Specifying Access Privileges for JUNOS Software Operational Mode Commands

You can specify extended regular expressions with the allow-commands and deny-commands statements to define a user’s access privileges to individual operational commands. Doing so takes precedence over login class permission bits set for a user. You can include one deny-commands and one allow-commands statement in each login class.

To explicitly allow an individual operational mode command that would otherwise be denied, include the allow-commands statement at the [edit system login class class-name] hierarchy level:

[edit system login class class-name]
allow-commands "regular-expression";

To explicitly deny an individual operational mode command that would otherwise be allowed, include the deny-commands statement at the [edit system login class class-name] hierarchy level:

[edit system login class class-name]
deny-commands "regular-expression";

If the regular expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks. Regular expressions are not case-sensitive.

Note: Modifiers are not supported within the regular expression string to be matched. If a modifier is used, then nothing is matched.

For example, the deny expression "set protocols" does not match anything, whereas the expression "protocols" matches protocols.

For example, the following statement explicitly allows the show interfaces command:

allow-commands "show interfaces";
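The matching rules described above, as an added illustration that is not part of the Juniper documentation: a small Python model of how a login class's allow-commands and deny-commands expressions decide whether an operational-mode command may run, using case-insensitive extended-regex matching that takes precedence over permission bits. It assumes, beyond what the page states, that the expression is anchored at the start of the command, that permission bits can be modelled as a set of permitted top-level keywords, and that a command matched by both statements is reported as a conflict for review rather than silently resolved.

```python
import re

# Added example, not Juniper's own code: a model of how a login class's
# allow-commands and deny-commands expressions decide whether an
# operational-mode command may run. Per the text above, the expressions are
# extended regular expressions, matching is case-insensitive, and an explicit
# match takes precedence over the class's permission bits. Assumptions the
# page does not make: the expression is anchored at the start of the command,
# and a command matching both statements is reported as a conflict.

def compile_expr(expression):
    # Python's re is close enough to POSIX ERE for the keyword-style
    # expressions used in login classes; IGNORECASE models the
    # case-insensitive matching described on the page.
    return re.compile(expression, re.IGNORECASE) if expression else None

def decide(command, permitted_keywords, allow_commands=None, deny_commands=None):
    """Return 'allow', 'deny' or 'conflict' for one operational-mode command.

    permitted_keywords models the permission bits as the set of top-level
    command keywords the class may run (a simplification for illustration).
    """
    allow = compile_expr(allow_commands)
    deny = compile_expr(deny_commands)
    allowed = bool(allow and allow.match(command))
    denied = bool(deny and deny.match(command))
    if allowed and denied:
        return "conflict"   # both statements claim the command; review before deploying
    if denied:
        return "deny"       # explicit deny beats permission bits
    if allowed:
        return "allow"      # explicit allow beats permission bits
    words = command.split()
    keyword = words[0].lower() if words else ""
    return "allow" if keyword in permitted_keywords else "deny"

# Constructed login class: permission bits grant only "show", an explicit
# allow opens one request command, and an explicit deny closes one show command.
OPERATOR_CLASS = dict(
    permitted_keywords={"show"},
    allow_commands="request system reboot",
    deny_commands="show configuration",
)

def audit(commands, login_class=OPERATOR_CLASS):
    """Evaluate a list of candidate commands against a login class definition."""
    return {cmd: decide(cmd, **login_class) for cmd in commands}

if __name__ == "__main__":
    sample = ["show interfaces", "SHOW CONFIGURATION",
              "request system reboot", "clear interfaces statistics"]
    for cmd, verdict in audit(sample).items():
        print(f"{verdict:8} {cmd}")
```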

Published: 2010-04-26