0% found this document useful (0 votes)

218 views

Junos OS User Access Privileges - TechLibrary - Juniper Networks

The document discusses user access privileges in Junos OS. It allows granting access to commands and configuration statements based on permission flags assigned to login classes. The permission flags determine which operational mode commands and configuration hierarchies a user can access. It provides details on the different permission flags and their associated commands and configuration statements.

Uploaded by

saudi

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

218 views

Junos OS User Access Privileges - TechLibrary - Juniper Networks

Uploaded by

saudi

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 68

6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

TechLibrary
Search Documenta on
 

Home  TechLibrary  Junos OS  User Access and Authentication Feature Guide 

Junos OS User Access Privileges

 13-Mar-19

Junos OS allows you to grant the access or permissions to the commands and configura on
hierarchy levels and statements. This enables users to execute only those commands and
configure and view only those statements for which they have access privileges. You can use
extended regular expressions to specify which opera onal mode commands, configura on
statements, and hierarchies are denied or allowed for users. This prevents unauthorized users from
execu ng or configuring sensi ve commands and statements that could poten ally cause damage
to the network. Read this topic for more informa on.

Understanding Junos OS Access Privilege Levels

Each top-level CLI command and each configura on statement have an access privilege level
associated with them. Users can execute only those commands and configure and view only those
statements for which they have access privileges. The access privileges for each login class are
defined by one or more permission flags.

For each login class, you can explicitly deny or allow the use of opera onal and conﬁgura on
mode commands that would otherwise be permi ed or not allowed by a privilege level speciﬁed in
the permissions statement.

The following sec ons provide addi onal informa on about permissions:

Junos OS Login Class Permission Flags

Allowing or Denying Individual Commands for Junos OS Login Classes

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with-… 1/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Junos OS Login Class Permission Flags

NOTE Each command listed represents that command and all subcommands with
that command as a prefix. Each configura on statement listed represents the top of the
configura on hierarchy to which that flag grants access.

The permissions statement specifies one or more of the permission flags listed in Table 1.
Permission flags are not cumula ve, so for each class you must list all the permission flags needed,
including view to display informa on and configure to enter configura on mode. Two forms of
permissions control for individual parts of the configura on are:

"Plain” form—Provides read-only capability for that permission type. An example is

interface.

Form that ends in -control—Provides read and write capability for that permission type. An
example is interface-control.

For permission flags that grant access to configura on hierarchy levels and statements, the flags
grant read-only privilege to that configura on. For example, the interface permissions flag
grants read-only access to the [edit interfaces] hierarchy level. The -control form of the
flag grants read-write access to that configura on. Using the preceding example, interface-
control grants read-write access to the [edit interfaces] hierarchy level.

Table 1 lists the Junos OS login class permission ﬂags that you can conﬁgure by including the
permissions statement at the [edit system login class class-name] hierarchy level.

The permission flags grant a specific set of access privileges. Each permission flag is listed with the
opera onal mode commands and configura on hierarchy levels and statements for which that flag
grants access.

Table 1: Login Class Permission Flags

Permission
Flag Descrip on

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with-… 2/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Permission
Flag Descrip on

access Can view the access conﬁgura on in conﬁgura on mode and with the show
configuration opera onal mode command.

access- Can view and conﬁgure access informa on at the [edit access] hierarchy level.
control

admin Can view user account informa on in conﬁgura on mode and with the show
configuration opera onal mode command.

admin- Can view user account informa on and conﬁgure it at the [edit system]
control hierarchy level.

all-control Can view user accounts and conﬁgure them at the [edit system login]
hierarchy level.

all Can access all opera onal mode commands and configura on mode commands. Can
modify configura on in all the configura on hierarchy levels.

clear Can clear (delete) informa on learned from the network that is stored in various
network databases by using the clear commands.

conﬁgure Can enter conﬁgura on mode by using the configure command.

control Can perform all control-level opera ons—all opera ons conﬁgured with the -
control permission ﬂags.

ﬁeld Can view ﬁeld debug commands. Reserved for debugging support.

firewall Can view the firewall filter configura on in configura on mode.

firewall- Can view and configure firewall filter informa on at the [edit firewall]
control hierarchy level.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with-… 3/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Permission
Flag Descrip on

ﬂoppy Can read from and write to the removable media.

flow-tap Can view the flow-tap configura on in configura on mode.

flow-tap- Can view the flow-tap configura on in configura on mode and can configure flow-
control tap configura on informa on at the [edit services flow-tap] hierarchy level.

ﬂow-tap- Can make ﬂow-tap requests to the router or switch. For example, a Dynamic Tasking
opera on Control Protocol (DTCP) client must have flow-tap-operation permission to
authen cate itself to the Junos OS as an administra ve user.

Note: The flow-tap-operation op on is not included in the all-control

permissions ﬂag.

idp-proﬁler- Can view proﬁler data.

opera on

interface Can view the interface conﬁgura on in conﬁgura on mode and with the show
configuration opera onal mode command.

interface- Can view chassis, class of service (CoS), groups, forwarding op ons, and interfaces
control conﬁgura on informa on. Can edit conﬁgura on at the following hierarchy levels:

[edit chassis]

[edit class-of-service]

[edit groups]

[edit forwarding-options]

[edit interfaces]

maintenance Can perform system maintenance, including star ng a local shell on the router or
switch and becoming the superuser in the shell by using the su root command, and
can halt and reboot the router or switch by using the request system commands.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with-… 4/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Permission
Flag Descrip on

network Can access the network by using the ping, ssh, telnet, and traceroute
commands.

pgcp- Can view the pgcp session mirroring conﬁgura on.

session-
mirroring

pgcp- Can modify the pgcp session mirroring conﬁgura on.

session-
mirroring-
control

reset Can restart so ware processes by using the restart command and can conﬁgure
whether so ware processes are enabled or disabled at the [edit system
processes] hierarchy level.

