Access to Individual Commands and Configuration Statements
By default, all top-level CLI commands have associated access privilege levels. Users can execute only those commands and view only those statements for which they have access privileges. For each login class, you can deny or allow the use of specified operational and configuration mode commands that would otherwise be permitted or not allowed by a specified privilege level.
Regular Expressions for Allow and Deny Statements
You can use extended regular expressions to specify which commands to allow or deny. By using extended regular expressions, you can list a number of commands in each statement.
You specify these regular expressions in the following statements at the [edit system login class] hierarchy level:

Command regular expressions implement the extended (modern) regular expressions as defined in POSIX 1003.2. Table 8 lists common regular expression operators.
Guidelines for Using Regular Expressions
Keep in mind the following considerations when using regular expressions to specify which statements or commands to allow or deny:
- Regular expressions are not case-sensitive.
- If a regular expression contains a syntax error, authentication fails and the user cannot log in.
- If a regular expression does not contain any operators, all varieties of the command are allowed.
Follow these guidelines when using regular expressions:
- Use an extended regular expression that connects two or more terms with the pipe (|) symbol. For example:
[edit system login class class-name]
user@host# set deny-configuration "(system login class) | (system services)"
- Do not use spaces between regular expressions separated with parentheses and connected with the pipe (|) symbol.
- Specify the full paths in the extended regular expressions with the allow-configuration and deny-configuration options.
NOTE: You cannot define access to keywords such as set or edit.
Timeout Value for Idle Login Sessions
An idle login session is one in which the CLI operational mode prompt is displayed but there is no input from the keyboard. By default, a login session remains established until a user logs out of the system, even if that session is idle. To close idle sessions automatically, you configure a time limit for each login class. If a session established by a user in that class remains idle for the configured time limit, the session automatically closes.
For users who belong to a login class for which an idle timeout is configured, the CLI displays messages similar to the following when an idle user session times out.
user@host# Session will be closed in 5 minutes if there is no activity.
Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session

If you configure a timeout value, the session closes after the specified time has elapsed, except if the user is running commands such as ssh, start shell, or telnet.
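The following pre-deployment check is an added example, not part of this documentation or of Junos itself. It covers both the regular-expression guidelines (syntax errors that lock users out, spaces around the pipe between parenthesized terms, keyword-only entries such as set or edit, case-insensitive matching, operator-free expressions covering every variety of a statement) and the idle-timeout section (a class with no idle-timeout leaves idle sessions open until the user logs out). Two assumptions are built in: Python's re module stands in for the POSIX 1003.2 extended regular expressions Junos uses, and an expression is taken to match a configuration statement from its first character. The LoginClass type, the check_login_class and denied_statements functions and the sample classes and statements are all constructed for the example; how Junos resolves a statement that both an allow and a deny expression match is not stated on this page and is therefore not modelled.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


# Constructed model of a Junos login class, limited to the statements this
# page discusses. idle_timeout is in minutes, as for the Junos idle-timeout
# statement; None means no timeout is configured.
@dataclass
class LoginClass:
    name: str
    allow_configuration: list = field(default_factory=list)
    deny_configuration: list = field(default_factory=list)
    idle_timeout: Optional[int] = None


# Keywords on which, per the NOTE above, access cannot be defined.
UNSUPPORTED_KEYWORDS = {"set", "edit"}

# A pipe between two parenthesized terms, with any surrounding whitespace.
PIPE_BETWEEN_TERMS = re.compile(r"\)\s*\|\s*\(")


def compile_expression(expr: str):
    """Compile one allow/deny expression as the guidelines describe it:
    case-insensitive, extended-regex syntax. Raises re.error on a syntax
    error, the condition under which Junos refuses the login entirely."""
    return re.compile(expr, re.IGNORECASE)


def expression_matches(expr: str, statement: str) -> bool:
    """Assumption: an expression matches a statement from its first character,
    so an operator-free expression such as 'system services' covers every
    variety of that statement ('system services ssh', ...)."""
    return compile_expression(expr).match(statement) is not None


def check_login_class(cls: LoginClass) -> list:
    """Return human-readable findings for the problems the guidelines warn about."""
    findings = []
    for option, exprs in (("allow-configuration", cls.allow_configuration),
                          ("deny-configuration", cls.deny_configuration)):
        for expr in exprs:
            try:
                compile_expression(expr)
            except re.error as err:
                findings.append(f"{cls.name}: {option} {expr!r} has a syntax error "
                                f"({err}); users in this class will fail authentication")
                continue
            pipe = PIPE_BETWEEN_TERMS.search(expr)
            if pipe and any(ch.isspace() for ch in pipe.group(0)):
                findings.append(f"{cls.name}: {option} {expr!r} has spaces around '|' "
                                "between parenthesized terms")
            if expr.strip().lower() in UNSUPPORTED_KEYWORDS:
                findings.append(f"{cls.name}: {option} {expr!r} names a keyword; "
                                "access cannot be defined on keywords")
    if cls.idle_timeout is None:
        findings.append(f"{cls.name}: no idle-timeout; idle sessions stay open "
                        "until the user logs out")
    return findings


def denied_statements(cls: LoginClass, statements) -> list:
    """Statements (as typed after set/edit) matched by any deny-configuration
    expression of the class, case-insensitively."""
    return [s for s in statements
            if any(expression_matches(e, s) for e in cls.deny_configuration)]


# Constructed sample classes and statements.
OPERATORS = LoginClass("operators", idle_timeout=10,
                       deny_configuration=["(system login class)|(system services)"])
BROKEN = LoginClass("broken", deny_configuration=["(system login class"])  # unbalanced
SPACED = LoginClass("spaced", idle_timeout=10,
                    deny_configuration=["(system login class) | (system services)"])
SAMPLE_STATEMENTS = [
    "system login class ops permissions all",
    "SYSTEM SERVICES telnet",
    "system services ssh",
    "interfaces ge-0/0/0 unit 0",
]

if __name__ == "__main__":
    for login_class in (OPERATORS, BROKEN, SPACED):
        for finding in check_login_class(login_class):
            print(finding)
    print("denied for operators:", denied_statements(OPERATORS, SAMPLE_STATEMENTS))
```

Run it against the classes you intend to commit before the commit: the syntax-error finding is the one to treat as blocking, because the page states that such an expression causes authentication to fail for every user in the class.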