Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Announcement: Our new, consolidated Junos CLI Reference is now available.

close
external-header-nav
keyboard_arrow_up
close
keyboard_arrow_left
list Table of Contents
file_download PDF
keyboard_arrow_right

Login Classes Overview

date_range 30-Jul-24

Junos OS Evolved login classes define the access privileges, permissions for using CLI commands and statements, and session idle time for the users assigned to that class. You (the system administrator) can apply a login class to an individual user account, thereby assigning certain privileges and permissions to the user.

Login Classes Overview

All users who can log in to a device running Junos OS Evolved must be in a login class. Each login class defines the following:

  • Access privileges that users have when they log in to the network device

  • Commands that users can and cannot execute

  • Configuration statements that users can and cannot view or modify

  • Amount of time a login session can be idle before the system disconnects the user

You can define any number of login classes. However, you only assign one login class to an individual user account.

Junos OS Evolved includes predefined login classes, which are listed in Table 1. You cannot modify the predefined login classes.

Table 1: Predefined System Login Classes

Login Class

Permission Flag Set

operator

clear, network, reset, trace, and view

read-only

view

superuser or super-user

all

unauthorized

None

SFTP and SCP server functionality is disabled when using the operator or read-only predefined login classes.

Starting in Junos OS Evolved Release 23.4R2, the superuser login class cannot write to the /var/log/ directory. Only the root user can write into /var/log/.

Permission Bits

Each top-level CLI command and each configuration statement has an access privilege level associated with it. Users can execute only those commands and configure and view only those statements for which they have access privileges. Each login class defines one or more permission bits that determine the access privileges.

Two forms for the permissions control whether a user can view or modify the individual parts of the configuration:

  • "Plain" form—Provides read-only capability for that permission type. An example is interface.

  • -control form—Provides read and write capability for that permission type. An example is interface-control.

Table 2 outlines the permission flags and associated access privileges.

Table 2: Login Class Permission Flags

Permission Flag

Description

access

Can view the access configuration in operational mode or configuration mode.

access-control

Can view and configure access information at the [edit access] hierarchy level.

admin

Can view user account information in operational mode or configuration mode.

admin-control

Can view user account information and configure it at the [edit system] hierarchy level.

all

Can access all operational mode commands and configuration mode commands. Can modify the configuration in all the configuration hierarchy levels.

clear

Can clear (delete) information that the device learns from the network and stores in various network databases (using the clear commands).

configure

Can enter configuration mode (using the configure command) and commit configurations (using the commit command).

control

Can perform all control-level operations—all operations configured with the -control permission flags.

field

Can view field debug commands. Reserved for debugging support.

firewall

Can view the firewall filter configuration in operational mode or configuration mode.

firewall-control

Can view and configure firewall filter information at the [edit firewall] hierarchy level.

floppy

Can read from and write to the removable media.

flow-tap

Can view the flow-tap configuration in operational mode or configuration mode.

flow-tap-control

Can view and configure flow-tap information at the [edit services flow-tap] hierarchy level.

flow-tap-operation

Can make flow-tap requests to the router or switch. For example, a Dynamic Tasking Control Protocol (DTCP) client must have flow-tap-operation permission to authenticate itself to Junos OS Evolved as an administrative user.

Note:

The flow-tap-operation option is not included in the all-control permissions flag.

idp-profiler-operation

Can view profiler data.

interface

Can view the interface configuration in operational mode and configuration mode.

interface-control

Can view chassis, class of service (CoS), groups, forwarding options, and interfaces configuration information. Can modify the configuration at the following hierarchy levels:

  • [edit chassis]

  • [edit class-of-service]

  • [edit groups]

  • [edit forwarding-options]

  • [edit interfaces]

maintenance

Can perform system maintenance, including starting a local shell on the device and becoming the superuser in the shell (using the su root command) and halting and rebooting the device (using the request system commands).

network

Can access the network by using the ping, ssh, telnet, and traceroute commands.

pgcp-session-mirroring

Can view the pgcp session mirroring configuration.

pgcp-session-mirroring-control

Can modify the pgcp session mirroring configuration.

reset

Can restart software processes by using the restart command.

rollback

Can use the rollback command to return to a previously committed configuration.

routing

Can view general routing, routing protocol, and routing policy configuration information in configuration mode and operational mode.

routing-control

Can view and configure general routing at the [edit routing-options] hierarchy level, routing protocols at the [edit protocols] hierarchy level, and routing policy information at the [edit policy-options] hierarchy level.

secret

Can view passwords and other authentication keys in the configuration.

secret-control

Can view and modify passwords and other authentication keys in the configuration.