rollback Can use the rollback command to return to a previously commi ed conﬁgura on
other than the most recently commi ed one.

rou ng Can view general rou ng, rou ng protocol, and rou ng policy conﬁgura on
informa on in conﬁgura on and opera onal modes.

rou ng- Can view general rou ng, rou ng protocol, and rou ng policy conﬁgura on
control informa on and can conﬁgure general rou ng at the [edit routing-options]
hierarchy level, rou ng protocols at the [edit protocols] hierarchy level, and
rou ng policy at the [edit policy-options] hierarchy level.

secret Can view passwords and other authen ca on keys in the conﬁgura on.

secret- Can view passwords and other authen ca on keys in the conﬁgura on and can
control modify them in conﬁgura on mode.

security Can view security conﬁgura on in conﬁgura on mode and with the show
configuration opera onal mode command.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with-… 5/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Permission
Flag Descrip on

security- Can view and conﬁgure security informa on at the [edit security] hierarchy
control level.

shell Can start a local shell on the router or switch by using the start shell command.

snmp Can view Simple Network Management Protocol (SNMP) conﬁgura on informa on in
conﬁgura on and opera onal modes.

snmp-control Can view SNMP conﬁgura on informa on and can modify SNMP conﬁgura on at
the [edit snmp] hierarchy level.

system Can view system-level informa on in conﬁgura on and opera onal modes.

system- Can view system-level conﬁgura on informa on and conﬁgure it at the [edit
control system] hierarchy level.

trace Can view trace file se ngs and configure trace file proper es.

trace-control Can modify trace file se ngs and configure trace file proper es.

view Can use various commands to display current system-wide, rou ng table, and
protocol-speciﬁc values and sta s cs. Cannot view the secret conﬁgura on.

view- Can view all of the configura on excluding secrets, system scripts, and event op ons.
configura on
Note: Only users with the maintenance permission can view commit script, op
script, or event script configura on.

Allowing or Denying Individual Commands for Junos OS Login Classes

By default, all top-level CLI commands have associated access privilege levels. Users can execute
only those commands and view only those statements for which they have access privileges. For
each login class, you can explicitly deny or allow the use of opera onal and conﬁgura on mode

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with-… 6/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

commands that would otherwise be permi ed or not allowed by a privilege level speciﬁed in the
permissions statement.

Permission flags are used to grant a user access to opera onal mode commands and configura on
hierarchy levels and statements. By specifying a specific permission flag on the user's login class at
the [edit system login class] hierarchy level, you grant the user access to the
corresponding commands and configura on hierarchy levels and statements. To grant access to all
commands and configura on statements, use the all permissions flag. For permission flags that
grant access to configura on hierarchy levels and statements, the flags grant read-only privilege to
that configura on. For example, the interface permissions flag grants read-only access to the
[edit interfaces] hierarchy level. The -control form of the flag grants read-write access
to that configura on. Using the preceding example, interface-control grants read-write
access to the [edit interfaces] hierarchy level.

The all login class permission bits take precedence over extended regular expressions when a
user issues rollback command with rollback permission ﬂag enabled.

Expressions used to allow and deny commands for users on RADIUS and TACACS+ servers
have been simpliﬁed. Instead of a single, long expression with mul ple commands (allow-
commands=cmd1 cmd2 ... cmdn), you can specify each command as a separate
expression. This new syntax is valid for allow-configuration, deny-configuration,
allow-commands, deny-commands, and all user permission bits.

Users cannot issue the load override command when specifying an extended regular
expression. Users can only issue the merge, replace, and patch conﬁgura on commands.

If you allow and deny the same commands, the allow-commands permissions take
precedence over the permissions speciﬁed by the deny-commands. For example, if you
include allow-commands "request system software add" and deny-commands
"request system software add", the login class user is allowed to install so ware using
the request system software add command.

Regular expressions for allow-commands and deny-commands can also include the
commit, load, rollback, save, status, and update commands.

If you specify a regular expression for allow-commands and deny-commands with two
diﬀerent variants of a command, the longest match is always executed.
For example, if you specify a regular expression for allow-commands with the commit-
synchronize command and a regular expression for deny-commands with the commit
command, users assigned to such a login class would be able to issue the commit
synchronize command, but not the commit command. This is because commit-

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with-… 7/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

synchronize is the longest match between commit and commit-synchronize and it is

speciﬁed for allow-commands.
Likewise, if you specify a regular expression for allow-commands with the commit
command and a regular expression for deny-commands with the commit-synchronize
command, users assigned to such a login class would be able to issue the commit command,
but not the commit-synchronize command. This is because commit-synchronize is the
longest match between commit and commit-synchronize and it is speciﬁed for deny-
commands.

Example: Conﬁguring User Permissions with Access Privilege

Levels
This example shows how to view permissions for a user account and configure the user
permissions with access privileges for a login class. This enables users to execute only those
commands and configure and view only those statements for which they have access privileges.
This prevents unauthorized users from execu ng or configuring sensi ve commands and
statements that could poten ally cause damage to the network.

Requirements

Overview

Conﬁgura on

Veriﬁca on

Requirements
This example uses the following hardware and so ware components:

One Juniper Networks device

One TACACS+ (or RADIUS) server

Junos OS build running on the Juniper Networks device

Before you begin:

Establish connec on between the device and the TACACS+ server.

For informa on on conﬁguring a TACACS+ server, see Conﬁguring TACACS+ Authen ca on.

Conﬁgure at least one user assigned to a login class on the Juniper Networks device. There
can be more than one login class, each with varying permission conﬁgura ons, and more than
one user on the device.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with-… 8/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Overview
Each top-level command-line interface (CLI) command and each configura on statement in Junos
OS has an access privilege level associated with it. For each login class, you can explicitly deny or
allow the use of opera onal and configura on mode commands that would otherwise be
permi ed or not allowed by a privilege level. Users can execute only those commands and
configure and view only those statements for which they have access privileges. To configure
access privilege levels, include the permissions statement at the [edit system login
class class-name] hierarchy level.

The access privileges for each login class are defined by one or more permission flags specified in
the permissions statement. Permission flags are used to grant a user access to opera onal
mode commands, statements, and configura on hierarchies. Permission flags are not cumula ve,
so for each login class you must list all the permission flags needed, including view to display
informa on and configure to enter configura on mode. By specifying a specific permission flag
on the user's login class, you grant the user access to the corresponding commands, statements,
and configura on hierarchies. To grant access to all commands and configura on statements, use
the all permissions flag. The permission flags provide read-only (“plain” form) and read and write
(form that ends in -control) capability for a permission type.

NOTE The all login class permission bits take precedence over extended regular
expressions when a user issues a rollback command with the rollback permission ﬂag
enabled.

To conﬁgure user access privilege levels:

1. View permissions for a user account.

You can view the permissions for a user account before conﬁguring the access privileges for
those permissions.

To view the user permissions, enter ? at the [edit] hierarchy level:

 

[edit]
?

2. Conﬁgure user permissions with access privileges.

All users who can log in to a device must be in a login class. For each login class, you can
conﬁgure the access privileges that the associated users can have when they are logged in to
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with-… 9/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

the device.

To conﬁgure access privilege levels for user permissions, include the permissions statement
at the [edit system login class class-name] hierarchy level, followed by the user
permission, the permissions op on, and the required permission ﬂags.

 

[edit system login]

user@host# set class class-name permissions user-permission permissions [perm

Configura on
Configuring User Permissions with Access Privilege Levels
Step-by-Step Procedure
To configure access privileges:

1. From the device, view the list of permissions available for the user account. In this example,
the username of the user account is host.

 

[edit]
user@host> ?
Possible completions:
clear Clear information in the system
configure Manipulate software configuration information
file Perform file operations
help Provide help information
load Load information from file
monitor Show real-time debugging information
mtrace Trace multicast path from source to receiver
op Invoke an operation script
ping Ping remote target
quit Exit the management session
request Make system-level requests
restart Restart software process
save Save information to file
set Set CLI properties, date/time, craft interface message
show Show system information

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 10/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

ssh Start secure shell on another host

start Start shell
telnet Telnet to another host
test Perform diagnostic debugging
traceroute Trace route to remote host

The output lists the permissions for the user host. Customized login classes can be created by
conﬁguring diﬀerent access privileges on these user permissions.

2. Configure an access privilege class to enable user host to configure and view SNMP
parameters only. In this example, this login class is called network-management. To customize
the network-management login class, include the SNMP permission flags to the configure
user permission.

 

[edit system login class network-management]

user@host# set permissions configure permissions snmp
user@host# set permissions configure permissions snmp-control

Here, the configured permission flags provide both read (snmp) and read-and-write (snmp-
control) capability for SNMP, and this is the only allowed access privilege for the network-
management login class. In other words, all other access privileges other than configuring and
viewing SNMP parameters are denied.

Results
From configura on mode, confirm your configura on by entering the show system login
command. If the output does not display the intended configura on, repeat the instruc ons in this
example to correct the configura on.

 

user@host# show system login

class network-management {
permissions [ configure snmp snmp-control ];
}

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 11/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Verifica on
Log in as the username assigned with the new login class, and confirm that the configura on is
working properly.

Verifying SNMP Conﬁgura on

Verifying non-SNMP Conﬁgura on

Verifying SNMP Conﬁgura on

Purpose
Verify that SNMP conﬁgura on can be executed.

Ac on

From conﬁgura on mode, execute basic SNMP commands at the [edit snmp] hierarchy level.

 

[edit snmp]
user@host# set name device1
user@host# set description switch1
user@host# set location Lab1
user@host# set contact example.com
user@host# commit

Meaning
The user host assigned to the network-management login class is able to configure SNMP
parameters, as the permission flags specified for this class include both snmp (read capabili es)
and snmp-control (read and write capabili es) permission bits.

Verifying non-SNMP Conﬁgura on

Purpose
Verify that non-SNMP conﬁgura on is denied for the network-management login class.

Ac on
From the configura on mode, execute any non-SNMP configura on, for example, interfaces
configura on.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 12/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

 

[edit]
user@host# edit interfaces
Syntax error, expecting <statement> or <identifier>.

Regular Expressions for Allowing and Denying Junos OS

Opera onal Mode Commands, Conﬁgura on Statements, and
Hierarchies
This topic contains the following sec ons:

Understanding Regular Expressions

Specifying Regular Expressions

Regular Expressions Operators

Regular Expression Examples

Understanding Regular Expressions

You can use extended regular expressions to specify which opera onal mode commands,
configura on statements, and hierarchies are denied or allowed. You specify these regular
expressions locally in the allow/deny-commands, allow/deny-configuration, and
allow/deny-commands-regexps and allow/deny-configuration-regexp statements
at the [edit system login class class-name] hierarchy level, or remotely by specifying
Juniper Networks vendor-specific TACACS+ or RADIUS a ributes in your authoriza on server’s
configura on.

NOTE Star ng in Junos OS Release 18.1, the allow-commands-regexps and

deny-commands-regexps statements are supported for TACACS+ authoriza on.

The difference between a local and remote authoriza on configura on is the pa ern in which the
regular expressions statements are executed. While it is possible to specify mul ple regular
expressions using strings in the local authoriza on configura on, in a remote configura on, the
regular expressions statements need to be split and specified in individual strings. When the
authoriza on parameters are configured both remotely and locally, the regular expressions
received during TACACS+ or RADIUS authoriza on get merged with any regular expressions
available on the local device.
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 13/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

When specifying mul ple regular expressions in a local conﬁgura on using the allow-
configuration, deny-configuration, allow-commands, or deny-commands statements,
regular expressions are conﬁgured within parentheses and separated using the pipe symbol. The
complete expression is enclosed in double quotes. For example, you can specify mul ple allow-
commands parameters with the following syntax:

allow-commands "(cmd1)|(cmd2)|(cmdn)"

The same expression conﬁgured remotely on the authoriza on server uses the following syntax:

 

allow-commands1 = "cmd1"
allow-commands2 = "cmd2"
allow-commandsn = "cmdn"

When specifying mul ple regular expressions in a local conﬁgura on using the allow-
configuration-regexps, deny-configuration-regexps, allow-commands-regexps,
or deny-commands-regexps statements, regular expressions are conﬁgured within double
quotes and separated using the space operator. The complete expression is enclosed in square
brackets. For example, you can specify mul ple allow-commands parameters with the following
syntax:

 

allow-commands-regexps [ "cmd1" "cmd2" "cmdn" ]

The same expression conﬁgured remotely on the authoriza on server uses the following syntax:

 

allow-commands-regexps1 = "cmd1"
allow-commands-regexps2 = "cmd2"
allow-commands-regexpsn = "cmdn"

Table 2 diﬀeren ates the local and remote authoriza on conﬁgura on using regular expressions.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 14/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Table 2: Sample Local and Remote Authoriza on Conﬁgura on Using Regular Expressions 

Local Conﬁgura on

login {
class local {
permissions configure;
allow-commands "(ping .*)|(traceroute .*)|(show .*)|(configure .*)|(edit)|(exit)|(commit)|(rollback .*)";
deny-commands .*;
allow-configura on "(interfaces .* unit 0 family ethernet-switching vlan mem.* .*)|(interfaces .* na
deny-configura on .*;
}
}

NOTE
You need to explicitly allow access to the NETCONF mode, either locally or remotely,
by issuing the following three commands: xml-mode, netconf, and need-trailer.

When the deny-configuration = “.*” statement is used, all the other desired
conﬁgura ons should be allowed using the allow-configuration statement. This
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 15/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

can affect the allowed regular expressions buffer limit for the allow-
configuration statement. When this limit exceeds, the allowed configura on
might not work. This regular expression buffer size limit has been increased in Junos
OS Release 14.1x53-D40, 15.1, and 16.1.

Specifying Regular Expressions

WARNING When you specify regular expression for commands and conﬁgura on
statements, pay close a en on to the following examples, as regular expression with
invalid syntax might not produce the desired results, even if the conﬁgura on is
commi ed without any error.

Regular expressions for commands and configura on statements should be specified in the same
manner as execu ng the complete command or statement. Table 3 lists the regular expressions for
configuring access privileges for the [edit interfaces] and [edit vlans] statement
hierarchies, and for the delete interfaces command.


Table 3: Specifying Regular Expressions

Statement Regular Expression

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 16/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Statement Regular Expression

[edit interfaces] The set interfaces statement

itself, and requires the unit op o
The set command for interfaces is executed as follows:
statement.
[edit]
As a result, the regular expression
user@host# set interfaces interface-name unit interface-unit-number
the set interfaces conﬁgura
en re executable string with the .
of statement variables:

[edit system login class class-nam

user@host# set permissions conﬁg
user@host# set deny-conﬁgura o

delete interfaces The delete interfaces statem

executed by itself and does not re
The delete command for interfaces is executed as follows:
statements to be complete.
[edit] As a result, the regular expression
user@host# delete interfaces interface-name the delete interfaces statem
the following:

[edit system login class class-nam

user@host# set permissions config
user@host# set allow-configura o
user@host# set deny-configura o

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 17/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Statement Regular Expression

[edit vlans] Here, the set vlans statement

itself, and requires the vlan-id o
The set command for VLANs is executed as follows:
statement.
[edit]
As a result, the regular expression
user@host# set vlans vlan-name vlan-id vlan-id
the set vlans conﬁgura on mu
executable string with the .* ope
statement variables:

[edit system login class class-nam

user@host# set permissions conﬁg
user@host# set allow-conﬁgura o

Regular Expressions Operators

Table 4 lists common regular expression operators that you can use for allowing or denying
opera onal and conﬁgura on modes.

Command regular expressions implement the extended (modern) regular expressions, as deﬁned in
POSIX 1003.2.


Table 4: Common Regular Expression Operators

Operator Match Example

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 18/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Operator Match Example

| One of two
or more [edit system login class test]

terms user@host# set permissions conﬁgure

separated user@host# set allow-commands "(ping)|(traceroute)|(show system alarms)|(sho

by the pipe. user@host# set deny-conﬁgura on "(access)|(access-proﬁle)|(accoun ng-op o

Each term (bridge-domains)|(chassis)|(class-of-service)"

must be a
With the above configura on, the users assigned to the test login class have
complete
restricted to only the commands specified in the allow-commands statem
standalone
configura on mode, excluding the hierarchy levels specified in the deny-co
expression
enclosed in
parentheses
( ), with no
spaces
between the
pipe and the
adjacent
parentheses.

^ At the
beginning of [edit system login class test]

an user@host# set permissions interface

expression, user@host# set permissions interface-control

used to user@host# set allow-commands "(^show) (log|interfaces|policer))|(^monitor)"

denote
With the above configura on, the users assigned to the test login class have
where the
viewing interface configura on from the opera onal and configura on mod
command
statement specifies access to commands that begin with show and monito
begins,
where there For the first filter, the commands specified include the show log, show in
might be policer commands. The second filter specifies all commands star ng with
some as monitor interfaces or monitor traffic commands.
ambiguity.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 19/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Operator Match Example

$ Character at
the end of a [edit system login class test]

command. user@host# set permissions interface

Used to user@host# set allow-commands "(show interfaces$)"

denote a
With the above configura on, the users assigned to the test login class can v
command
configura on in the configura on mode and with the show configurati
that must be
command with the interface user permission. However, the regular expressio
matched
commands statement restricts the users to execute only the show interf
exactly up
access to the command extensions, such as show interfaces detail o
to that
extensive.
point.

[] Range of
le ers or [edit system login class test]

digits. To user@host# set permissions clear

separate the user@host# set permissions conﬁgure

start and user@host# set permissions network

end of a user@host# set permissions trace

range, use a user@host# set permissions view

hyphen ( - ). user@host# set allow-conﬁgura on-regexps [ "interfaces [gx]e-.* unit [0-9]* d

With the above configura on, the users assigned to the test login class have
permissions, and have access to configure interfaces within the specified ran
number (0 through 9).

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 20/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Operator Match Example

() A group of
commands, [edit system login class test]

indica ng a user@host# set permissions all

complete, user@host# set allow-commands "(clear)|(conﬁgure)"

standalone user@host# deny-commands "(mtrace)|(start)|(delete)"

expression
With the above conﬁgura on, users assigned to the test login class have sup
to be
have access to the commands speciﬁed in the allow-commands statement
evaluated.
The result is
then
evaluated as
part of the
overall
expression.
Parentheses
must be
used in
conjunc on
with pipe
operators,
as
explained.

* Zero or
more terms. [edit system login class test]
user@host# set permissions conﬁgure
user@host# set deny-conﬁgura on "(system login class m*)"

With the above conﬁgura on, users assigned to the test login class whose lo
are denied conﬁgura on access.

+ One or more
terms. [edit system login class test]
user@host# set permissions conﬁgure
user@host# set deny-conﬁgura on "(system login class m+)"

With the above conﬁgura on, users assigned to the test login class whose lo
are denied conﬁgura on access.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 21/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Operator Match Example

. Any
character [edit system login class test]

except for a user@host# set permissions conﬁgure

space " ". user@host# set deny-conﬁgura on "(system login class m.)"

With the above conﬁgura on, users assigned to the test login class whose lo
are denied conﬁgura on access.

.* Everything
from the [edit system login class test]

speciﬁed user@host# set permissions conﬁgure

point user@host# set deny-conﬁgura on "(system login class m .*)"

onward.
With the above conﬁgura on, users assigned to the test login class whose lo
are denied conﬁgura on access.

Similarly, the deny-configuration "protocols .*" statement denies

under the [edit protocols] hierarchy level.

Note:

The , +, and . opera ons can be achieved by using ..

The deny-commands .* and deny-configuration .* statements

mode commands and conﬁgura on hierarchies, respec vely.

NOTE Junos OS does not support the ! regular expression operator.

Regular Expression Examples

Table 5 lists the regular expressions used to allow conﬁgura on op ons under two conﬁgura on
hierarchies—[edit system ntp server] and [edit protocols rip]—as an example for
specifying regular expressions.

NOTE Table 5 does not provide a comprehensive list of all regular expressions and
keywords for all conﬁgura on statements and hierarchies. The regular expressions listed
in the table are supported in Junos OS Release 16.1, and are validated only for the [edit
system ntp server] and [edit protocols rip] statement hierarchies.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 22/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Table 5: Regular Expressions Examples 

Statement
Hierarchy Regular Expressions

[edit
system
ntp
server]

key key-
number [edit system login class test]
set permissions configure
set allow-configura on-regexps [ "system ntp server .*" "system ntp server .* key .*" ]
set deny-configura on-regexps [ "system ntp server .* version .*" "system ntp server .* pr

version
version- [edit system login class test]

number set permissions conﬁgure

set allow-conﬁgura on-regexps [ "system ntp server .*" "system ntp server .* version .*" ]
set deny-conﬁgura on-regexps [ "system ntp server .* key .*" "system ntp server .* prefer

prefer
[edit system login class test]
set permissions configure
set allow-configura on-regexps [ "system ntp server .*" "system ntp server .* prefer" ];
set deny-configura on-regexps [ "system ntp server .* key .*" "system ntp server .* versio

[edit
protocols
rip]

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 23/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Statement
Hierarchy Regular Expressions

message-
size [edit system login class test]

message- set permissions conﬁgure

size set allow-conﬁgura on-regexps "protocols rip message-size .*"

set deny-conﬁgura on-regexps [ "protocols rip metric-in .*" "protocols rip route- meout

metric-in
metric-in [edit system login class test]
set permissions configure
set allow-configura on-regexps "protocols rip metric-in .*"
set deny-configura on-regexps [ "protocols rip message-size .*" "protocols rip route- me

route-
meout [edit system login class test]

route- set permissions conﬁgure

timeout set allow-conﬁgura on-regexps "protocols rip route- meout .*"

set deny-conﬁgura on-regexps [ "protocols rip metric-in .*" "protocols rip message-size .*

update-
interval [edit system login class test]

update- set permissions conﬁgure

interval set allow-conﬁgura on-regexps "protocols rip update-interval .*"

set deny-conﬁgura on-regexps [ "protocols rip metric-in .*" "protocols rip route- meout

Examples of Deﬁning Access Privileges Using allow-

configura on and deny-configura on Statements
You can define access privileges using a combina on of the following types of statements:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 24/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

permission ﬂags

allow-configuration and deny-configuration statements

The permission flags define the larger boundaries of what a person or login class can access and
control. The allow-configuration and deny-configuration statements take precedence
over permission flags and give the administrator finer control over exactly what the user has
access to.

This topic explains defining access privileges using allow-configuration and deny-
configuration statements by showing a series of examples of login class configura on using
these statements. Examples 1 through 3 use both permission flags and deny-configuration
statements to create login classes that allow users access to all except something. Each allow-
configuration or deny-configuration statement is configured with one or more regular
expressions to be allowed or denied.

