

Configuring Login Classes

Before you configure a login class:

See Predefined Login Classes.

Note that you can issue one allow statement and one deny statement for operational mode commands, and one allow statement and one deny statement for configuration mode commands. To cover more than one command in a single statement, use a regular expression.

See Specifying Regular Expressions for Allow and Deny Statements.

Configuration Statements for Login Classes

Use the following configuration statements to configure login classes at the [edit] hierarchy level:

system login class name {
    allow-commands allow-commands;
    allow-configuration allow-configuration;
    deny-commands deny-commands;
    deny-configuration deny-configuration;
    idle-timeout idle-timeout;
    permissions [(admin | admin-control | all | clear | configure | control | field |
        firewall | firewall-control | interface | interface-control | maintenance |
        network | reset | routing | routing-control | secret | secret-control |
        security | security-control | shell | snmp | snmp-control | system |
        system-control | view | view-configuration | service | service-control |
        subscriber | subscriber-control)...];
}


Configuring a Login Class

To configure a login class:

  1. From configuration mode, access the configuration statement that configures login classes, and assign a name to the login class.

     [edit]
     user@host# edit system login class name

  2. Specify the permissions for the login class.

     [edit system login class name]
     user@host# set permissions permissions

     For example, the following statement specifies that the user-accounts class can configure and view only user accounts:

     [edit system login class user-accounts]
     user@host# set permissions [configure admin admin-control]

     The following statement specifies that the network-mgmt class can configure and view only SNMP parameters:

     [edit system login class network-mgmt]
     user@host# set permissions [configure snmp snmp-control]

  3. (Optional) Configure access to specified operational mode commands that would otherwise be denied.

     [edit system login class name]
     user@host# set allow-commands allow-commands

     For example, the following statement specifies that the network-mgmt class can install system software:

     [edit system login class network-mgmt]
     user@host# set allow-commands "request system install"

  4. (Optional) Deny access to specified operational mode commands that would otherwise be allowed.

     [edit system login class name]
     user@host# set deny-commands deny-commands

     For example, the following statement specifies that the remote class cannot connect to the SRC software through Telnet:

     [edit system login class remote]
     user@host# set deny-commands telnet

  5. (Optional) Configure access to specified configuration mode commands that would otherwise be denied.

     [edit system login class name]
     user@host# set allow-configuration allow-configuration

     For example, the following statement specifies that the network-mgmt class can issue configuration mode commands at the [routing-options] hierarchy level:

     [edit system login class network-mgmt]
     user@host# set allow-configuration "routing-options"

  6. (Optional) Deny access to specified configuration mode commands that would otherwise be allowed.

     [edit system login class name]
     user@host# set deny-configuration deny-configuration

     For example, the following statement specifies that the network-mgmt class does not have access to the [snmp address] hierarchy level:

     [edit system login class network-mgmt]
     user@host# set deny-configuration "snmp address"

  7. Specify the number of minutes that a session can be idle before it is automatically closed.

     [edit system login class name]
     user@host# set idle-timeout minutes

  8. Display the results of the configuration.

     [edit system login]
     user@host# show
     class network-mgmt {
       allow-commands "request system install";
       allow-configuration routing-options;
       deny-configuration "snmp address";
     }
     class remote {
       deny-configuration "system services telnet";
       permissions all;
     }


Examples: Configuring Access Privileges for Operational Mode Commands

The following example allows access to the request system reboot command for the login class operator-and-boot that has operator privileges defined by the clear, network, reset, and view permissions.

[edit system login class operator-and-boot] 
user@host# set permissions [ clear network reset view ]
user@host# set allow-commands "request system reboot"

The following example denies access to set commands for the login class operator-no-set that has operator privileges defined by the clear, network, reset, and view permissions.

[edit system login class operator-no-set] 
user@host# set permissions [ clear network reset view ]
user@host# set deny-commands "set"

The following example allows software installation but denies access to the show nic command for the login class operator-and-install-no-nic, which has operator privileges defined by the clear, network, reset, and view permissions.

[edit system login class operator-and-install-no-nic]
user@host# set permissions [ clear network reset view ]
user@host# set allow-commands "request system install"
user@host# set deny-commands "show nic"

Examples: Defining Access Privileges for Configuration Mode Commands

The following example does not allow access to the C-series platform through a Telnet session for the login class remote, which has permissions set to all:

[edit system login class remote]
user@host# set permissions all
user@host# set deny-configuration "system services telnet"

The following example does not allow the login class local, which has permissions set to all, to configure any login class whose name begins with "m":

[edit system login class local]
user@host# set permissions all
user@host# set deny-configuration "system login class m.*" 

The following example does not allow access to configuration mode commands at the [system login class] or [system services] hierarchy levels for the login class config-admin, which has permissions set to all:

[edit system login class config-admin]
user@host# set permissions all
user@host# set deny-configuration "(system login class) | (system services)"
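As an added example, not part of the original documentation, the following Python script parses show-style login class output in the format displayed in the procedure above and checks the constraints this page states: each class carries a permissions statement and an idle-timeout, no class has more than one allow or deny statement per mode, and every allow or deny value is a valid regular expression. The sample listing is constructed for the example; the line-based parser assumes one statement per line, as in the show output on this page.

```python
import re
# Constructed sample of "show" output under [edit system login], modelled on this page's
# listings (not captured from a device); the "remote" class is deliberately faulty.
SAMPLE = """
class network-mgmt {
  permissions [ configure snmp snmp-control ];
  allow-commands "request system install";
  deny-configuration "snmp address";
  idle-timeout 15;
}
class remote {
  deny-configuration "system services telnet";
  deny-configuration "(system login class";
}
"""
CLASS_RE = re.compile(r'^\s*class\s+(\S+)\s*\{')
STMT_RE = re.compile(r'^\s*(allow-commands|deny-commands|allow-configuration|'
                     r'deny-configuration|idle-timeout|permissions)\s+(.+?);\s*$')
REGEX_STMTS = ("allow-commands", "deny-commands", "allow-configuration", "deny-configuration")

def parse_classes(text):
    # Map each class name to its list of (statement, value) pairs, quotes stripped.
    classes, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = m.group(1)
            classes[current] = []
        elif (m := STMT_RE.match(line)) and current:
            classes[current].append((m.group(1), m.group(2).strip('"')))
    return classes

def audit(classes):
    # One finding per violated constraint; an empty list means the listing is clean.
    findings = []
    for name, stmts in classes.items():
        kinds = [k for k, _ in stmts]
        if "permissions" not in kinds:
            findings.append(f"{name}: no permissions statement")
        if "idle-timeout" not in kinds:
            findings.append(f"{name}: no idle-timeout statement")
        for kind in REGEX_STMTS:
            if kinds.count(kind) > 1:  # only one statement of each kind is accepted
                findings.append(f"{name}: {kind} appears {kinds.count(kind)} times")
        for kind, value in stmts:
            if kind in REGEX_STMTS:
                try:
                    re.compile(value)
                except re.error as err:
                    findings.append(f"{name}: {kind} {value!r} is not a valid regex ({err})")
    return findings
```

Running audit(parse_classes(SAMPLE)) reports nothing for network-mgmt and four findings for remote: missing permissions, missing idle-timeout, a duplicated deny-configuration statement, and the unbalanced parenthesis in its second pattern.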
