Example: Configuring User Permissions with Access Privileges for Operational Mode Commands

Each operational mode command has an access privilege level associated with it. Access privileges control the commands that each custom login class can execute, configure, and view. A custom login class groups users and assigns them a customized level of access to commands and configuration statements. This ensures that each group of users can use only the commands appropriate to their function, preventing unauthorized users from executing sensitive commands that could damage the network.

In this example, you create three custom login classes on the router or switch and assign access privileges for operational mode commands through the allow-commands and deny-commands settings. Each custom login class uses the same set of permission flags as the default login class operator, but the login class is allowed or denied certain operational mode commands. The first custom login class is called operator-and-boot and it has access to the request system reboot operational mode command. The second custom login class is called operator-no-set and it is denied access to any set commands. The third login class is called operator-and-install-but-no-bgp and it has access to the request system software add and show route operational mode commands, but it is denied access to the show bgp command.

[edit]
system {
    login {
        class operator-and-boot {
            permissions [ clear network reset trace view ];
            allow-commands "request system reboot";
        }
        class operator-no-set {
            permissions [ clear network reset trace view ];
            deny-commands "set";
        }
        class operator-and-install-but-no-bgp {
            permissions [ clear network reset trace view ];
            allow-commands "(request system software add)|(show route$)";
            deny-commands "show bgp";
        }
    }
}
  1. Create the operator-and-boot custom login class, give it operator level permission flags, and authorize it to use the request system reboot command.
    [edit system login]
    user@router# set class operator-and-boot permissions [ clear network reset trace view ]
    user@router# set class operator-and-boot allow-commands "request system reboot"
  2. Create the operator-no-set custom login class, give it operator level permission flags, and deny it access to the set command.
    [edit system login]
    user@router# set class operator-no-set permissions [ clear network reset trace view ]
    user@router# set class operator-no-set deny-commands "set"
  3. Create the operator-and-install-but-no-bgp custom login class, give it operator level permission flags, authorize it to use the request system software add and show route commands, and deny it access to the show bgp command.
    [edit system login]
    user@router# set class operator-and-install-but-no-bgp permissions [ clear network reset trace view ]
    user@router# set class operator-and-install-but-no-bgp allow-commands "(request system software add)|(show route$)"
    user@router# set class operator-and-install-but-no-bgp deny-commands "show bgp"
  4. Check your configuration by using the show system login command.
    user@router# show system login
    class operator-and-boot {
        permissions [ clear network reset trace view ];
        allow-commands "request system reboot";
    }
    class operator-no-set {
        permissions [ clear network reset trace view ];
        deny-commands "set";
    }
    class operator-and-install-but-no-bgp {
        permissions [ clear network reset trace view ];
        allow-commands "(request system software add)|(show route$)";
        deny-commands "show bgp";
    }
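As an added check (not part of the Juniper example or of any Junos tool), the following Python models how the three classes' allow-commands and deny-commands regular expressions classify candidate commands, so that a regex pair can be reviewed before it is committed. The start-of-line anchoring of the match and the deny-before-allow precedence are assumptions of the model, to be confirmed against the Junos release in use.

```python
import re

# Constructed from the three login classes in this example (values copied
# from the page, not read from a device).
LOGIN_CLASSES = {
    "operator-and-boot": {"allow": r"request system reboot", "deny": None},
    "operator-no-set": {"allow": None, "deny": r"set"},
    "operator-and-install-but-no-bgp": {
        "allow": r"(request system software add)|(show route$)",
        "deny": r"show bgp",
    },
}

def _matches(pattern, command):
    # Assumption: the regex is matched from the start of the command line,
    # which is why the page writes an explicit "$" but never a "^".
    return pattern is not None and re.match(pattern, command) is not None

def check_command(login_class, command):
    """Classify one command under one login class.

    Returns "deny" if deny-commands matches, "allow" if allow-commands
    matches, otherwise "permission-bits" (the class's permission flags alone
    decide). Assumption: deny-commands is evaluated before allow-commands;
    confirm that precedence against the Junos release in use.
    """
    spec = LOGIN_CLASSES[login_class]
    if _matches(spec["deny"], command):
        return "deny"
    if _matches(spec["allow"], command):
        return "allow"
    return "permission-bits"

def audit(login_class, commands):
    """Classify each command, for reviewing a class before committing it."""
    return {cmd: check_command(login_class, cmd) for cmd in commands}

if __name__ == "__main__":
    results = audit("operator-and-install-but-no-bgp", [
        "show route",                      # allow: matches (show route$)
        "show route protocol bgp",         # permission-bits: "$" excludes it
        "show bgp summary",                # deny: prefix match on "show bgp"
        "request system software add /var/tmp/junos.tgz",  # allow
    ])
    for cmd, verdict in results.items():
        print(f"{verdict:16} {cmd}")
```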

Modified: 2017-08-31