Hello Junos community, I am a new Juniper user and I am trying to understand the command authorization syntax in junos. I am referring to this guide for help:
User Access and Authentication Administration Guide for Junos OS
I would like to do the following:
1) the user should not be able to issue delete (system|interfaces|system .*|interfaces ge.* unit .*)
2) the user should be allowed to do all configuration here: [ edit interfaces ge.* unit .* ]. Recurse down all levels.
3) the user should be allowed to do configuration at [ edit system ] but only these options: ([a-d]+)|(ntp)|(radius.*)|(tacplus.*)|(scri.*)|(process.*)|(proxy). Recurse down all levels.
4) the user should be allowed operational mode commands: (set cli)|(show .*)
5) the user should have the following permissions: [ configure system system-control interface interface-control ]
I have this configuration to achieve the above tasks:
class test-users {
    idle-timeout 1;
    permissions [ configure system system-control interface interface-control ];
    allow-commands "(^set cli .*)|(^show .*)";
    allow-configuration "(interfaces ge.* unit .* .+)|(system (([a-d]+)|(ntp)|(radius.*)|(tacplus.*)|(scri.*)|(process.*)|(proxy)) .+ .+ .+ .+ .+ .+ .+)";
    deny-configuration "(interfaces$)|(interfaces ge-[0-9]/[0-9]/[0-9]$)|(system$)|(system .*$)";
}
Update: This configuration is not allowing me to delete anything under [edit system], but it allows deleting under [edit interfaces ge.* unit .*].
I am loving every single minute spent on junos and maybe I am just overthinking the problem solution.
Please help me understand this better, I would be deeply grateful.
Thank you for your consideration,
Prashant Desai
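Added example, not part of the post above and not Juniper's code: a small Python harness that runs the post's allow-configuration and deny-configuration regexes over constructed statement paths, so the class can be checked offline before it is committed. It assumes the patterns are matched against the statement path without the set/delete verb, with Python's re.search (unanchored), and that a deny match takes precedence over an allow match; verify both against the Junos release in use.

```python
import re

# Regular expressions copied verbatim from the login class in the post.
ALLOW_CONFIGURATION = (
    r"(interfaces ge.* unit .* .+)"
    r"|(system (([a-d]+)|(ntp)|(radius.*)|(tacplus.*)|(scri.*)|(process.*)|(proxy))"
    r" .+ .+ .+ .+ .+ .+ .+)"
)
DENY_CONFIGURATION = (
    r"(interfaces$)"
    r"|(interfaces ge-[0-9]/[0-9]/[0-9]$)"
    r"|(system$)"
    r"|(system .*$)"
)


def classify(statement: str) -> str:
    """Return 'deny', 'allow' or 'no-match' for one statement path.

    Assumptions: deny-configuration wins when both match, and the regexes
    are applied unanchored (re.search) to the path without the verb.
    A 'no-match' result falls back to the class's permission flags.
    """
    if re.search(DENY_CONFIGURATION, statement):
        return "deny"
    if re.search(ALLOW_CONFIGURATION, statement):
        return "allow"
    return "no-match"


def audit(statements):
    """Map each statement path to its verdict."""
    return {s: classify(s) for s in statements}


# Constructed sample paths: the hierarchy a delete or set would target.
SAMPLES = [
    "interfaces",
    "interfaces ge-0/0/0",
    "interfaces ge-0/0/0 unit 0",          # below the deny pattern's reach
    "interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/24",
    "system",
    "system ntp server 10.0.0.2",          # caught by the broad 'system .*$'
    "system services ssh",
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLES).items():
        print(f"{verdict:9} {path}")
```

The output shows why both observations happen: "(system .*$)" in deny-configuration covers every statement under [edit system], while the interface deny pattern only reaches the interface itself, so paths below a unit match allow-configuration and are permitted.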