No ce that permission bit and permission flag are used interchangeably.

Example 1
To create a login class that allows the user to conﬁgure everything except telnet parameters:

1. Set the user’s login class permission bit to all.

 

[edit system login]

user@host# set class all-except-telnet permissions all

2. Include the following deny-configuration statement.

 

[edit system login class all-except-telnet]

user@host# set deny-configuration "system services telnet"

Example 2

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 25/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

To create a login class that allows the user to conﬁgure everything except anything within any
login class whose name begins with “m”:

1. Set the user’s login class permission bit to all.

 

[edit system login]

user@host# set class all-except-login-class-m permissions all

2. Include the following deny-configuration statement.

 

[edit system login class all-except-login-class-m]

user@host# set deny-configuration "system login class m.*"

Example 3
This next example shows the crea on of a login class with the all permission bit that prevents
the user from edi ng a conﬁgura on or issuing commands (such as commit) at the [edit
system login class] or [edit system services] hierarchy levels:

To create a login class that allows the user to conﬁgure everything except at the [edit system
login class] or [edit system services] hierarchy levels:

1. Set the user’s login class permission bit to all.

 

[edit system login]

user@host# set class all-except-login-class-or-system-services permissions al

2. Include the following deny-configuration statement.

 
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 26/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

[edit system login class all-except-login-class-or-system-services]

user@host# set deny-configuration "(system login class) | (system services)"

The next two examples show how to use the allow-configuration and deny-
configuration statements to determine permissions inverse to each other for the [edit
system services] hierarchy level.

Example 4
To create a login class that allows the user to have full conﬁgura on privileges at the [edit
system services] hierarchy level and at only the [edit system services] hierarchy
level:

1. Set the user’s login class permission bit to configure.

 

[edit system login]

user@host# set class configure-only-system-services permissions configure

2. Include the following allow-configuration statement.

 

[edit system login class configure-only-system-services]

user@host# set allow-configuration "system services"

Example 5
To create a login class that allows the user full permissions for all conﬁgura on mode hierarchies
except the [edit system services] hierarchy level:

1. Set the user’s login class permission bit to all.

 
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 27/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

[edit system login]

user@host# set class all-except-system-services permissions all

2. Include the following deny-configuration statement.

 

[edit system login class all-except-system-services]

user@host# set deny-configuration "system services"

Example: Using Addi ve Logic With Regular Expressions to

Specify Access Privileges
This example shows how to use addi ve logic when using regular expressions to set up
conﬁgura on access privileges.

Requirements

Overview

Conﬁgura on

Examples

Requirements
This example uses the following hardware and so ware components:

One Juniper Networks J Series, M Series, MX Series, or T Series device

Junos OS Release 16.1 or later

There must be at least one user assigned to a login class.

There can be more than one login class, each with varying permission conﬁgura ons, and
more than one user on the device.

Overview
To control who can make configura on changes to the system, and what specifically they can
change, you can create regular expressions that indicate specific por ons of the configura on
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 28/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

hierarchy that users in a named user class are permi ed to access. For example, you can create
regular expressions that specify a group of rou ng instances that users are allowed to modify, and
prevent the users from making changes to any other rou ng instances, or to any other
conﬁgura on level.

You conﬁgure regular expressions using the allow-configuration-regexps and deny-

configuration-regexps statements. By default, deny-configuration-regexps
statements take precedence over allow-configuration-regexps statements for users in the
named user class to which they are applied.

If a conﬁgura on hierarchy appears in a deny-configuration-regexps statement for a

named user class, it is not visible to the users, regardless of the contents of the allow-
configuration-regexps statement. If a conﬁgura on hierarchy does not appear in a deny-
configuration-regexps statement, it is visible if it appears in an allow-configuration-
regexps statement, or if there is no allow-configuration-regexps statement conﬁgured
for the user class..

You can op onally change this default behavior so addi ve logic (that is, deny all by default / allow
some as speciﬁed) is used in regular expressions. When addi ve logic is enabled, the behavior of
exis ng regular expressions changes so that all conﬁgura on hierarchies are denied unless they
are included in an allow-configuration-regexps statement for the named user class.

Conﬁgura on
To enable addi ve logic for regular expressions:

1. To explicitly allow one or more individual conﬁgura on mode hierarchies, include the allow-
configuration-regexps statement at the [edit system login class class-
name] hierarchy level, conﬁgured with the regular expressions to be allowed.

 

[edit system login class class-name]

user@host# set allow-configuration-regexps "regular expression 1" "regular ex

2. Assign the login class to one or more users.

 

[edit system login]

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 29/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

user@host# set user username class class-name

3. Enable addi ve logic for regular expressions.

 

[edit system]
user@host# set regex-additive-logic

4. Commit your changes.

Users assigned this login class have access to the conﬁgura on hierarchies included in the
allow-configuration-regexps statement, but no others.

Examples
Using Regular Expressions with Addi ve Logic
Purpose
This sec on provides examples of regular expressions that use addi ve logic to give you ideas for
crea ng conﬁgura ons appropriate for your system.

Allow Speciﬁc Rou ng Instances

The following example login class includes a regular expression that allows conﬁgura on of rou ng
instances whose names start with CUST-VRF-; for example, CUST-VRF-1, CUST-VRF-25,
CUST-VRF-100, and so on:

 

[edit system login class class-name]

user@host# set permissions configure view view-configuration
user@host# set allow-configuration-regexps "routing-instances CUST-VRF-.* .*"

If the following statement is included in the configura on, it prevents the user from configuring
any other rou ng instances and denies access to any non-rou ng instance configura on hierarchy:

 

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 30/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

[edit system]
user@host# set regex-additive-logic

Allow BGP Peer Conﬁgura on Only

The following example login class includes a regular expression that allows conﬁgura on of BGP
peers:

 

[edit system login class class-name]

user@host# set permissions configure view view-configuration
user@host# set allow-configuration-regexps "protocols bgp group *"

If the following statement is included in the conﬁgura on, it prevents the user from making any
other changes, such as dele ng or disabling BGP statements:

 

[edit system]
user@host# set regex-additive-logic

Veriﬁca on

To verify that you have set the access privileges correctly:

1. Conﬁgure a login class and commit the changes.

2. Assign the login class to a username.

3. Log in as the username assigned with the new login class.

4. A empt to perform the conﬁgura ons that have been allowed.

You should be able to perform conﬁgura on changes to hierarchy levels and regular
expressions that have been allowed.

