Defining Access Privileges Using allow/deny-configuration Statements

The following examples show how to configure access privileges for individual configuration mode hierarchy levels.

If the following statement is included in the configuration and the user’s login class permission bit is set to all, the user cannot configure telnet parameters:

[edit system login class class-name]
user@switch# set deny-configuration "system services telnet"

If the following statement is included in the configuration and the user’s login class permission bit is set to all, the user cannot issue login class commands within any login class whose name begins with “m”:

[edit system login class class-name]
user@switch# set deny-configuration "system login class m.*"

If the following statement is included in the configuration and the user’s login class permission bit is set to all, the user cannot edit a configuration or issue commands (such as commit) at the login class or system services hierarchy levels:

[edit system login class class-name]
user@switch# set deny-configuration "(system login class) | (system services)"

The following example shows how to configure permissions for individual configuration mode hierarchies:

[edit]
system {
    login {
        # This login class has operator privileges and the additional ability to edit
        # configuration at the system services hierarchy level.
        class only-system-services {
            permissions [ configure ];
            allow-configuration "system services";
        }
        # services commands.
        class all-except-system-services {
            # This login class has operator privileges but
            # cannot edit any system services configuration.
            permissions [ all ];
            deny-configuration "system services";
        }
    }
}
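For reviewing an exported configuration offline, the following added example (not part of the original documentation or any vendor tool) parses login classes in the hierarchical format above and classifies whether a class could edit a given hierarchy path. The function names, the class no-m-classes, and the sample text are constructed; matching patterns from the start of the path with Python's `re` module is an assumption that only approximates the device's regular-expression handling, and only the all permission bit and the allow/deny-configuration statements are modelled.

```python
import re
# Constructed sample in the hierarchical format shown above; not from a real device.
SAMPLE = '''
system {
    login {
        class only-system-services {
            permissions [ configure ];
            allow-configuration "system services";
        }
        class all-except-system-services {
            permissions [ all ];
            deny-configuration "system services";
        }
        class no-m-classes {   # constructed class for this example
            permissions [ all ];
            deny-configuration "system login class m.*";
        }
    }
}
'''

CLASS_RE = re.compile(r'\bclass\s+(\S+)\s*\{([^{}]*)\}')
STMT_RE = re.compile(r'(permissions|allow-configuration|deny-configuration)'
                     r'\s+(?:\[([^\]]*)\]|"([^"]*)")\s*;')

def login_classes(config):
    """Map each login class to its permission bits and allow/deny patterns."""
    # Drop '#' comments, leaving quoted strings untouched.
    text = re.sub(r'"[^"]*"|#[^\n]*',
                  lambda m: m.group(0) if m.group(0)[0] == '"' else '', config)
    classes = {}
    for name, body in CLASS_RE.findall(text):
        entry = {"permissions": [], "allow": [], "deny": []}
        for key, bits, pattern in STMT_RE.findall(body):
            if key == "permissions":
                entry["permissions"] += bits.split()
            else:
                entry[key.split("-")[0]].append(pattern)
        classes[name] = entry
    return classes

def effective_access(entry, path):
    """Classify one hierarchy path as 'allowed', 'denied' or 'ambiguous'."""
    # Assumption: patterns are matched from the start of the hierarchy path.
    denied = any(re.match(p, path) for p in entry["deny"])
    allowed = any(re.match(p, path) for p in entry["allow"])
    if denied:  # both matching is reported, since precedence is not covered here
        return "ambiguous" if allowed else "denied"
    return "allowed" if allowed or "all" in entry["permissions"] else "denied"
```

Running `effective_access` over every class for paths such as "system login class ops" shows which classes can still modify login classes, the hierarchy that controls everyone else's privileges.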

Published: 2013-01-23