Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Administrative Roles

Junos OS enables you to define a system user to act as a specific kind of administrator for the system. You can assign an administrative role to a user by configuring a login class to have the administrative role attributes. You can assign one of the role attributes such as audit-officer crypto-officer, security-officer, ids-officer to an administrative user.

How to Design Administrative Roles

A system user can be a member of a class that allows the user to act as a specific kind of administrator for the system. Requiring a specific role to view or modify an item restricts the extent of information a user can obtain from the system. It also limits how much of the system is open to modification or observation by a user. You (the system administrator) should use the following guidelines when you are designing administrative roles:

  • Do not allow any user to log in to the system as root.

  • Restrict each user to the smallest set of privileges needed to perform the user’s duties.

  • Do not allow any user to belong to a login class containing the shell permission flag. The shell permission flag allows users to run the start shell command from the CLI.

  • Allow users to have rollback permissions. Rollback permissions allow users to undo an action performed by an administrator but does not allow them to commit the changes.

You can assign an administrative role to a user by configuring a login class to have the privileges required for the role. You can configure each class to allow or deny access to configuration statements and commands by name. These restrictions override and take precedence over any permission flags also configured in the class. You can assign one of the following role attributes to an administrative user:

  • Crypto-administrator—Allows the user to configure and monitor cryptographic data.

  • Security-administrator—Allows the user to configure and monitor security data.

  • Audit-administrator—Allows the user to configure and monitor audit data.

  • IDS-administrator—Allows the user to monitor and clear the intrusion detection service (IDS) security logs.

Each role can perform the following specific management functions:

  • Cryptographic Administrator

    • Configures the cryptographic self-test.

    • Modifies the cryptographic security data parameters.

  • Audit Administrator

    • Configures and deletes the audit review search-and-sort feature.

    • Searches and sorts audit records.

    • Configures search and sort parameters.

    • Manually deletes audit logs.

  • Security Administrator

    • Invokes, determines, and modifies the cryptographic self-test behavior.

    • Enables, disables, determines, and modifies the audit analysis and audit selection functions, and configures the device to automatically delete audit logs.

    • Enables or disables security alarms.

    • Specifies limits for quotas on Transport Layer connections.

    • Specifies the limits, network identifiers, and time periods for quotas on controlled connection-oriented resources.

    • Specifies the network addresses permitted to use Internet Control Message Protocol (ICMP) or Address Resolution Protocol (ARP).

    • Configures the time and date used in time stamps.

    • Queries, modifies, deletes, and creates the information flow or access control rules and attributes for the unauthenticated information flow security function policy (SFP), the authenticated information flow security function policy, the unauthenticated device services, and the discretionary access control policy.

    • Specifies initial values that override default values when object information is created under unauthenticated information flow SFP, the authenticated information flow SFP, the unauthenticated target of evaluation (TOE) services, and the discretionary access control policy.

    • Creates, deletes, or modifies the rules that control the address from which management sessions can be established.

    • Specifies and revokes security attributes associated with the users, subjects, and objects.

    • Specifies the percentage of audit storage capacity at which the device alerts administrators.

    • Handles authentication failures and modifies the number of failed authentication attempts through SSH or from the CLI that can occur before progressive throttling is enforced for further authentication attempts and before the connection is dropped.

    • Manages basic network configuration of the device.

  • IDS Administrator—Specifies IDS security alarms, intrusion alarms, audit selections, and audit data.

You must set the security-role attribute in the classes created for these administrative roles. This attribute restricts which users can show and clear the security logs, actions that cannot be performed through configuration alone.

For example, you must set the security-role attribute in the ids-admin class created for the IDS administrator role if you want to restrict clearing and showing IDS logs to the IDS administrator role. Likewise, you must set the security-role to one of the other admin values to restrict that class from being able to clear and show non-IDS logs only.


When a user deletes an existing configuration, the configuration statements under the hierarchy level of the deleted configuration (the child objects that the user does not have permission to modify) remain in the device.

Example: How to Configure Administrative Roles

This example shows how to configure individual administrative roles for a distinct, unique set of privileges apart from all other administrative roles.


No action beyond device initialization is required before configuring this feature.


This example illustrates how to configure four admin user roles:

  • audit-officer of the class audit-admin

  • crypto-officer of the class crypto-admin

  • security-officer of the class security-admin

  • ids-officer of the class ids-admin

When a security-admin class is configured, the privileges for creating administrators are revoked from the user who created the security-admin class. Creation of new users and logins is at the discretion of the security-officer.

In this example, you create the four administrative user roles shown in the preceding list (audit admin, crypto admin, security admin, and ids admin). For each role, you assign relevant permission flags for the role. You then allow or deny access to configuration statements and commands by name for each administrative role. These specific restrictions take precedence over the permission flags configured in the class. For example, only the crypto-admin can run the request system set-encryption-key command, which requires having the security permission flag to access it. Only the security-admin can include the system time-zone statement in the configuration, which requires having the system-control permission flag.



CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit in configuration mode.

Step-by-Step Procedure

To configure administrative roles:

  1. Create the audit-admin login class.

  2. Configure the audit-admin login class restrictions.

  3. Create the crypto-admin login class.

  4. Configure the crypto-admin login class restrictions.

  5. Create the security-admin login class.

  6. Configure the security-admin login class restrictions.

  7. Create the ids-admin login class.

  8. Configure the ids-admin login class restrictions.

  9. Assign users to the roles.

  10. Configure passwords for the users.


In configuration mode, confirm your configuration by entering the show system command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

After you configure the device, enter commit in configuration mode.


Confirm that the configuration is working properly.

Verify the Login Permissions


Verify the login permissions for the current user.


In operational mode, enter the show cli authorization command to verify the user's login permissions.

This output summarizes the login permissions.

How to Configure a Local Administrator Account

Superuser privileges give a user permission to use any command on the router and are generally reserved for a select few users such as system administrators. You (the system administrator) need to protect the local administrator account with a password to prevent unauthorized users from gaining access to superuser commands. These superuser commands can be used to alter the system configuration. Users with RADIUS authentication should also configure a local password. If the RADIUS server does not respond, the login process reverts to local password authentication on the local administrator account.

The following example shows how to configure a password-protected local administration account called admin with superuser privileges: