Login Classes Overview
Junos OS Evolved login classes define the access privileges, permissions for using CLI commands and statements, and session idle time for the users assigned to that class. You (the system administrator) can apply a login class to an individual user account, thereby assigning certain privileges and permissions to the user.
Login Classes Overview
All users who can log in to a device running Junos OS Evolved must be in a login class. Each login class defines the following:
-
Access privileges that users have when they log in to the network device
-
Commands that users can and cannot execute
-
Configuration statements that users can and cannot view or modify
-
Amount of time a login session can be idle before the system disconnects the user
You can define any number of login classes. However, you only assign one login class to an individual user account.
Junos OS Evolved includes predefined login classes, which are listed in Table 1. You cannot modify the predefined login classes.
Login Class |
Permission Flag Set |
---|---|
|
clear, network, reset, trace, and view |
|
view |
|
all |
|
None |
SFTP and SCP server functionality is disabled when using
the operator
or read-only
predefined login classes.
Starting in Junos OS Evolved Release 23.4R2, the
superuser
login class cannot write to the
/var/log/ directory. Only the root
user can
write into /var/log/.
Permission Bits
Each top-level CLI command and each configuration statement has an access privilege level associated with it. Users can execute only those commands and configure and view only those statements for which they have access privileges. Each login class defines one or more permission bits that determine the access privileges.
Two forms for the permissions control whether a user can view or modify the individual parts of the configuration:
-
"Plain" form—Provides read-only capability for that permission type. An example is
interface
. -
-control
form—Provides read and write capability for that permission type. An example isinterface-control
.
Table 2 outlines the permission flags and associated access privileges.
Permission Flag |
Description |
---|---|
|
Can view the access configuration in operational mode or configuration mode. |
|
Can view and configure access information at the |
|
Can view user account information in operational mode or configuration mode. |
|
Can view user account information and configure it at the
|
|
Can access all operational mode commands and configuration mode commands. Can modify the configuration in all the configuration hierarchy levels. |
|
Can clear (delete) information that the device learns from the
network and stores in various network databases (using the
|
|
Can enter configuration mode (using the
|
|
Can perform all control-level operations—all operations
configured with the |
|
Can view field debug commands. Reserved for debugging support. |
|
Can view the firewall filter configuration in operational mode or configuration mode. |
|
Can view and configure firewall filter information at the
|
|
Can read from and write to the removable media. |
|
Can view the flow-tap configuration in operational mode or configuration mode. |
|
Can view and configure flow-tap information at the |
|
Can make flow-tap requests to the router or switch. For example,
a Dynamic Tasking Control Protocol (DTCP) client must have
Note:
The |
|
Can view profiler data. |
|
Can view the interface configuration in operational mode and configuration mode. |
|
Can view chassis, class of service (CoS), groups, forwarding options, and interfaces configuration information. Can modify the configuration at the following hierarchy levels:
|
|
Can perform system maintenance, including starting a local shell
on the device and becoming the superuser in the shell (using the
|
|
Can access the network by using the |
|
Can view the |
|
Can modify the |
|
Can restart software processes by using the
|
|
Can use the |
|
Can view general routing, routing protocol, and routing policy configuration information in configuration mode and operational mode. |
|
Can view and configure general routing at the |
|
Can view passwords and other authentication keys in the configuration. |
|
Can view and modify passwords and other authentication keys in the configuration. |
|
Can view security configuration information in operational mode and configuration mode. |
|
Can view and configure security information at the |
|
Can start a local shell on the router or
switch by using the |
|
Can view Simple Network Management Protocol (SNMP) configuration information in operational mode or configuration mode. |
|
Can view and modify SNMP configuration information at the
|
|
Can view Fiber Channel storage configuration information at the
|
|
Can modify Fiber Channel storage configuration information at the
|
|
Can view system-level information in operational mode or configuration mode. |
|
Can view and modify system-level configuration information at the
|
|
Can view trace file settings and configure trace file properties. |
|
Can modify trace file settings and configure trace file properties. |
|
Can view unified edge configuration at the |
|
Can modify unified edge related configuration at the
|
|
Can use various commands to display current system-wide, routing table, and protocol-specific values and statistics. Cannot view the secret configuration. |
|
Can view all of the configuration excluding secrets, system scripts, and event options. Note:
Only users with the |
Deny or Allow Individual Commands and Statement Hierarchies
By default, all top-level CLI commands and statements have associated access privilege levels. Users can execute only those commands and view and configure only those statements for which they have access privileges. For each login class, you can explicitly deny or allow users the use of operational mode commands and configuration mode commands and configuration statement hierarchies that are otherwise allowed or denied by a permission bit.
Example: Create Login Classes with Specific Privileges
You define login classes to assign certain permissions or restrictions to groups of users, ensuring that sensitive commands are only accessible to the appropriate users. By default, Juniper Networks devices have four types of login classes with preset permissions: operator, read-only, superuser or super-user, and unauthorized.
You can create custom login classes to define different combinations of permissions that are not found in the default login classes. The following example shows three custom login classes, each with specific privileges and inactivity timers. Inactivity timers help protect network security by disconnecting a user from the network if the user is inactive for too long. Disconnecting the user prevents potential security risks that result when a user leaves an unattended account logged in to a switch or router. The permissions and inactivity timers shown here are only examples; you should customize the values to your organization.
The three login classes and their privileges are as follows. All three login classes use the same inactivity timer of 5 minutes.
observation
—Can only view statistics and the configurationoperation
—Can view and modify the configurationengineering
—Unlimited access and control
[edit] system { login { class observation { idle-timeout 5; permissions [ view ]; } class operation { idle-timeout 5; permissions [ admin clear configure interface interface-control network reset routing routing-control snmp snmp-control trace-control firewall-control rollback ]; } class engineering { idle-timeout 5; permissions all; } } }
Understanding Exact Match Access Privileges for Login Classes
Exact match access privileges let you explicitly allow or deny exact configuration strings to
define access control rules for login classes. Starting in Junos OS and Junos OS Evolved
Release 23.4R1, you can use the allow-configuration-exact-match
and
deny-configuration-exact-match
configuration statements to control exact
match access privileges.
Benefits
-
Restrict deletion of upper level configuration hierarchies while permitting deletion of specific sub-hierarchies. This supports more targeted command authorization.
-
Ensure
set
commands remain permitted on a hierarchy even if deletion is denied. This separation of authorization forset
anddelete
enables more flexible access controls. -
Allow or deny precise configuration command strings, in addition to regular expressions. This supports configuring highly specific access rules when needed.
-
Leverage advanced authorization rules from external TACACS+ servers, in addition to local rules. This facilitates centralized policy management.
You can configure exact match access privileges with the
allow-configuration-exact-match
and
deny-configuration-exact-match
configuration statements at the
[edit system login class name]
hierarchy level. Use
hierarchy strings starting with one of the following operators:
set
delete
active
deactivate
Wildcard characters are also supported. For example, the
deny-configuration-exact-match delete interfaces*
statement uses the *
wildcard character to specify all interfaces.
If delete
or deactivate
is denied for a given
configuration hierarchy, then set
or activate
commands can
still be allowed by using allow-configuration-exact-match
. If you configure
both allow-configuration-exact-match
and
deny-configuration-exact-match
with the same operator and configuration,
then configuration access will be denied.
The new exact match rules can be configured locally or on external TACACS+ servers.