
User Access on Logical Systems

Example: Configuring Logical System Administrators

This example shows how to configure logical system administrators.


You must be the primary administrator to assign system administrators to logical systems.


The primary administrator can assign one or more system administrators to each logical system. Logical system administrators are confined to the context of the logical system to which they are assigned. This means that logical system administrators cannot access any global configuration statements. This also means that command output is restricted to the context to which the logical system administrators are assigned.

Configuring a user account for each logical system helps in navigating the CLI. This enables you to log in to each logical system and be positioned within the root of that logical system as if you were in the root of a physical router.

In this example, LS1Admin has full permissions on Logical System LS1.

In this example, LS2Admin has the ability to view Logical System LS2 but not to change the configuration.


Figure 1 shows how logical system administration works.

Figure 1: Logical System Administrators


CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.


Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To assign logical system administrators to logical systems:

  1. Configure the logical systems.

  2. Create the login classes and assign logical systems to the classes.

  3. Assign permissions to the login classes.

  4. Assign users to the login classes.

  5. If you are done configuring the device, commit the configuration.
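The five steps above, written out as Junos set commands entered at the [edit] hierarchy level. This is an added example, not the commands from the original page: LS1, LS2, LS1Admin, and LS2Admin come from this example, while the login class names admin1 and admin2 are assumed for illustration.

```junos
# Step 1: configure the logical systems.
set logical-systems LS1
set logical-systems LS2

# Step 2: create the login classes and confine each one to a logical system.
# The class names admin1 and admin2 are assumed names, not from the page.
set system login class admin1 logical-system LS1
set system login class admin2 logical-system LS2

# Step 3: assign permissions. LS1Admin gets full permissions on LS1;
# LS2Admin can view LS2 but cannot change its configuration.
set system login class admin1 permissions all
set system login class admin2 permissions view

# Step 4: assign users to the login classes.
set system login user LS1Admin class admin1
set system login user LS2Admin class admin2

# Each of these prompts interactively for the new password.
set system login user LS1Admin authentication plain-text-password
set system login user LS2Admin authentication plain-text-password

# Step 5: commit the configuration.
commit
```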


To verify that the configuration is working properly, issue the show cli authorization command to view permissions for the current user.