Juniper User Permission for access privileges


When you create a user account in Junos OS, you must assign the user a login class. Every operational-mode command and configuration statement carries a permission level, and a user can execute, configure or view only what the permissions of their class allow. Junos OS ships with four predefined login classes, each with its own set of authorized functions:

user@Router# set system login user geek class ?
Possible completions:
                Login class
  operator             permissions [ clear network reset trace view ]
  read-only            permissions [ view ]
  super-user           permissions [ all ]
  unauthorized         permissions [ none ]

1. operator: An operator is allowed to work in operational mode to check the status of the device and the routing protocols, clear statistics, and perform reset operations, including restarting routing processes and rebooting the device.
2. read-only: A user with read-only privilege can only monitor the status of the device and routing protocols.
3. super-user: A super-user can perform any and all operations on the device.
4. unauthorized: unauthorized is a class with no privileges at all on the device.

You can also define your own login classes. A custom login class groups users who share a customized level of access to commands and configuration statements, so that each group can use only the commands appropriate to its function and cannot run sensitive commands that could damage the network. The rest of this post shows how to configure such classes.

Below are three custom classes with three different access and view levels.

The “Support” class can view all interface and routing information through the interface, routing and view permissions. The allow-commands statement additionally grants traceroute, ping and telnet, which would otherwise require the network permission (compare the operator class above). The deny-commands statement blocks every command matching “show bgp”, including sub-commands such as show bgp summary, even though the routing permission would normally allow them.

user@Geek# set system login class Support permissions interface
user@Geek# set system login class Support permissions routing
user@Geek# set system login class Support permissions view
user@Geek# set system login class Support allow-commands "(traceroute)|(ping)|(telnet)"
user@Geek# set system login class Support deny-commands "show bgp"

user@Geek# show
system {
    login {
        class Support {
            permissions [ interface routing view ];
            allow-commands "(traceroute)|(ping)|(telnet)";
            deny-commands "show bgp";
        }
    }
}

The “Monitoring” class can view all interface and routing information, but the configuration stanzas for interface lo0 and for unit 210 of ge-1/1/4 are hidden from it (for example in show configuration output), because those two interfaces are sensitive and should not be visible to the monitoring team. Note that deny-configuration-regexps only hides configuration hierarchies; it does not filter operational output such as show interfaces lo0, which needs a deny-commands entry if it must be blocked as well. As in the Support class, traceroute and ping are granted explicitly.

user@Geek# set system login class Monitoring permissions interface
user@Geek# set system login class Monitoring permissions routing
user@Geek# set system login class Monitoring permissions view
user@Geek# set system login class Monitoring allow-commands "(traceroute)|(ping)"
user@Geek# set system login class Monitoring deny-configuration-regexps "interfaces lo0"
user@Geek# set system login class Monitoring deny-configuration-regexps "interfaces ge-1/1/4 unit 210"

user@Geek# show
system {
    login {
        class Monitoring {
            permissions [ interface routing view ];
            allow-commands "(traceroute)|(ping)";
            deny-configuration-regexps [ "interfaces lo0" "interfaces ge-1/1/4 unit 210" ];
        }
    }
}

The “New_NOC” class has an idle timeout of 5 minutes: a user who does nothing for 5 minutes is logged out automatically. Users in this class can view interface and routing information and, through allow-commands, may also reboot the device (a disruptive command, so grant it deliberately). Be careful with the regex: the $ sign is an end-of-string anchor, so “show route$” matches only the bare show route command and not show route protocol bgp or any other sub-command. To allow the whole show route family, use “show route” without the anchor.

user@Geek# set system login class New_NOC idle-timeout 5
user@Geek# set system login class New_NOC permissions interface
user@Geek# set system login class New_NOC permissions routing
user@Geek# set system login class New_NOC permissions view
user@Geek# set system login class New_NOC allow-commands "(request system reboot)|(show route$)"

user@Geek# show
system {
    login {
        class New_NOC {
            idle-timeout 5;
            permissions [ interface routing view ];
            allow-commands "(request system reboot)|(show route$)";
        }
    }
}
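Before committing a class like the three above, it is worth checking what its allow-commands and deny-commands regexes actually catch. The script below is an added example for this post, not Juniper code. It approximates Junos matching by searching each pattern against the typed command with Python's re.search (assumption: the patterns used here contain only alternation and anchors, which behave the same in POSIX ERE and Python re), transcribes the three classes above as constructed input, and adds a hypothetical corrected New_NOC pattern without the $ anchor. The lint findings (missing idle-timeout, permissions all, disruptive request system commands, end-anchored alternatives) are review heuristics of this example, not Junos behaviour.

```python
"""Audit Junos login-class regexes before committing them (added example)."""
import re

# Constructed input: the article's three classes, transcribed as dicts.
CLASSES = {
    "Support": {
        "permissions": ["interface", "routing", "view"],
        "allow-commands": "(traceroute)|(ping)|(telnet)",
        "deny-commands": "show bgp",
    },
    "Monitoring": {
        "permissions": ["interface", "routing", "view"],
        "allow-commands": "(traceroute)|(ping)",
        "deny-configuration-regexps": ["interfaces lo0", "interfaces ge-1/1/4 unit 210"],
    },
    "New_NOC": {
        "idle-timeout": 5,
        "permissions": ["interface", "routing", "view"],
        "allow-commands": "(request system reboot)|(show route$)",
    },
}

# Hypothetical corrected New_NOC: dropping the '$' lets the second
# alternative match every command that begins with "show route".
NEW_NOC_FIXED = dict(CLASSES["New_NOC"],
                     **{"allow-commands": "(request system reboot)|(show route)"})


def regex_hits(pattern, command):
    """True if the Junos-style regex matches anywhere in the typed command
    (assumption: re.search approximates the Junos matcher for these patterns)."""
    return bool(pattern) and re.search(pattern, command) is not None


def classify(cls, command):
    """Report which regex of a class catches a command.

    Returns 'allow', 'deny', 'both' (a conflict to resolve explicitly; Junos
    precedence rules are deliberately not modelled) or 'permissions', meaning
    neither regex matched and the permission flags alone decide the outcome.
    """
    allowed = regex_hits(cls.get("allow-commands", ""), command)
    denied = regex_hits(cls.get("deny-commands", ""), command)
    if allowed and denied:
        return "both"
    if allowed:
        return "allow"
    if denied:
        return "deny"
    return "permissions"


def lint_class(name, cls):
    """Return review findings (this example's heuristics) for one class."""
    findings = []
    if "idle-timeout" not in cls:
        findings.append(f"{name}: no idle-timeout, sessions never expire on their own")
    if "all" in cls.get("permissions", []):
        findings.append(f"{name}: permissions all is equivalent to super-user")
    allow = cls.get("allow-commands", "")
    if re.search(r"request system (reboot|halt|power-off)", allow):
        findings.append(f"{name}: allow-commands grants a disruptive request system command")
    # Naive split on top-level '|', enough for the simple alternations above.
    # A trailing '$' anchors the alternative to the end of the command, so
    # "show route$" matches the bare command only, never "show route protocol bgp".
    for alt in allow.split("|"):
        if alt.strip("() ").endswith("$"):
            findings.append(f"{name}: {alt.strip()} is end-anchored and matches only the exact command")
    return findings


def audit(classes=CLASSES):
    """Run lint_class over every class; returns {class name: [findings]}."""
    return {name: lint_class(name, cls) for name, cls in classes.items()}


if __name__ == "__main__":
    probes = ["show route", "show route protocol bgp", "show bgp summary",
              "ping 192.0.2.1", "request system reboot"]
    for name, cls in CLASSES.items():
        for cmd in probes:
            print(f"{name:11} {cmd:26} -> {classify(cls, cmd)}")
    for name, found in audit().items():
        for finding in found:
            print("FINDING", finding)
    print("fixed New_NOC, 'show route protocol bgp' ->",
          classify(NEW_NOC_FIXED, "show route protocol bgp"))
```

Running it shows the point from the text: with the original New_NOC pattern, show route protocol bgp falls back to the permission flags, while the corrected pattern matches it through allow-commands. Remember that a 'permissions' result only means the regexes did not decide; whether the routing flag then permits the command is a Junos decision the script does not emulate.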

To put a class into effect, assign it to a user with set system login user <username> class <class-name> (as in the first snippet above) and commit; that user then has exactly the permissions of the class.
