
Specifying Access Privileges for JUNOS Software Configuration Mode Commands

You can specify extended regular expressions with the allow-configuration and deny-configuration attributes to define user access privileges to parts of the configuration hierarchy or individual configuration mode commands. Doing so overrides login class permission bits set for a user. You can also use wildcards to restrict access. When you define access privileges to parts of the configuration hierarchy or individual configuration mode commands, do the following:

  • Specify the full paths in the extended regular expressions with the allow-configuration and deny-configuration attributes.
  • Use parentheses to enclose an extended regular expression that connects two or more expressions with the pipe (|) symbol. For example:
    [edit system login class class-name]
    user@host# set deny-configuration "(system login class)|(system services)"

    Note: Each expression separated by a pipe (|) symbol must be a complete standalone expression, and must be enclosed in parentheses ( ). Do not use spaces between regular expressions separated with parentheses and connected with the pipe (|) symbol. You cannot define access to keywords such as set, edit, or activate.
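The rules in the list and note above can be checked mechanically before a login class is committed. The following Python script is an added example, not Juniper code: the function names are hypothetical, it checks only the syntax rules stated here (it does not reproduce how JUNOS matches expressions), and reading the keyword rule as "an expression must not start with set, edit, or activate" is an assumption.

```python
KEYWORDS = ("set", "edit", "activate")  # keywords the page names as not controllable

def walk(expr):
    """Yield (index, char, depth after char), skipping backslash-escaped chars."""
    depth, i = 0, 0
    while i < len(expr):
        if expr[i] != "\\":
            depth += (expr[i] == "(") - (expr[i] == ")")
            yield i, expr[i], depth
        i += 2 if expr[i] == "\\" else 1

def split_top_level(expr):
    """Split on '|' outside parentheses; second value is False if unbalanced."""
    parts, start, depth, ok = [], 0, 0, True
    for i, ch, depth in walk(expr):
        ok = ok and depth >= 0
        if ch == "|" and depth == 0:
            parts.append(expr[start:i])
            start = i + 1
    return parts + [expr[start:]], ok and depth == 0

def wrapped(p):
    """True if a single matched pair of parentheses encloses all of p."""
    for i, ch, depth in walk(p):
        if depth == 0:
            return i == len(p) - 1 and p.startswith("(")
    return False

def lint(expr):
    """Return the rule violations found in one attribute value."""
    parts, ok = split_top_level(expr)
    if not ok:
        return ["unbalanced parentheses"]
    problems = []
    for part in parts:
        p = part.strip()
        if len(parts) > 1 and p != part:
            problems.append(f"space next to '|' around {p!r}")
        if len(parts) > 1 and not wrapped(p):
            problems.append(f"alternative {p!r} is not in parentheses")
        words = (p[1:-1] if wrapped(p) else p).split()
        if words and words[0] in KEYWORDS:  # assumed reading of the keyword rule
            problems.append(f"{p!r} starts with CLI keyword {words[0]!r}")
    return problems

if __name__ == "__main__":
    # Constructed inputs: the page's example with and without spaces around '|'.
    for s in ("(system login class)|(system services)",
              "(system login class) | (system services)"):
        print(repr(s), lint(s) or "ok")
```

A pipe nested inside parentheses is not treated as a top-level alternative, so only expressions joined at the outermost level are required to be parenthesized.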

To explicitly allow an individual configuration mode command that would otherwise be denied, include the allow-configuration statement at the [edit system login class class-name] hierarchy level:

[edit system login class class-name]
allow-configuration "regular-expression";

To explicitly deny an individual configuration mode command that would otherwise be allowed, include the deny-configuration statement at the [edit system login class class-name] hierarchy level:

[edit system login class class-name]
deny-configuration "regular-expression";

You can include one deny-configuration and one allow-configuration statement in each login class.


Published: 2010-04-26