All other hierarchies should not be visible.

Any allowed or denied expressions should take precedence over any permissions granted
with the permissions statement.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 31/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Example: Conﬁguring User Permissions with Access Privileges

for Opera onal Mode Commands
This example shows how to conﬁgure custom login classes and assign access privileges for
opera onal mode commands. This enables users of the customized login class to execute only
those opera onal commands for which access privileges have been speciﬁed. This prevents
unauthorized users from execu ng sensi ve commands that could poten ally cause damage to
the network.

Requirements

Overview and Topology

Conﬁgura on

Veriﬁca on

Requirements
This example uses the following hardware and so ware components:

One Juniper Networks device

One TACACS+ (or RADIUS) server

Junos OS build running on the Juniper Networks device

Before you begin:

Establish a TCP connec on between the device and the TACACS+ server. In the case of the
RADIUS server, establish a UDP connec on between the device and the RADIUS server.
For informa on on conﬁguring a TACACS+ server, see Conﬁguring TACACS+ Authen ca on.

Overview and Topology

Each top-level command-line interface (CLI) command and each configura on statement in Junos
OS has an access privilege level associated with it. For each login class, you can explicitly deny or
allow the use of opera onal and configura on mode commands that would otherwise be
permi ed or not allowed by a privilege level. Users can execute only those commands and
configure and view only those statements for which they have access privileges. To configure

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 32/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

access privilege levels, include the permissions statement at the [edit system login
class class-name] hierarchy level.

The access privileges for each login class are defined by one or more permission flags specified in
the permissions statement. In addi on to this, you can specify extended regular expressions
with the following statements:

allow-commands and deny-commands—Allow or deny access to opera onal mode

commands only.

allow-configuration and deny-configuration—Allow or deny access to a par cular

conﬁgura on hierarchy only.

allow-configuration-regexps and deny-configuration-regexps—Allow or deny

access to a par cular conﬁgura on hierarchy using strings of regular expressions.

allow-commands-regexps and deny-commands-regexps—(TACACS+ authoriza on

only) Allow or deny access to a par cular command using strings of regular expressions.

The above statements deﬁne a user’s access privileges to individual opera onal mode commands,
conﬁgura on statements, and hierarchies. These statements take precedence over the login class
permissions set for a user.

Conﬁgura on Notes

When conﬁguring the allow-commands, deny-commands, allow-configuration, and

deny-configuration statements with access privileges, take the following into considera on:

You can include the allow/deny statement only once in each login class.

If the exact same command is conﬁgured under both allow-commands and deny-
commands statements, or both allow-configuration and deny-configuration
statements, then the allow opera on takes precedence over the deny statement.
For instance, with the following conﬁgura on, a user assigned to login class test is allowed to
install so ware using the request system software add command, although the deny-
commands statement also includes it:

 

[edit system login]

user@host# set class test permissions allow-commands "request system software
user@host# set class test permissions deny-commands "request system software

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 33/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

For instance, with the following conﬁgura on, a user assigned to login class test is allowed to
access the [edit system services] conﬁgura on hierarchy, although the deny-
configuration statement also includes it:

 

[edit system login]

user@host# set class test permissions allow-configuration "system services"
user@host# set class test permissions deny-configuration "system services"

If you specify a regular expression for allow-commands and deny-commands statements

with two different variants of a command, the longest match is always executed.
For instance, for the following configura on, a user assigned to test login class is allowed to
execute the commit synchronize command and not the commit command. This is
because commit-synchronize is the longest match between commit and commit-
synchronize, and it is specified for allow-commands.

 

[edit system login]

user@host# set class test allow-commands "commit-synchronize"
user@host# set class test deny-commands commit

Regular expressions for allow-commands and deny-commands statements can also include
the commit, load, rollback, save, status, and update commands.

Explicitly allowing configura on mode hierarchies or regular expressions using the allow-
configuration statement adds to the regular permissions set using the permissions
statement. Likewise, explicitly denying configura on mode hierarchies or regular expressions
using the deny-configuration statement removes permissions for the specified
configura on mode hierarchy, from the default permissions provided by the permissions
statement.
For example, for the following configura on, the login class user can edit the configura on at
the [edit system services] hierarchy level and issue configura on mode commands
(such as commit), in addi on to just entering the configura on mode using the configure
command, which is the permission specified by the configure permission flag:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 34/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

 

[edit system login]

user@host# set class test permissions configure allow-configuration "system s

Likewise, for the following configura on, the login class user can perform all opera ons
allowed by the all permissions flag, except issuing configura on mode commands (such as
commit) or modifying the configura on at the [edit system services] hierarchy level:

 

[edit system login]

user@host# set class test permissions all deny-configuration "system services

The allow/deny-configuration statements are mutually exclusive with the

allow/deny-configuration-regexps statements, and the allow-deny-commands
statements are mutually exclusive with the allow/deny-commands-regexps statements.
For example, you cannot conﬁgure both allow-configuration and allow-
configuration-regexps in the same login class.

If you have exis ng conﬁgura ons using the allow/deny-configuration or

allow/deny-commands statements, using the same conﬁgura on op ons with the
allow/deny-configuration-regexps or allow/deny-commands-regexps
statements might not produce the same results, as the search and match methods diﬀer in the
two forms of these statements.

