JUNOS Cookbook by Aviva Garrett


2.10. Customizing Account Privileges

Problem

You want to create a custom privilege class to define the operations and actions a user can perform while logged in to the router.

Solution

Create a privilege class that allows users to read but not modify the configuration and then let them perform all operational mode commands:

	[edit system login]
	aviva@router1# set class operator-plus-read-config permissions [ admin clear configure floppy interface network reset routing shell snmp system trace view maintenance firewall rollback security ]

Discussion

When you set up login accounts on the router (see Recipe 2.5), each account must have a privilege level, or class, which defines the operations and actions the user can and cannot perform on the router. Each privilege level consists of a collection of permission bits that specifies what a user is allowed to do. Table 2-1 lists all the permission bits.

Table 2-1. Login class permissions

| Permission | Bit name |
|---|---|
| All (superuser) | all (can perform all actions) |
| Delete data from system log, tracing, and other files | clear (using the clear commands) |
| All control-level operations (bits ending in -control) | control (can view and change all portions of the configuration) |
| Configure the router | configure (using the configure and commit commands) |
| Access removable media | floppy |
| Halt and reboot the router; start a shell and become superuser | maintenance (using the request system commands, and using the CLI start shell command and the su root ... |
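One way to check that a login class matches its stated intent, using only what Table 2-1 says about each bit. This is an added example, not code from the book: the `noc-edit` class and the sample lines are constructed, and the one-bit-per-line input form is an assumption about how the configuration was exported.

```python
import re
from collections import defaultdict

# Constructed sample input: the recipe's class plus a hypothetical second class.
SAMPLE = """\
set system login class operator-plus-read-config permissions [ admin clear configure floppy interface network reset routing shell snmp system trace view maintenance firewall rollback security ]
set system login class noc-edit permissions view
set system login class noc-edit permissions configure
set system login class noc-edit permissions interface-control
"""

LINE = re.compile(r"^\s*set\s+system\s+login\s+class\s+(\S+)\s+permissions\s+(.+?)\s*$")

def parse_classes(text):
    """Map each login class name to the set of permission bits it grants."""
    classes = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a login-class permissions statement
        name, value = m.groups()
        # Accept "[ a b c ]" as typed in the recipe, or a single bit per line.
        classes[name].update(value.strip("[] ").split())
    return dict(classes)

def audit(bits):
    """Classify a class using only what Table 2-1 states about the bits."""
    return {
        # all, control, and bits ending in -control can change the configuration.
        "config_write": sorted(b for b in bits
                               if b in ("all", "control") or b.endswith("-control")),
        # maintenance covers 'start shell' and 'su root'; all is superuser.
        "root_shell": sorted(b for b in bits if b in ("all", "maintenance")),
    }

def report(text):
    """Return {class name: audit findings} for every class found in text."""
    return {name: audit(bits) for name, bits in parse_classes(text).items()}

if __name__ == "__main__":
    for name, finding in report(SAMPLE).items():
        print(name, finding)
```

For the recipe's class, `config_write` is empty, which matches the read-only intent, while `root_shell` lists `maintenance`, the bit Table 2-1 associates with starting a shell and becoming superuser.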
