Rate and give feedback:
Feedback Received. Thank You!
Specifying Access Privileges Using allow/deny-configuration
Statements
You can specify extended regular expressions by
using the allow-configuration and deny-configuration statements to define user access privileges to parts of the configuration hierarchy.
Doing so overrides login class permission bits set for a user. You
can also use wildcards to restrict access. When you define access
privileges to parts of the configuration hierarchy, do the following:
- Specify the full paths in the extended regular expressions
with the allow-configuration and deny-configuration statements.
- Use parentheses
around an extended regular expression that connects two or more expressions
with the pipe | symbol. For example:
[edit system login class class-name]user@host# set deny-configuration "(system login class) | (system services)"
 | Note:
Each expression separated by a pipe (|) symbol
must be a complete standalone expression, and must be enclosed in
parentheses ( ). Do not use spaces between regular expressions separated
with parentheses and connected with the pipe (|) symbol. You cannot
define access to keywords such as set, edit, or activate. |
To explicitly allow an individual configuration
mode hierarchy that would otherwise be denied, include the allow-configuration statement at the [edit system login class class-name] hierarchy level:
To explicitly deny an individual configuration
hierarchy that would otherwise be allowed, include the deny-configuration statement at the [edit system login class class-name] hierarchy level:
You can include one deny-configuration and one allow-configuration statement in each login class.
| - Explicitly allowing configuration mode hierarchies or
regular expressions using the allow-configuration statement
adds to the regular permissions set using the permissions statement. Likewise, explicitly denying configuration mode hierarchies
or regular expressions using the deny-configuration statement
removes permissions for the specified configuration mode hierarchy,
from the default permissions provided by the permissions statement.
For example, if a login class has permissions configure and the allow-configuration statement includes the system services expression, the specified login class user can
edit the configuration
at the [edit system services] hierarchy level and issue configuration
mode commands (such as commit), in addition to just entering
the configuration mode using the configure command (the permissions
specified by the configure permission flag). Likewise, if
a login class has permissions all and the deny-configuration statement includes system services, the specified login
class user can perform all operations allowed by the all permissions
flag, except issuing configuration mode commands (such as commit) or modifying the configuration at the [edit system services] hierarchy level. - If you allow and deny the same set of configuration hierarchy
levels, regular expressions, or commands, the allow-configuration statement permissions take precedence over the permissions specified
by the deny-configuration statement. For example, if you
include allow-configuration "system services"; and deny-configuration "system services";, the login class user can continue to edit the configuration or issue
commands at the [edit system services] hierarchy level.
|
Published: 2012-07-03
