Login Classes Overview

Junos OS login classes define the access privileges, permissions for using CLI commands and statements, and session idle time for the users assigned to that class. You (the system administrator) can apply a login class to an individual user account, thereby assigning certain privileges and permissions to the user.

Login Classes Overview

All users who can log in to a device running Junos OS must be in a login class. Each login class defines the following:

Access privileges that users have when they log in to the network device
Commands that users can and cannot execute
Configuration statements that users can and cannot view or modify
Amount of time a login session can be idle before the system disconnects the user

You can define any number of login classes. However, you only assign one login class to an individual user account.

Junos OS includes predefined login classes, which are listed in Table 1. You cannot modify the predefined login classes.

Table 1: Predefined System Login Classes
Login Class	Permission Flag Set
`operator`	clear, network, reset, trace, and view
`read-only`	view
`superuser` or `super-user`	all
`unauthorized`	None

Note:

You cannot modify a predefined login class name. If you issue the set command on a predefined class name, the device appends -local to the login class name and issues the following warning:
You cannot issue the rename or the copy command on a predefined login class. Doing so results in the following error message:

Permission Bits
Deny or Allow Individual Commands and Statement Hierarchies

Permission Bits

Each top-level CLI command and each configuration statement has an access privilege level associated with it. Users can execute only those commands and configure and view only those statements for which they have access privileges. Each login class defines one or more permission bits that determine the access privileges.

Two forms for the permissions control whether a user can view or modify the individual parts of the configuration:

"Plain" form—Provides read-only capability for that permission type. An example is interface.
-control form—Provides read and write capability for that permission type. An example is interface-control.

Table 2 outlines the permission flags and associated access privileges.

Table 2: Login Class Permission Flags
Permission Flag	Description
`access`	Can view the access configuration in operational mode or configuration mode.
`access-control`	Can view and configure access information at the `[edit access]` hierarchy level.
`admin`	Can view user account information in operational mode or configuration mode.
`admin-control`	Can view user account information and configure it at the `[edit system]` hierarchy level.
`all`	Can access all operational mode commands and configuration mode commands. Can modify the configuration in all the configuration hierarchy levels.
`clear`	Can clear (delete) information that the device learns from the network and stores in various network databases (using the `clear` commands).
`configure`	Can enter configuration mode (using the `configure` command) and commit configurations (using the `commit` command).
`control`	Can perform all control-level operations—all operations configured with the `-control` permission flags.
`field`	Can view field debug commands. Reserved for debugging support.
`firewall`	Can view the firewall filter configuration in operational mode or configuration mode.
`firewall-control`	Can view and configure firewall filter information at the `[edit firewall]` hierarchy level.
`floppy`	Can read from and write to the removable media.
`flow-tap`	Can view the flow-tap configuration in operational mode or configuration mode.
`flow-tap-control`	Can view and configure flow-tap information at the `[edit services flow-tap]` hierarchy level.
`flow-tap-operation`	Can make flow-tap requests to the router or switch. For example, a Dynamic Tasking Control Protocol (DTCP) client must have `flow-tap-operation` permission to authenticate itself to Junos OS as an administrative user. Note: The `flow-tap-operation` option is not included in the `all-control` permissions flag.
`idp-profiler-operation`	Can view profiler data.
`interface`	Can view the interface configuration in operational mode and configuration mode.
`interface-control`	Can view chassis, class of service (CoS), groups, forwarding options, and interfaces configuration information. Can modify the configuration at the following hierarchy levels: `[edit chassis]` `[edit class-of-service]` `[edit groups]` `[edit forwarding-options]` `[edit interfaces]`
`maintenance`	Can perform system maintenance, including starting a local shell on the device and becoming the superuser in the shell (using the `su root` command) and halting and rebooting the device (using the `request system` commands).
`network`	Can access the network by using the `ping`, `ssh`, `telnet`, and `traceroute` commands.
`pgcp-session-mirroring`	Can view the `pgcp` session mirroring configuration.
`pgcp-session-mirroring-control`	Can modify the `pgcp` session mirroring configuration.
`reset`	Can restart software processes by using the `restart` command.
`rollback`	Can use the `rollback` command to return to a previously committed configuration.
`routing`	Can view general routing, routing protocol, and routing policy configuration information in configuration mode and operational mode.
`routing-control`	Can view and configure general routing at the `[edit routing-options]` hierarchy level, routing protocols at the `[edit protocols]` hierarchy level, and routing policy information at the `[edit policy-options]` hierarchy level.
`secret`	Can view passwords and other authentication keys in the configuration.
`secret-control`	Can view and modify passwords and other authentication keys in the configuration.
`security`	Can view security configuration information in operational mode and configuration mode.
`security-control`	Can view and configure security information at the `[edit security]` hierarchy level.
`shell`	Can start a local shell on the router or switch by using the `start shell` command.
`snmp`	Can view Simple Network Management Protocol (SNMP) configuration information in operational mode or configuration mode.
`snmp-control`	Can view and modify SNMP configuration information at the `[edit snmp]` hierarchy level.
`system`	Can view system-level information in operational mode or configuration mode.
`system-control`	Can view and modify system-level configuration information at the `[edit system]` hierarchy level.
`trace`	Can view trace file settings and configure trace file properties.
`trace-control`	Can modify trace file settings and configure trace file properties.
`view`	Can use various commands to display current system-wide, routing table, and protocol-specific values and statistics. Cannot view the secret configuration.
`view-configuration`	Can view all of the configuration excluding secrets, system scripts, and event options. Note: Only users with the `maintenance` permission can view commit script, op script, or event script configuration.

Deny or Allow Individual Commands and Statement Hierarchies

By default, all top-level CLI commands and statements have associated access privilege levels. Users can execute only those commands and view and configure only those statements for which they have access privileges. For each login class, you can explicitly deny or allow users the use of operational mode commands and configuration mode commands and configuration statement hierarchies that are otherwise allowed or denied by a permission bit.

Example: Create Login Classes with Specific Privileges

You define login classes to assign certain permissions or restrictions to groups of users, ensuring that sensitive commands are only accessible to the appropriate users. By default, Juniper Networks devices have four types of login classes with preset permissions: operator, read-only, superuser or super-user, and unauthorized.

You can create custom login classes to define different combinations of permissions that are not found in the default login classes. The following example shows three custom login classes, each with specific privileges and inactivity timers. Inactivity timers help protect network security by disconnecting a user from the network if the user is inactive for too long. Disconnecting the user prevents potential security risks that result when a user leaves an unattended account logged in to a switch or router. The permissions and inactivity timers shown here are only examples; you should customize the values to your organization.

The three login classes and their privileges are as follows. All three login classes use the same inactivity timer of 5 minutes.

observation—Can only view statistics and the configuration
operation—Can view and modify the configuration
engineering—Unlimited access and control

ON THIS PAGE

Login Classes Overview