Supported Platforms
Related Documentation
- EX, J, M, MX, PTX, T Series, QFabric System, QFX Series standalone switches
- Configuring Access Privilege Levels
Understanding Junos OS Access Privilege Levels
Each top-level command-line interface (CLI) command and each configuration statement have an access privilege level associated with them. Users can execute only those commands and configure and view only those statements for which they have access privileges. The access privileges for each login class are defined by one or more permission flags.
For each login class, you can explicitly deny or allow the use of operational and configuration mode commands that would otherwise be permitted or not allowed by a privilege level specified in the permissions statement.
The following sections provide additional information about permissions:
Junos OS Login Class Permission Flags
The permissions statement specifies one or more of the permission flags listed in Table 1. Permission flags are not cumulative, so for each class you must list all the permission flags needed, including view to display information and configure to enter configuration mode. Two forms of permissions control for individual parts of the configuration are:
- "Plain” form—Provides read-only capability for that permission type. An example is interface.
- Form that ends in -control—Provides read and write capability for that permission type. An example is interface-control.
Table 1 lists the Junos® operating system (Junos OS) login class permission flags that you can configure by including the permissions statement at the [edit system login class class-name] hierarchy level.
Table 1: Login Class Permission Flags
Permission Flag | Description |
---|---|
access | Can view the access configuration in configuration mode and with the show configuration operational mode command. |
access-control | Can view and configure access information at the [edit access] hierarchy level. |
admin | Can view user account information in configuration mode and with the show configuration operational mode command. |
admin-control | Can view user accounts and configure them at the [edit system login] hierarchy level. |
all-control | Can access all operational mode commands and configuration mode commands. Can modify configuration in all the configuration hierarchy levels. |
clear | Can clear (delete) information learned from the network that is stored in various network databases by using the clear commands. |
configure | Can enter configuration mode by using the configure command. |
control | Can perform all control-level operations—all operations configured with the -control permission flags. |
field | Can view field debug commands. Reserved for debugging support. |
firewall | Can view the firewall filter configuration in configuration mode. |
firewall-control | Can view and configure firewall filter information at the [edit firewall] hierarchy level. |
floppy | Can read from and write to the removable media. |
flow-tap | Can view the flow-tap configuration in configuration mode. |
flow-tap-control | Can view the flow-tap configuration in configuration mode and can configure flow-tap configuration information at the [edit services flow-tap] hierarchy level. |
flow-tap-operation | Can make flow-tap requests to the router or switch. For example, a Dynamic Tasking Control Protocol (DTCP) client must authenticate itself to the Junos OS as an administrative user. That account must have flow-tap-operation permission. Note: The flow-tap-operation option is not included in the all-control permissions flag. |
idp-profiler-operation | Can view profiler data. |
interface | Can view the interface configuration in configuration mode and with the show configuration operational mode command. |
interface-control | Can view chassis, class of service (CoS), groups, forwarding options, and interfaces configuration information. Can edit configuration at the following hierarchy levels:
|
maintenance | Can perform system maintenance, including starting a local shell on the router and becoming the superuser in the shell by using the su root command, and can halt and reboot the router by using the request system commands. |
network | Can access the network by using the ping, ssh, telnet, and traceroute commands. |
pgcp-session-mirroring | Can view the pgcp session mirroring configuration. |
pgcp-session-mirroring-control | Can modify the pgcp session mirroring configuration. |
reset | Can restart software processes by using the restart command and can configure whether software processes are enabled or disabled at the [edit system processes] hierarchy level. |
rollback | Can use the rollback command to return to a previously committed configuration other than the most recently committed one. |
routing | Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes. |
routing-control | Can view general routing, routing protocol, and routing policy configuration information and can configure general routing at the [edit routing-options] hierarchy level, routing protocols at the [edit protocols] hierarchy level, and routing policy at the [edit policy-options] hierarchy level. |
secret | Can view passwords and other authentication keys in the configuration. |
secret-control | Can view passwords and other authentication keys in the configuration and can modify them in configuration mode. |
security | Can view security configuration in configuration mode and with the show configuration operational mode command. |
security-control | Can view and configure security information at the [edit security] hierarchy level. |
shell | Can start a local shell on the router or switch by using the start shell command. |
snmp | Can view Simple Network Management Protocol (SNMP) configuration information in configuration and operational modes. |
snmp-control | Can view SNMP configuration information and can modify SNMP configuration at the [edit snmp] hierarchy level. |
system | Can view system-level information in configuration and operational modes. |
system-control | Can view system-level configuration information and configure it at the [edit system] hierarchy level. |
trace | Can view trace file settings and configure trace file properties. |
trace-control | Can modify trace file settings and configure trace file properties. |
view | Can use various commands to display current system-wide, routing table, and protocol-specific values and statistics. Cannot view the secret configuration. |
view-configuration | Can view all of the configuration excluding secrets, system scripts, and event options. Note: Only users with the maintenance permission can view commit script, op script, or event script configuration. |
Allowing or Denying Individual Commands for Junos OS Login Classes
By default, all top-level CLI commands have associated access privilege levels. Users can execute only those commands and view only those statements for which they have access privileges. For each login class, you can explicitly deny or allow the use of operational and configuration mode commands that would otherwise be permitted or not allowed by a privilege level specified in the permissions statement.
- The all login class permission bits take precedence over extended regular expressions when a user with rollback permission issues the rollback command.
- Expressions used to allow and deny commands for users on RADIUS and TACACS+ servers have been simplified. Instead of a single, long expression with multiple commands (allow-commands=cmd1 cmd2 ... cmdn), you can specify each command as a separate expression. This new syntax is valid for allow-configuration and deny-configuration, allow-commands and deny-commands, and all user permission bits.
- Users cannot issue the load override command when specifying an extended regular expression. Users can only issue the merge, replace, and patch configuration commands.
- If you allow and deny the same commands, the allow-commands permissions take precedence over the permissions specified by the deny-commands. For example, if you include allow-commands "request system software add" and deny-commands "request system software add", the login class user is allowed to install software using the request system software add command.
- Regular expressions for allow-commands and deny-commands can also include the commit, load, rollback, save, status, and update commands.
- If you specify a regular expression for allow-commands and deny-commands with two different variants of a command,
the longest match is always executed.
For example, if you specify a regular expression for allow-commands with the commit-synchronize command and a regular expression for deny-commands with the commit command, users assigned to such a login class would be able to issue the commit synchronize command, but not the commit command. This is because commit-synchronize is the longest match between commit and commit-synchronize and it is specified for allow-commands.
Likewise, if you specify a regular expression for allow-commands with the commit command and a regular expression for deny-commands with the commit-synchronize command, users assigned to such a login class would be able to issue the commit command, but not the commit-synchronize command. This is because commit-synchronize is the longest match between commit and commit-synchronize and it is specified for deny-commands.
Related Documentation
- EX, J, M, MX, PTX, T Series, QFabric System, QFX Series standalone switches
- Configuring Access Privilege Levels
Published: 2014-07-23
Supported Platforms
Related Documentation
- EX, J, M, MX, PTX, T Series, QFabric System, QFX Series standalone switches
- Configuring Access Privilege Levels