Example: Specifying Access Privileges Using allow/deny-configuration-regexps Statements
This example shows how to set up configuration access privileges using the allow-configuration-regexps and deny-configuration-regexps statements.
Requirements
This example uses the following hardware and software components:
- One Juniper Networks J Series, M Series, MX Series, or T Series device
- Junos OS Release 11.2 or later
- There must be at least one user assigned to a login class.
- There can be more than one login class, each with varying permission configurations, and more than one user on the device.
Overview
The allow-configuration-regexps and deny-configuration-regexps statements let you explicitly allow or deny users assigned to named user classes access privileges to portions of the configuration hierarchy, giving the system administrator precision control over who can change specific configurations in the system.
 | Note: The statements allow-configuration-regexps and deny-configuration-regexps perform similar functions as the statements allow-configuration and deny-configuration, except you can configure sets of strings in which the strings include spaces when using the first set of statements. You cannot use the two kinds of statements together. |
Configuration
Step-by-Step Procedure
To set up configuration access privileges:
- To explicitly allow one or more individual
configuration mode hierarchies that would otherwise be denied, include
the allow-configuration-regexps statement at the [edit system login class class-name] hierarchy
level, configured with the regular expressions to be allowed.[edit system login class class-name]user@host# set allow-configuration-regexps "regular expression 1" "regular expression 2" "regular expression 3" "regular expression 4" ...
- To explicitly deny one or more individual
configuration hierarchies that would otherwise be allowed, include
the deny-configuration-regexps statement at the [edit system login class class-name] hierarchy
level, configured with the regular expressions to be denied.[edit system login class class-name]user@host# set deny-configuration-regexps "regular expression 1" "regular-expression 2" "regular expression 3" "regular expression 4"...
- Assign the login class to one or more users.[edit system login]user@host# set user username class class-name
- Commit your changes.
Users assigned this login class have the permissions you have set for the class.
Examples
Using Allow or Deny Configurations with Regular Expressions
Purpose
This section provides examples of access privilege configurations to give you ideas for creating configurations appropriate for your system. You can use combinations of privilege statements for configuration access and for operational mode commands to give precise control over classes of access privileges.
Allow Configuration Changes
The following example login class lets the user make changes at the [edit system services] hierarchy level and issue configuration mode commands (such as commit), in addition to the permissions specified by the configure permissions flag, which allows the user to enter configuration mode using the configure command.
Deny Configuration Changes
The following example login class lets the user perform all operations allowed by the all permissions flag. However, it denies modifying the configuration at the [edit system services] hierarchy level.
If the following statement is included in the configuration and the user’s login class permission bit is set to all, the user cannot configure telnet parameters:
If the following statement is included in the configuration and the user’s login class permission bit is set to all, the user cannot issue login class commands within any login class whose name begins with “m”:
If the following statement is included in the configuration and the user’s login class permission bit is set to all, the user cannot edit the configuration or issue commands (such as commit) at the [edit system login class] or the [edit system services] hierarchy levels:
Allow and Deny Configuration Changes
The following example login class lets the user perform all operations allowed by the all permissions flag, and explicitly grants configuration access to [system "interfaces .* unit .* family inet address .*" protocols]. However, the user is denied configuration access to the SNMP hierarchy level.
| Note: You can use the * wildcard character when denoting regular expressions. However, it must be used as a portion of a regular expression. You cannot use [ * ] or [ .* ] alone. |
Allow and Deny Multiple Configuration Changes
The following example login class lets the user perform all operations allowed by the all permissions flag, and explicitly grants configuration access to multiple hierarchy levels for interfaces. It denies configuration access to the [edit system] and [edit protocols] hierarchy levels.
| Note: You can configure as many regular expressions as needed to be allowed or denied. Regular expressions to be denied take precedence over configurations to be allowed. |
Allow Configuration Changes and Deny Operations Commands
You can combine allow and deny configuration statements with allow and deny operational commands statements to fine-tune access privileges. The following example login class uses a combination of the deny-commands operational permissions statement and the allow-configuration-regexps configuration permissions statement to let the user configure and commit changes to the OSPF and BGP protocols. However, this class of user cannot issue the show system statistics or the show bgp summary commands.
The following shows permissions set for individual configuration mode hierarchies:
Verification
To verify that you have set the access privileges correctly:
- Configure a login class and commit the changes.
- Assign the login class to a username.
- Log in as the username assigned with the new login class.
- Attempt to perform the configurations that have been allowed
or denied.
- You should be able to perform configuration changes to hierarchy levels and regular expressions that have been allowed.
- You should not be able to perform configuration changes to hierarchy levels and regular expressions that have been denied.
- Denied expressions should take precedence over allowed expressions.
- Any allowed or denied expressions should take precedence over any permissions granted with the permissions statement.
