Rate and give feedback:
Feedback Received. Thank You!
Specifying Access Privileges Using allow/deny-configuration
Statements
You can specify extended regular expressions by
using the allow-configuration and deny-configuration statements to define user access privileges to parts of the configuration
hierarchy. Doing so overrides login class permission bits set for
a user. You can also use wildcards to restrict access. When you define
access privileges to parts of the configuration hierarchy, do the
following:
- Specify the full paths in the extended regular expressions
with the allow-configuration and deny-configuration statements.
- Use parentheses around an extended regular expression
that connects two or more expressions with the pipe | symbol. For
example:
[edit system login class class-name]user@host# set deny-configuration "(system login class) | (system services)"
 | Note:
Each expression separated by a pipe (|) symbol
must be a complete standalone expression, and must be enclosed in
parentheses ( ). Do not use spaces between regular expressions separated
with parentheses and connected with the pipe (|) symbol. You cannot
define access to keywords such as set, edit,
or activate. |
To explicitly allow an individual configuration
mode hierarchy that would otherwise be denied, include the allow-configuration statement at the [edit system login class class-name] hierarchy level:
To explicitly deny an individual configuration
hierarchy that would otherwise be allowed, include the deny-configuration statement at the [edit system login class class-name] hierarchy level:
You can include one deny-configuration and one allow-configuration statement in each login class.
| - Explicitly allowing configuration mode hierarchies or
regular expressions using the allow-configuration statement
adds to the regular permissions set using the permissions statement. Likewise, explicitly denying configuration mode hierarchies
or regular expressions using the deny-configuration statement
removes permissions for the specified configuration mode hierarchy,
from the default permissions provided by the permissions statement.
For example, if a login class has permissions configure and the allow-configuration statement includes the system services expression, the specified login class user
can edit the configuration at the [edit system services] hierarchy level and issue configuration mode commands (such as commit), in addition to just entering the configuration mode
using the configure command (the permissions specified
by the configure permission flag). Likewise, if a login
class has permissions all and the deny-configuration statement includes system services, the specified login
class user can perform all operations allowed by the all permissions flag, except issuing configuration mode commands (such
as commit) or modifying the configuration at the [edit system services] hierarchy level. - If you allow and deny the same set of configuration hierarchy
levels, regular expressions, or commands, the allow-configuration statement permissions take precedence over the permissions specified
by the deny-configuration statement. For example, if you
include allow-configuration "system services"; and deny-configuration "system services";, the login class user
can continue to edit the configuration or issue commands at the [edit system services] hierarchy level.
|
Published: 2012-11-15
