Related Documentation
- EX, J, M, MX, PTX, QFX, T Series
- Example: Configuring Access Privileges for Operational Mode Commands
- Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands
- EX, M, MX, PTX, SRX, T Series
- allow-commands
- deny-commands
Specifying Access Privileges for Junos OS Operational Mode Commands
You can specify extended regular expressions with the allow-commands and deny-commands statements to define a user's access to individual operational mode commands. These expressions take precedence over the permissions bits set for the login class. You can include one deny-commands statement and one allow-commands statement in each login class.
To explicitly allow an individual operational mode command that would otherwise be denied, include the allow-commands statement, with the regular expression as its argument, at the [edit system login class class-name] hierarchy level.
To explicitly deny an individual operational mode command that would otherwise be allowed, include the deny-commands statement, with the regular expression as its argument, at the [edit system login class class-name] hierarchy level.
If the regular expression contains any spaces, operators, or wildcard characters, enclose the expression in quotation marks. Regular expressions are not case-sensitive.
Note: Modifiers are not supported within the regular expression string to be matched. If a modifier is used, nothing is matched. For example, a deny-commands expression of set protocols does not match anything, whereas protocols matches protocols.
Explicitly providing access to operational mode commands using the allow-commands statement adds to the regular permissions set using the permissions statement. Likewise, explicitly denying access to operational mode commands using the deny-commands statement removes permissions for the specified commands from the default permissions provided by the permissions statement.
For example, if a login class has the permission view and the allow-commands statement includes the request system software add command, the specified login class user can install software, in addition to the permissions specified by the view permissions flag. Likewise, if a login class has the permission all and the deny-commands statement includes the request system software add command, the specified login class user can perform all operations allowed by the all permissions flag, except installing software using the request system software add command.
If you allow and deny the same commands, the allow-commands permissions take precedence over the permissions specified by deny-commands. For example, if you include allow-commands "request system software add" and deny-commands "request system software add", the login class user is allowed to install software using the request system software add command.
If the allow-commands and deny-commands expressions match two different variants of the same command, the longest match always wins.
For example, if you specify a regular expression for allow-commands that matches the commit synchronize command and a regular expression for deny-commands that matches the commit command, users assigned to that login class can issue commit synchronize but not commit. This is because commit synchronize is the longer of the two matches, and it is the one specified for allow-commands.
Likewise, if you specify a regular expression for allow-commands that matches the commit command and a regular expression for deny-commands that matches the commit synchronize command, users assigned to that login class can issue commit but not commit synchronize. This is because commit synchronize is the longer match, and it is the one specified for deny-commands.
Anchors are required when specifying complex regular expressions with the allow-commands or deny-commands statements; without the ^ anchor, each alternative can match anywhere inside a command line rather than only at its start, which grants broader access than intended. For example, when specifying multiple commands using the pipe (|) symbol for allow-commands, the following expression is incorrect: allow-commands "(monitor.*)|(ping.*)|(show.*)|(exit)". Instead, anchor each alternative: allow-commands "(^monitor) | (^ping) | (^show) | (^exit)", or, equivalently, anchor the group as a whole: allow-commands "^(monitor | ping | show | exit)".
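The rules above (allow-commands adds to and deny-commands subtracts from the permissions bits, the longest match wins, a tie goes to allow-commands, matching is case-insensitive, and unanchored expressions match anywhere in the command line) can be checked before an expression is committed to a device. The following Python script is an added example, not Junos code and not Juniper's matcher: it models only the outcomes this page documents, using Python's re module, a constructed login class named noc-ops in set-command form, and constructed sample commands. A command matched by neither expression is reported as falling through to the permissions bits.

```python
"""Model of the documented allow-commands / deny-commands evaluation rules.

Added example, not Junos code. It replays the rules the page states so a
candidate expression can be checked before commit. Junos' own regex engine
is not reproduced; only the documented outcomes are.
"""
import re
from typing import Optional

# Constructed login-class configuration in Junos "set" form (class name
# "noc-ops" is invented for this example). Only one allow-commands and one
# deny-commands statement are permitted per class.
LOGIN_CLASS_CONFIG = """
set system login class noc-ops permissions view
set system login class noc-ops allow-commands "^(monitor|ping|show|exit)"
set system login class noc-ops deny-commands "^show configuration"
"""

STMT_RE = re.compile(
    r'^set system login class (?P<cls>\S+) '
    r'(?P<stmt>allow-commands|deny-commands) "(?P<rx>.*)"$'
)


def parse_login_classes(config: str) -> dict:
    """Return {class_name: {"allow": regex or None, "deny": regex or None}}."""
    classes: dict = {}
    for line in config.strip().splitlines():
        m = STMT_RE.match(line.strip())
        if not m:
            continue  # permissions and other statements are not modelled here
        entry = classes.setdefault(m["cls"], {"allow": None, "deny": None})
        key = "allow" if m["stmt"] == "allow-commands" else "deny"
        if entry[key] is not None:
            raise ValueError(f"{m['cls']}: only one {m['stmt']} statement per class")
        entry[key] = m["rx"]
    return classes


def _match_len(pattern: Optional[str], command: str) -> int:
    """Length of the matched text, or 0 if the expression does not match.

    re.search is used deliberately: without a ^ anchor the expression may
    match in the middle of the command line, which is the page's point.
    Matching is case-insensitive, as documented."""
    if pattern is None:
        return 0
    m = re.search(pattern, command, re.IGNORECASE)
    return m.end() - m.start() if m else 0


def decide(command: str, allow: Optional[str], deny: Optional[str]) -> str:
    """'allow', 'deny', or 'permissions' (neither matched; permissions bits apply)."""
    a, d = _match_len(allow, command), _match_len(deny, command)
    if a == 0 and d == 0:
        return "permissions"
    if a >= d:  # longest match wins; an equal-length match goes to allow-commands
        return "allow"
    return "deny"


def decide_for_class(config: str, cls: str, command: str) -> str:
    rules = parse_login_classes(config)[cls]
    return decide(command, rules["allow"], rules["deny"])


if __name__ == "__main__":
    # Constructed sample commands run against the noc-ops class above.
    for cmd in ("show interfaces terse", "show configuration",
                "file show /var/log/messages", "request system reboot"):
        print(f"{cmd:32} -> {decide_for_class(LOGIN_CLASS_CONFIG, 'noc-ops', cmd)}")
    # The same "file show" line against the page's unanchored expression:
    unanchored = "(monitor.*)|(ping.*)|(show.*)|(exit)"
    print("unanchored file show ->", decide("file show /var/log/messages", unanchored, None))
```

Running the script shows the anchor problem concretely: with the anchored allow-commands expression, file show /var/log/messages falls through to the permissions bits, but the unanchored (show.*) alternative matches the word show in the middle of the line and allows it. The decide function can also be called directly with the commit and commit synchronize expressions from the paragraphs above to confirm the longest-match and allow-wins-a-tie behaviour.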
Published: 2013-08-15