security

Can view security configuration information in operational mode and configuration mode.

security-control

Can view and configure security information at the [edit security] hierarchy level.

shell

Can start a local shell on the router or switch by using the start shell command, and can become the root user in the shell by using the start shell user root command.

snmp

Can view Simple Network Management Protocol (SNMP) configuration information in operational mode or configuration mode.

snmp-control

Can view and modify SNMP configuration information at the [edit snmp] hierarchy level.

storage

Can view Fiber Channel storage configuration information at the [edit fc-fabrics] hierarchy level.

storage-control

Can modify Fiber Channel storage configuration information at the [edit fc-fabrics] hierarchy level.

system

Can view system-level information in operational mode or configuration mode.

system-control

Can view and modify system-level configuration information at the [edit system] hierarchy level.

trace

Can view trace file settings and configure trace file properties.

trace-control

Can modify trace file settings and configure trace file properties.

unified-edge

Can view unified edge configuration at the [edit unified-edge] hierarchy.

unified-edge

Can modify unified edge related configuration at the [edit unified-edge] hierarchy.

view

Can use various commands to display current system-wide, routing table, and protocol-specific values and statistics. Cannot view the secret configuration.

view-configuration

Can view all of the configuration excluding secrets, system scripts, and event options.

Note:

Only users with the maintenance permission can view commit script, op script, or event script configuration.

Deny or Allow Individual Commands and Statement Hierarchies

By default, all top-level CLI commands and statements have associated access privilege levels. Users can execute only those commands and view and configure only those statements for which they have access privileges. For each login class, you can explicitly deny or allow users the use of operational mode commands and configuration mode commands and configuration statement hierarchies that are otherwise allowed or denied by a permission bit.

Example: Create Login Classes with Specific Privileges

You define login classes to assign certain permissions or restrictions to groups of users, ensuring that sensitive commands are only accessible to the appropriate users. By default, Juniper Networks devices have four types of login classes with preset permissions: operator, read-only, superuser or super-user, and unauthorized.

You can create custom login classes to define different combinations of permissions that are not found in the default login classes. The following example shows three custom login classes, each with specific privileges and inactivity timers. Inactivity timers help protect network security by disconnecting a user from the network if the user is inactive for too long. Disconnecting the user prevents potential security risks that result when a user leaves an unattended account logged in to a switch or router. The permissions and inactivity timers shown here are only examples; you should customize the values to your organization.

The three login classes and their privileges are as follows. All three login classes use the same inactivity timer of 5 minutes.

  • observation—Can only view statistics and the configuration
  • operation—Can view and modify the configuration
  • engineering—Unlimited access and control
content_copy zoom_out_map
[edit]
system {
    login {
        class observation {
            idle-timeout 5;
            permissions [ view ];
        }
        class operation {
            idle-timeout 5;
            permissions [ admin clear configure interface interface-control network
            reset routing routing-control snmp snmp-control trace-control 
            firewall-control rollback ];
        }
        class engineering {
            idle-timeout 5;
            permissions all;
        }
    }
}

Understanding Exact Match Access Privileges for Login Classes

Exact match access privileges let you explicitly allow or deny exact configuration strings to define access control rules for login classes. Starting in Junos OS and Junos OS Evolved Release 23.4R1, you can use the allow-configuration-exact-match and deny-configuration-exact-match configuration statements to control exact match access privileges.

Benefits

  • Restrict deletion of upper level configuration hierarchies while permitting deletion of specific sub-hierarchies. This supports more targeted command authorization.

  • Ensure set commands remain permitted on a hierarchy even if deletion is denied. This separation of authorization for set and delete enables more flexible access controls.

  • Allow or deny precise configuration command strings, in addition to regular expressions. This supports configuring highly specific access rules when needed.

  • Leverage advanced authorization rules from external TACACS+ servers, in addition to local rules. This facilitates centralized policy management.

You can configure exact match access privileges with the allow-configuration-exact-match and deny-configuration-exact-match configuration statements at the [edit system login class name] hierarchy level. Use hierarchy strings starting with one of the following operators:

  • set
  • delete
  • active
  • deactivate

Wildcard characters are also supported. For example, the deny-configuration-exact-match delete interfaces* statement uses the * wildcard character to specify all interfaces.

If delete or deactivate is denied for a given configuration hierarchy, then set or activate commands can still be allowed by using allow-configuration-exact-match. If you configure both allow-configuration-exact-match and deny-configuration-exact-match with the same operator and configuration, then configuration access will be denied.

The new exact match rules can be configured locally or on external TACACS+ servers.

external-footer-nav