to that point. For example, allow-commands "show interfaces$" means that the user can issue the show interfaces command but cannot issue show interfaces detail or show interfaces extensive.

[ ]

Range of letters or digits. To separate the start and end of a range, use a hyphen ( - ).

( )

A group of commands, indicating an expression to be evaluated; the result is then evaluated as part of the overall expression.

Configuration Mode Only

*

0 or more terms.

+

One or more terms.

. (dot)

Any character except for a space.
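
The effect of the ^ and $ anchors in Table 18 can be checked before an expression goes into a login class. The following is an added example, not code from the SRC documentation: it assumes the CLI performs an unanchored search, uses Python's re module as a stand-in for POSIX extended regular expressions, and runs against a constructed command list in which only the three show interfaces forms come from this page.

```python
import re

# Constructed sample inputs. Only the three "show interfaces" forms appear
# on the page; the other entries are hypothetical commands for illustration.
SAMPLE_COMMANDS = [
    "show interfaces",
    "show interfaces detail",
    "show interfaces extensive",
    "show configuration",
    "test show interfaces",
]


def matched_commands(expression, commands=SAMPLE_COMMANDS):
    """Return the commands an allow-commands expression would match.

    Assumption: the CLI does an unanchored search, which is why the table
    describes ^ and $ as the way to pin the start and end of a command.
    Python's re stands in for POSIX extended regular expressions; the two
    agree on match/no-match for simple uses of | ^ $ [ ] ( ) * and +.
    Python's dot also matches a space, unlike the dot described in Table 18.
    """
    pattern = re.compile(expression)
    return [cmd for cmd in commands if pattern.search(cmd)]


def excess_grants(expression, intended, commands=SAMPLE_COMMANDS):
    """Return commands the expression matches beyond the intended set."""
    return [cmd for cmd in matched_commands(expression, commands)
            if cmd not in intended]


if __name__ == "__main__":
    intended = ["show interfaces"]
    for expr in ("show interfaces", "show interfaces$", "^show interfaces$"):
        extra = excess_grants(expr, intended)
        print(f"{expr!r:22} extra matches: {extra or 'none'}")
```

An expression that returns a non-empty list from excess_grants grants more than the class was meant to have and should be anchored or narrowed before it is committed.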

Guidelines for Using Regular Expressions

Keep in mind the following considerations when using regular expressions to specify which statements or commands to allow or deny:

Follow these guidelines when using regular expressions:

Timeout Value for Idle Login Sessions

An idle login session is one in which the CLI operational mode prompt is displayed but there is no input from the keyboard. By default, a login session remains established until a user logs out of the system, even if that session is idle. To close idle sessions automatically, you configure a time limit for each login class. If a session established by a user in that class remains idle for the configured time limit, the session automatically closes.

For users who belong to a login class for which an idle timeout is configured, the CLI displays messages similar to the following when an idle user session times out.

user@host# Session will be closed in 5 minutes if there is no activity.
Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session

If you configure a timeout value, the session closes after the specified time has elapsed, except if the user is running commands such as ssh, start shell, or telnet.

The C-Web interface session closes after the specified time has elapsed with no message, and returns to the login window.
