Configuring Login Classes
Before you configure a login class:
- Review the predefined login classes to determine whether you can use one of these classes rather than creating a new one.
- Make sure you are familiar with how to use regular expressions to specify which commands and configuration statements to allow or deny.
Consider that you can issue one allow statement and one deny statement for operational mode commands, and one allow statement and one deny statement for configuration mode commands. Use regular expressions in a statement to specify more than one command in a statement. See Specifying Regular Expressions for Allow and Deny Statements on page 65.
Configuration Statements for Login Classes
Use the following configuration statements to configure login classes at the [edit] hierarchy level:

    system login class name {
        allow-commands allow-commands;
        allow-configuration allow-configuration;
        deny-commands deny-commands;
        deny-configuration deny-configuration;
        idle-timeout idle-timeout;
        permissions [(admin | admin-control | all | clear | configure | control | field | firewall | firewall-control | interface | interface-control | maintenance | network | reset | routing | routing-control | secret | secret-control | security | security-control | shell | snmp | snmp-control | system | system-control | view | view-configuration | service | service-control | subscriber | subscriber-control)...];
    }
Configuring a Login Class
- From configuration mode, access the configuration statement that configures login classes, and assign a name to the login class.

    [edit]
    user@host# edit system login class name

- Specify the permissions for the login class.

    [edit system login class name]
    user@host# set permissions permissions

  For example, the following statement specifies that the user-accounts class can configure and view only user accounts:

    [edit system login class user-accounts]
    user@host# set permissions [configure admin admin-control]

  The following statement specifies that the network-mgmt class can configure and view only SNMP parameters:

    [edit system login class network-mgmt]
    user@host# set permissions [configure snmp snmp-control]

- (Optional) Configure access to specified operational mode commands that would otherwise be denied.

    [edit system login class name]
    user@host# set allow-commands allow-commands

  For example, the following statement specifies that the network-mgmt class can install system software:

    [edit system login class network-mgmt]
    user@host# set allow-commands "request system install"

- (Optional) Deny access to specified operational mode commands that would otherwise be allowed.

    [edit system login class class-name]
    user@host# set deny-commands deny-commands

  For example, the following statement specifies that the remote class cannot connect to the SRC software through Telnet:

    [edit system login class remote]
    user@host# set deny-commands telnet

- (Optional) Configure access to specified configuration mode commands that would otherwise be denied.

    [edit system login class name]
    user@host# set allow-configuration allow-configuration

  For example, the following statement specifies that the network-mgmt class can issue configuration mode commands at the [routing-options] hierarchy level:

    [edit system login class network-mgmt]
    user@host# set allow-configuration "routing-options"

- (Optional) Deny access to specified configuration mode commands that would otherwise be allowed.

    [edit system login class name]
    user@host# set deny-configuration deny-configuration

  For example, the following statement specifies that the network-mgmt class does not have access to the [snmp address] hierarchy level:

    [edit system login class network-mgmt]
    user@host# set deny-configuration "snmp address"

- Specify the number of minutes that a session can be idle before it is automatically closed.

    [edit system login class class-name]
    user@host# set idle-timeout minutes

- Display the results of the configuration.

    [edit system login]
    user@host# show
    class network-mgmt {
        allow-commands "request system install";
        allow-configuration routing-options;
        deny-configuration "snmp address";
    }
    class remote {
        deny-configuration "system services telnet";
        permissions all;
    }

Examples: Configuring Access Privileges for Operational Mode Commands
The following example allows access to the request system reboot command for the login class operator-and-boot, which has operator privileges defined by the clear, network, reset, and view permissions:

    [edit system login class operator-and-boot]
    user@host# set permissions [ clear network reset view ]
    user@host# set allow-commands "request system reboot"

The following example denies access to set commands for the login class operator-no-set, which has operator privileges defined by the clear, network, reset, and view permissions:

    [edit system login class operator-no-set]
    user@host# set permissions [ clear network reset view ]
    user@host# set deny-commands "set"

The following example allows software installation but denies access to the show nic command for the login class operator-and-install-no-nic, which has operator privileges defined by the clear, network, reset, and view permissions:

    [edit system login class operator-and-install-no-nic]
    user@host# set permissions [ clear network reset view ]
    user@host# set allow-commands "request system install"
    user@host# set deny-commands "show nic"
Examples: Defining Access Privileges for Configuration Mode Commands
The following example does not allow access to the C-series platform through a Telnet session for the login class remote, which has permissions set to all:

    [edit system login class remote]
    user@host# set permissions all
    user@host# set deny-configuration "system services telnet"

The following example does not allow access to any login class whose name begins with "m" for the login class local, which has permissions set to all:

    [edit system login class local]
    user@host# set permissions all
    user@host# set deny-configuration "system login class m.*"

The following example does not allow access to configuration mode commands at the [system login class] or [system services] hierarchy levels for the login class config-admin, which has permissions set to all:

    [edit system login class config-admin]
    user@host# set permissions all
    user@host# set deny-configuration "(system login class) | (system services)"
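Because each class carries at most one allow and one deny regular expression per mode, a pattern that is slightly too wide or too narrow changes what a whole class of operators can do. The following Python checker is an added example, not vendor code and not part of this page: it models the login classes from the procedure and from the examples above and runs constructed sample commands through their allow/deny patterns before anything is committed. It assumes Python's re semantics with the pattern anchored at the start of the command (re.match), an approximation that must be verified against the platform's own matcher, and when both the allow and the deny pattern match a command it reports a conflict instead of assuming which statement wins.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LoginClass:
    """One login class: a permission set plus at most one allow and one deny
    regex per mode, mirroring the statement layout described above."""
    name: str
    permissions: frozenset
    allow_commands: Optional[str] = None
    deny_commands: Optional[str] = None
    allow_configuration: Optional[str] = None
    deny_configuration: Optional[str] = None


def pattern_hits(pattern: Optional[str], text: str, anchored: bool = True) -> bool:
    """Assumed matcher: prefix match (re.match) when anchored, substring
    search (re.search) otherwise. Verify the real platform's anchoring."""
    if not pattern:
        return False
    matcher = re.match if anchored else re.search
    return matcher(pattern, text) is not None


def evaluate(cls: LoginClass, command: str, mode: str = "operational",
             anchored: bool = True) -> str:
    """Classify one command as 'allow', 'deny', 'conflict' or 'default'.
    'conflict' means both regexes match; the platform's precedence rule
    decides that case, so the checker reports it rather than guessing.
    'default' means neither matched and the permission bits alone apply."""
    if mode == "operational":
        allow, deny = cls.allow_commands, cls.deny_commands
    else:
        allow, deny = cls.allow_configuration, cls.deny_configuration
    allowed = pattern_hits(allow, command, anchored)
    denied = pattern_hits(deny, command, anchored)
    if allowed and denied:
        return "conflict"
    if allowed:
        return "allow"
    if denied:
        return "deny"
    return "default"


def lint_pattern(pattern: Optional[str]) -> List[str]:
    """Flag regex slips that quietly widen or narrow a statement."""
    findings: List[str] = []
    if not pattern:
        return findings
    try:
        re.compile(pattern)
    except re.error as exc:
        return [f"invalid regex: {exc}"]
    # In a standard regex a space beside '|' belongs to the alternative.
    if re.search(r"\s\||\|\s", pattern):
        findings.append("space next to '|' is part of the alternative")
    # A bare word such as "set" also matches inside "reset" when unanchored.
    if re.fullmatch(r"\w+", pattern):
        findings.append("bare word: unanchored matching also hits it inside other words")
    return findings


# Classes constructed from the page's examples (operator permissions as given).
OPERATOR = frozenset({"clear", "network", "reset", "view"})
OPERATOR_NO_SET = LoginClass("operator-no-set", OPERATOR, deny_commands="set")
INSTALL_NO_NIC = LoginClass("operator-and-install-no-nic", OPERATOR,
                            allow_commands="request system install",
                            deny_commands="show nic")
LOCAL = LoginClass("local", frozenset({"all"}),
                   deny_configuration="system login class m.*")
CONFIG_ADMIN = LoginClass("config-admin", frozenset({"all"}),
                          deny_configuration="(system login class) | (system services)")
# Same intent with the literal spaces removed from the alternation.
CONFIG_ADMIN_FIXED = LoginClass("config-admin", frozenset({"all"}),
                                deny_configuration="(system login class)|(system services)")

# Constructed sample inputs; the exact commands are illustrative only.
SAMPLE_OPERATIONAL = ["set cli timestamp", "request system reset",
                      "request system install /var/tmp/pkg.tgz", "show nic"]
SAMPLE_CONFIGURATION = ["system login class mgmt", "system login class operator",
                        "system services telnet"]


def report(cls: LoginClass, commands: List[str], mode: str) -> dict:
    """Map every sample command to its verdict for one class, both anchored
    and unanchored, so the two assumptions can be compared side by side."""
    return {cmd: (evaluate(cls, cmd, mode, True), evaluate(cls, cmd, mode, False))
            for cmd in commands}


if __name__ == "__main__":
    for cls in (OPERATOR_NO_SET, INSTALL_NO_NIC):
        print(cls.name, lint_pattern(cls.deny_commands), report(cls, SAMPLE_OPERATIONAL, "operational"))
    for cls in (LOCAL, CONFIG_ADMIN, CONFIG_ADMIN_FIXED):
        print(cls.name, lint_pattern(cls.deny_configuration), report(cls, SAMPLE_CONFIGURATION, "configuration"))
```

Two results are worth a second look before committing the page's examples on a real device: deny-commands "set" also denies "request system reset" if the platform searches for the pattern anywhere in the command rather than at its start, and the spaces around "|" in "(system login class) | (system services)" make the second alternative begin with a space in standard regex syntax, so "system services telnet" is not matched until the spaces are removed. Whether the platform's matcher behaves the same way is exactly what the checker cannot know, which is why it reports the anchored and unanchored verdicts together.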