Specifying Access Privileges for Junos OS Configuration Mode Hierarchies

You can specify extended regular expressions with the allow-configuration and deny-configuration statements to define user access privileges to parts of the configuration hierarchy. Doing so overrides login class permission bits set for a user. You can also use wildcards to restrict access. When you define access privileges to parts of the configuration hierarchy, do the following tasks:

  • Specify the full paths in the extended regular expressions with the allow-configuration and deny-configuration statements.
  • Put parentheses around an extended regular expression that connects two or more expressions with the pipe | symbol. For example:
    [edit system login class class-name]
    user@switch# set deny-configuration "(system login class) | (system services)"

    Note: Each expression separated by a pipe (|) symbol must be a complete standalone expression, and must be enclosed in parentheses ( ). Do not use spaces between regular expressions separated with parentheses and connected with the pipe (|) symbol. You cannot define access to keywords such as set, edit, or activate.

When you explicitly provide access to configuration mode hierarchies or regular expressions using the allow-configuration statement, you add to the regular permissions set with the permissions statement. If you explicitly deny access to configuration mode hierarchies or regular expressions using the deny-configuration statement, you remove permissions for the specified configuration mode hierarchy from the default permissions provided by the permissions statement.

To explicitly provide access to an individual configuration mode hierarchy that would otherwise be denied, include the allow-configuration statement at the [edit system login class class-name] hierarchy level:

[edit system login class class-name]
allow-configuration "regular-expression";

To explicitly deny access to an individual configuration hierarchy that would otherwise be supported, include the deny-configuration statement at the [edit system login class class-name] hierarchy level:

[edit system login class class-name]
deny-configuration "regular-expression";

You can include one deny-configuration and one allow-configuration statement in each login class.

If you allow and deny the same set of configuration hierarchy levels, regular expressions, or commands, the allow-configuration statement permissions take precedence over the permissions specified by the deny-configuration statement. For example, if you include allow-configuration "system services" and deny-configuration "system services", the login class user can continue to edit the configuration or issue commands at the edit system services hierarchy level.
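The two mechanisms above in a complete login configuration, written here as an added illustration rather than taken from the original page: one class that starts from minimal permission bits and uses allow-configuration to add a single hierarchy, and one that starts from all permission bits and uses deny-configuration to remove the hierarchies a user could turn into a privilege escalation. Class names, user names and the password hash are made up.

```junos
system {
    login {
        /* Class 1: the permission bits only let the user enter configuration
           mode and view the configuration; allow-configuration adds edit
           rights on the interfaces hierarchy on top of those bits. */
        class interface-editor {
            permissions [ configure view view-configuration ];
            allow-configuration "interfaces";
        }
        /* Class 2: the permission bits grant everything; deny-configuration
           then removes the hierarchies that control accounts and remote
           services, so a member cannot change their own login class or open
           new management services. Each alternative is a complete expression
           in its own parentheses, joined by the pipe symbol with no spaces,
           and the whole expression is one quoted string. Only one
           deny-configuration and one allow-configuration are permitted per
           class, so all denied hierarchies go into this single statement. */
        class admin-no-accounts {
            permissions [ all ];
            deny-configuration "(system login)|(system services)";
        }
        user netops1 {
            class interface-editor;
            authentication {
                encrypted-password "$PLACEHOLDER-HASH$"; ## SECRET-DATA
            }
        }
        user netops2 {
            class admin-no-accounts;
            authentication {
                encrypted-password "$PLACEHOLDER-HASH$"; ## SECRET-DATA
            }
        }
    }
}
```

Because allow-configuration wins where both statements match, do not add an allow-configuration to the second class that overlaps the denied hierarchies, or the deny is silently cancelled for that overlap.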

Published: 2014-07-23