Juniper Op Script permissions

    Posted 05-12-2023 12:50

    Scenario: I want to allow a team of non-networking people to SSH into our SRX and lock it down to where they can only run op scripts. I started with no permissions, "deny-configuration .*", and "deny-commands .*" to completely lock down the login class and built up the permissions, "allow-configuration", and "allow-commands" from there.

    As it is now, I'm in a good spot with "permissions" and "allow-configuration". When I set "allow-commands" to ".*" the script will successfully run. My issue is that I'm not sure which commands to add under "allow-commands". When I add the commands the script would be running, as if the user were manually doing the configuration ("configure exclusive" and a specific "deactivate ... ... ..." command), I get "error: permission denied: lock-configuration" when running the op script, but the user can run the manual commands themselves with no issue. This leads me to the conclusion that I'm missing a specific "allow-commands" statement, but I'm not sure what. I'm fairly positive this has something to do with the execution of the script involving XML (I'm specifically using SLAX).

    In my research I've tried allowing the command "junoscript interactive", but I still get the "error: permission denied: lock-configuration" error.

    I'll update this if I find the answer.