Login Classes Overview

Junos OS login classes define the access privileges, permissions for using CLI commands and statements, and session idle time for the users assigned to that class. You (the system administrator) can apply a login class to an individual user account, thereby assigning certain privileges and permissions to the user.

Login Classes Overview

All users who can log in to a device running Junos OS must be in a login class. Each login class defines the following:

Access privileges that users have when they log in to the network device
Commands that users can and cannot execute
Configuration statements that users can and cannot view or modify
Amount of time a login session can be idle before the system disconnects the user

You can define any number of login classes. However, you only assign one login class to an individual user account.

Junos OS includes predefined login classes, which are listed in Table 1. You cannot modify the predefined login classes.

Table 1: Predefined System Login Classes
Login Class	Permission Flag Set
`operator`	clear, network, reset, trace, and view
`read-only`	view
`superuser` or `super-user`	all
`unauthorized`	None

SFTP and SCP server functionality is disabled when using the operator or read-only predefined login classes.

Starting in Junos OS Evolved Release 23.4R2, the superuser login class cannot write to the /var/log/ directory. Only the root user can write into /var/log/.

Permission Bits
Deny or Allow Individual Commands and Statement Hierarchies

Permission Bits

Each top-level CLI command and each configuration statement has an access privilege level associated with it. Users can execute only those commands and configure and view only those statements for which they have access privileges. Each login class defines one or more permission bits that determine the access privileges.

Two forms for the permissions control whether a user can view or modify the individual parts of the configuration:

"Plain" form—Provides read-only capability for that permission type. An example is interface.
-control form—Provides read and write capability for that permission type. An example is interface-control.

Table 2 outlines the permission flags and associated access privileges.

Table 2: Login Class Permission Flags
Permission Flag	Description
`access`	Can view the access configuration in operational mode or configuration mode.
`access-control`	Can view and configure access information at the `[edit access]` hierarchy level.
`admin`	Can view user account information in operational mode or configuration mode.
`admin-control`	Can view user account information and configure it at the `[edit system]` hierarchy level.
`all`	Can access all operational mode commands and configuration mode commands. Can modify the configuration in all the configuration hierarchy levels.
`clear`	Can clear (delete) information that the device learns from the network and stores in various network databases (using the `clear` commands).
`configure`	Can enter configuration mode (using the `configure` command) and commit configurations (using the `commit` command).
`control`	Can perform all control-level operations—all operations configured with the `-control` permission flags.
`field`	Can view field debug commands. Reserved for debugging support.
`firewall`	Can view the firewall filter configuration in operational mode or configuration mode.
`firewall-control`	Can view and configure firewall filter information at the `[edit firewall]` hierarchy level.
`floppy`	Can read from and write to the removable media.
`flow-tap`	Can view the flow-tap configuration in operational mode or configuration mode.
`flow-tap-control`	Can view and configure flow-tap information at the `[edit services flow-tap]` hierarchy level.
`flow-tap-operation`	Can make flow-tap requests to the router or switch. For example, a Dynamic Tasking Control Protocol (DTCP) client must have `flow-tap-operation` permission to authenticate itself to Junos OS as an administrative user. Note: The `flow-tap-operation` option is not included in the `all-control` permissions flag.
`idp-profiler-operation`	Can view profiler data.
`interface`	Can view the interface configuration in operational mode and configuration mode.
`interface-control`	Can view chassis, class of service (CoS), groups, forwarding options, and interfaces configuration information. Can modify the configuration at the following hierarchy levels: `[edit chassis]` `[edit class-of-service]` `[edit groups]` `[edit forwarding-options]` `[edit interfaces]`
`maintenance`	Can perform system maintenance, including starting a local shell on the device and becoming the superuser in the shell (using the `su root` command) and halting and rebooting the device (using the `request system` commands).
`network`	Can access the network by using the `ping`, `ssh`, `telnet`, and `traceroute` commands.
`pgcp-session-mirroring`	Can view the `pgcp` session mirroring configuration.
`pgcp-session-mirroring-control`	Can modify the `pgcp` session mirroring configuration.
`reset`	Can restart software processes by using the `restart` command.
`rollback`	Can use the `rollback` command to return to a previously committed configuration.
`routing`	Can view general routing, routing protocol, and routing policy configuration information in configuration mode and operational mode.
`routing-control`	Can view and configure general routing at the `[edit routing-options]` hierarchy level, routing protocols at the `[edit protocols]` hierarchy level, and routing policy information at the `[edit policy-options]` hierarchy level.
`secret`	Can view passwords and other authentication keys in the configuration.
`secret-control`	Can view and modify passwords and other authentication keys in the configuration.
`security`	Can view security configuration information in operational mode and configuration mode.
`security-control`	Can view and configure security information at the `[edit security]` hierarchy level.
`shell`	Can start a local shell on the router or switch by using the `start shell` command.
`snmp`	Can view Simple Network Management Protocol (SNMP) configuration information in operational mode or configuration mode.
`snmp-control`	Can view and modify SNMP configuration information at the `[edit snmp]` hierarchy level.
	Can view Fiber Channel storage configuration information at the `[edit fc-fabrics]` hierarchy level.
	Can modify Fiber Channel storage configuration information at the `[edit fc-fabrics]` hierarchy level.
`system`	Can view system-level information in operational mode or configuration mode.
`system-control`	Can view and modify system-level configuration information at the `[edit system]` hierarchy level.
`trace`	Can view trace file settings and configure trace file properties.
`trace-control`	Can modify trace file settings and configure trace file properties.
	Can view unified edge configuration at the `[edit unified-edge]` hierarchy.
	Can modify unified edge related configuration at the `[edit unified-edge]` hierarchy.
`view`	Can use various commands to display current system-wide, routing table, and protocol-specific values and statistics. Cannot view the secret configuration.
`view-configuration`	Can view all of the configuration excluding secrets, system scripts, and event options. Note: Only users with the `maintenance` permission can view commit script, op script, or event script configuration.

