Scenario: I want to allow a team of non-networking people to ssh into our SRX and lock it down to where they can only run op scripts. I started with no permissions, "deny-configuration .*", and "deny-commands .*" to completely lock down the login class and built up the permissions, "allow-configuration", and "allow-commands" from there.
As it is now, I'm in a good spot with "permissions" and "allow-configuration". When I set "allow-commands" to ".*" the script will successfully run. My issue is that I'm not sure which commands to add under "allow-commands". When I add the commands the script would be running as if the user was manually doing the configuration ("configure exclusive" and a specific "deactivate ... ... ..." command), I get "error: permission denied: lock-configuration" when running the op script, but the user can run the manual commands themselves with no issue. This leads me to the conclusion that I'm missing a specific "allow-commands" statement, but I'm not sure what. I'm fairly positive this has something to do with the execution of the script involving XML (I'm specifically using SLAX).
In my research I've tried allowing the command "junoscript interactive", but I still get the "error: permission denied: lock-configuration" error.
I'll update this if I find the answer.
------------------------------
PHILIP SILK
------------------------------