
[Archive] [SRX] Configuration Example - Creating a user with restricted permissions


Article ID: KB23038 KB Last Updated: 24 Feb 2020 Version: 7.0
Summary:
This article provides information on how to make use of login classes to create a user with restricted permissions.
Symptoms:
  • Username: test

  • A custom login class test_class to restrict permissions.

  • Apply the login class to the test user, so that it only has show permissions.
Solution:
For more information on login classes, refer to the following link:

https://www.juniper.net/documentation/en_US/junos12.3x48/information-products/pathway-pages/security/security-swconfig-initial-device-config.html

You can use the view-configuration permission category as the base set of permissions for the custom login class, and then deny the individual commands that are not required by using regular expressions. For more information on allowing and denying individual commands, refer to the following link:

https://www.juniper.net/techpubs/en_US/junos12.3x48/topics/task/configuration/access-privileges-levels.html


Example Configuration:
set system login class test_class permissions view-configuration   <----- User permission set "view configuration"
set system login class test_class allow-commands show   <----- allow only show commands
set system login class test_class deny-commands "(clear)|(file)|(file show)|(help)|(load)|(monitor)|(op)|(request)|(save)|(set)|(start)|(test)" <----- deny all other individual permissions
set system login class test_class allow-configuration show   <---- allow only show configuration commands
set system login class test_class deny-configuration all <----- deny all other available configuration comm
set system login user test uid 2007
set system login user test class test_class
set system login user test authentication encrypted-password "$ABC123"

Verification:

Log in with the username test, and type ? at the CLI prompt; the following options are displayed:
test@srx> ?
Possible completions:
quit Exit the management session
set Set CLI properties, date/time, craft interface message
show Show system information

Even though you can see the set command, there will not be any sub-commands under it.
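
To review which accounts on a device are restricted in this way, the following Python script (an added example, not part of the original article and not Juniper code) parses "set system login" statements and lists users whose class is not scoped like test_class. The admin user in the sample, the reason codes and the "no deny-commands" heuristic are assumptions of this example.

```python
import shlex
from collections import defaultdict

# Constructed sample: the article's statements without annotations, plus one
# constructed user ("admin") in the predefined super-user class for contrast.
SAMPLE = """\
set system login class test_class permissions view-configuration
set system login class test_class allow-commands show
set system login class test_class deny-commands "(clear)|(file)|(file show)|(help)|(load)|(monitor)|(op)|(request)|(save)|(set)|(start)|(test)"
set system login class test_class allow-configuration show
set system login class test_class deny-configuration all
set system login user test uid 2007
set system login user test class test_class
set system login user admin class super-user
"""

def parse_login(config_text):
    """Return (classes, users) parsed from 'set system login ...' lines."""
    classes = defaultdict(lambda: defaultdict(list))
    users = {}
    for line in config_text.splitlines():
        line = line.split("<--")[0]  # drop article-style "<-----" annotations
        tokens = [t for t in shlex.split(line) if t not in ("[", "]")]
        if len(tokens) < 7 or tokens[:3] != ["set", "system", "login"]:
            continue
        kind, name, key, values = tokens[3], tokens[4], tokens[5], tokens[6:]
        if kind == "class":
            classes[name][key].extend(values)   # e.g. permissions, deny-commands
        elif kind == "user" and key == "class":
            users[name] = values[0]             # user -> login class mapping
    return classes, users

def audit(config_text):
    """List (user, class, reason) for logins that are not tightly scoped."""
    classes, users = parse_login(config_text)
    findings = []
    for user, cls in sorted(users.items()):
        if cls not in classes:       # predefined class, or class missing here
            findings.append((user, cls, "class-not-defined-here"))
        elif "all" in classes[cls]["permissions"]:
            findings.append((user, cls, "permissions-all"))
        elif not classes[cls]["deny-commands"]:  # heuristic of this example
            findings.append((user, cls, "no-deny-commands"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```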
 