Deny or Allow Individual Commands and Statement Hierarchies

By default, all top-level CLI commands and statements have associated access privilege levels. Users can execute only those commands and view and configure only those statements for which they have access privileges. For each login class, you can explicitly deny or allow users the use of operational mode commands and configuration mode commands and configuration statement hierarchies that are otherwise allowed or denied by a permission bit.

Example: Create Login Classes with Specific Privileges

You define login classes to assign certain permissions or restrictions to groups of users, ensuring that sensitive commands are only accessible to the appropriate users. By default, Juniper Networks devices have four types of login classes with preset permissions: operator, read-only, superuser or super-user, and unauthorized.

You can create custom login classes to define different combinations of permissions that are not found in the default login classes. The following example shows three custom login classes, each with specific privileges and inactivity timers. Inactivity timers help protect network security by disconnecting a user from the network if the user is inactive for too long. Disconnecting the user prevents potential security risks that result when a user leaves an unattended account logged in to a switch or router. The permissions and inactivity timers shown here are only examples; you should customize the values to your organization.

The three login classes and their privileges are as follows. All three login classes use the same inactivity timer of 5 minutes.

observation—Can only view statistics and the configuration
operation—Can view and modify the configuration
engineering—Unlimited access and control

Understanding Exact Match Access Privileges for Login Classes

Exact match access privileges let you explicitly allow or deny exact configuration strings to define access control rules for login classes. Starting in Junos OS and Junos OS Evolved Release 23.4R1, you can use the allow-configuration-exact-match and deny-configuration-exact-match configuration statements to control exact match access privileges.

Benefits

Restrict deletion of upper level configuration hierarchies while permitting deletion of specific sub-hierarchies. This supports more targeted command authorization.
Ensure set commands remain permitted on a hierarchy even if deletion is denied. This separation of authorization for set and delete enables more flexible access controls.
Allow or deny precise configuration command strings, in addition to regular expressions. This supports configuring highly specific access rules when needed.
Leverage advanced authorization rules from external TACACS+ servers, in addition to local rules. This facilitates centralized policy management.

You can configure exact match access privileges with the allow-configuration-exact-match and deny-configuration-exact-match configuration statements at the [edit system login class name] hierarchy level. Use hierarchy strings starting with one of the following operators:

set
delete
active
deactivate

Wildcard characters are also supported. For example, the deny-configuration-exact-match delete interfaces* statement uses the * wildcard character to specify all interfaces.

If delete or deactivate is denied for a given configuration hierarchy, then set or activate commands can still be allowed by using allow-configuration-exact-match. If you configure both allow-configuration-exact-match and deny-configuration-exact-match with the same operator and configuration, then configuration access will be denied.

The new exact match rules can be configured locally or on external TACACS+ servers.

ON THIS PAGE

Login Classes Overview