Junos OS

Custom Login Class - Deny Commands?

  • 1.  Custom Login Class - Deny Commands?

    Posted 03-12-2018 18:15

    Hello all, 

     

    I am part of a team that manages 300+ SRX220, EX2200 devices. We would like to give our help desk the ability to view, ping, and reboot the devices.  We have created the class:

     

    set system login class read-reboot permissions maintenance
    set system login class read-reboot permissions network
    set system login class read-reboot permissions view
    set system login class read-reboot allow-commands "request system reboot"
    

    However, I believe this gives the class more access than we are really looking for.  From here I would also like to deny access to the following commands:

     

    request system power-off
    request system halt
    request system zeroize
    request system configuration
    request system storage
    request system snapshot
    request system firmware
    request system autorecovery
    request system commit
    start shell

     

    I believe the way to do this is with a regular expression. I have a regex that validates against the text, but it doesn't seem to play well with Junos:

    (^request system (power-off|snapshot|zeroize|storage|halt|configuration|firmware|autorecovery|commit)\b|^start shell)
    

    How can I use this to deny the above commands?

     

    Thanks

    sb 



  • 2.  RE: Custom Login Class - Deny Commands?
    Best Answer

    Posted 03-12-2018 18:39

     

    Use a combination of allow-commands and deny-commands to accomplish that.

    Example:

     

    class test {
        permissions maintenance;
        allow-commands "request system logout";
        deny-commands "request system reboot|request system power-off";
    }
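As an added example (not code from either post), a small Python helper that turns the original poster's command list into a deny-commands pattern written only in POSIX extended-regex syntax, and that flags Perl-style escapes such as `\b` before the pattern is pasted into the CLI. It assumes Junos matches allow-/deny-commands with POSIX ERE, which would explain why the poster's `\b`-based regex is not accepted; the command list and test commands are constructed from the thread.

```python
import re

# Sub-commands of "request system" the first post wants blocked (constructed from the thread).
DENIED_PREFIXES = [
    "power-off", "halt", "zeroize", "configuration", "storage",
    "snapshot", "firmware", "autorecovery", "commit",
]

# Perl/PCRE-only constructs: word-boundary and class escapes, and "(?...)" groups.
# Assumption: Junos allow-/deny-commands use POSIX ERE, which has none of these.
NON_ERE = re.compile(r"\\[bBdDwWsS]|\(\?")


def lint_ere(pattern: str) -> list:
    """Return the non-ERE constructs found in pattern (empty list if it is clean)."""
    return NON_ERE.findall(pattern)


def build_deny_regex(prefixes) -> str:
    """Build an anchored deny-commands pattern using ERE syntax only.

    '( .*)?$' stands in for '\\b': it still matches sub-commands such as
    'request system storage cleanup', while 'request system reboot' stays
    outside the deny list so the help desk keeps its allow-commands entry.
    """
    alternation = "|".join(prefixes)
    return f"^request system ({alternation})( .*)?$|^start shell"


DENY_REGEX = build_deny_regex(DENIED_PREFIXES)


def is_denied(command: str, pattern: str = DENY_REGEX) -> bool:
    """True if the (whitespace-trimmed) CLI command matches the deny pattern."""
    return re.search(pattern, command.strip()) is not None


if __name__ == "__main__":
    posted = r"(^request system (power-off|snapshot|zeroize)\b|^start shell)"
    print("non-ERE constructs in posted regex:", lint_ere(posted))
    print("deny-commands candidate:", DENY_REGEX)
    for cmd in ["request system reboot", "request system storage cleanup", "start shell"]:
        print(f"{cmd!r:40} denied={is_denied(cmd)}")
```

The generated string is what would go in `set system login class read-reboot deny-commands "..."`; pair it with the allow-commands line already in the class and verify the result with a test login before rolling it out.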