To deﬁne access privileges to parts of the conﬁgura on hierarchy, specify the full paths in the
extended regular expressions with the allow-configuration and deny-configuration
statements. Use parentheses around an extended regular expression that connects two or
more expressions with the pipe (|) symbol.
For example:

 

[edit system login]

user@host# set class test deny-configuration "(system login class) | (system

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 35/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

If the regular expression contains any spaces, operators, or wildcard characters, enclose the
expression in quota on marks. Regular expressions are not case-sensi ve; for example,
allow-commands "show interfaces".

Modiﬁers such as set, log, and count are not supported within the regular expression string to
be matched. If a modiﬁer is used, then nothing is matched.

Incorrect conﬁgura on:

 

[edit system login]

user@host# set class test permission deny-commands "set protocols"

Correct conﬁgura on:

 

[edit system login]

user@host# set class test permission deny-commands protocols

Anchors are required when specifying complex regular expressions with the allow-
commands statement.

For example:

 

[edit system login]

user@host# set class test permissions allow-commands "(^monitor) | (^ping) |
OR
set class test permissions allow-commands "allow-commands ="^(monitor | ping

When specifying extended regular expressions using the allow/deny-commands and

allow/deny-configuration statements, each expression separated by a pipe (|) symbol
must be a complete standalone expression, and must be enclosed in parentheses ( ). Do not

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 36/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

use spaces between regular expressions separated with parentheses and connected with the
pipe (|) symbol.
For example:

 

[edit system login]

user@host# set class test allow-commands "(ping .*)|(traceroute .*)|(show .*)
user@host# set class test deny-configuration "(system login class)|(system se

When specifying extended regular expressions using the allow/deny-configuration-

regexps or allow/deny-commands-regexps statement, each expression enclosed within
quotes (") and separated by a space must be enclosed in angular brackets [ ].
For example:

 

[edit system login]

user@host# set class test allow-configuration-regexps [ "interfaces .* descri

You can use the * wildcard character when deno ng regular expressions. However, it must be
used as a por on of a regular expression. You cannot use [ * ] or [ .* ] alone.

You cannot conﬁgure the allow-configuration statement with the (interfaces

(description (|.*)) regular expression, as this evaluates to allow-configuration = .*
regular expression.

You can conﬁgure as many regular expressions as needed to be allowed or denied. Regular
expressions to be denied take precedence over conﬁgura ons to be allowed.

Topology

Figure 1: Conﬁguring TACACS+ Server Authen ca on

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 37/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Figure 1 illustrates a simple topology, where Router R1 is a Juniper Networks device and has a
TCP connec on established with a TACACS+ server.

In this example, R1 is conﬁgured with three customized login classes—Class1, Class2, and Class3—
for specifying access privileges with extended regular expressions using the allow-commands
and deny-commands statements diﬀerently.

The purpose of each login class is as follows:

Class1—Deﬁnes access privileges for the user with the allow-commands statement only.
This login class provides operator-level user permissions, and should provide authoriza on for
only reboo ng the device.

Class2—Deﬁnes access privileges for the user with the deny-commands statement only. This
login class provides operator-level user permissions, and should deny access to set
commands.

Class3—Deﬁnes access privileges for the user with both the allow-commands and deny-
commands statements. This login class provides superuser-level user permissions, and should
provide authoriza on for accessing interfaces and viewing device informa on. It should also
deny access to edit and configure commands.

Router R1 has three diﬀerent users, User1, User2, and User3, assigned to Class1, Class2, and
Class3 login classes, respec vely.

Configura on
CLI Quick Configura on
To quickly configure this example, copy the following commands, paste them into a text file,
remove any line breaks, change any details necessary to match your network configura on, copy
and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from
configura on mode.

 

set system authentication-order tacplus

set system authentication-order radius
set system authentication-order password
set system radius-server 10.209.1.66 secret "$ABC123"
set system tacplus-server 10.209.1.66
set system radius-options enhanced-accounting

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 38/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

set system tacplus-options enhanced-accounting

set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting traceoptions file auditlog
set system accounting traceoptions flag all
set system accounting destination tacplus server 10.209.1.66
set system login class Class1 permissions clear
set system login class Class1 permissions network
set system login class Class1 permissions reset
set system login class Class1 permissions trace
set system login class Class1 permissions view
set system login class Class1 allow-commands "request system reboot"
set system login class Class2 permissions clear
set system login class Class2 permissions network
set system login class Class2 permissions reset
set system login class Class2 permissions trace
set system login class Class2 permissions view
set system login class Class2 deny-commands set
set system login class Class3 permissions all
set system login class Class3 allow-commands configure
set system login class Class3 deny-commands .*
set system login user User1 uid 2001
set system login user User1 class Class1
set system login user User1 authentication encrypted-password "$ABC123"
set system login user User2 uid 2002
set system login user User2 class Class2
set system login user User2 authentication encrypted-password "$ABC123"
set system login user User3 uid 2003
set system login user User3 class Class3
set system login user User3 authentication encrypted-password "$ABC123"
set system syslog file messages any any

Conﬁguring Authen ca on Parameters for Router R1

Step-by-Step Procedure
The following example requires that you navigate various levels in the conﬁgura on hierarchy. For
informa on about naviga ng the CLI, see Using the CLI Editor in Conﬁgura on Mode in the CLI
User Guide.

To conﬁgure Router R1 authen ca on:

1. Conﬁgure the order in which authen ca on should take place for R1. In this example,
TACACS+ server authen ca on is ﬁrst, followed by RADIUS server authen ca on, and then

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 39/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

the local password.

 

[edit system]
user@R1# set authentication-order tacplus
user@R1# set authentication-order radius
user@R1# set authentication-order password

2. Establish R1 connec on with the TACACS+ server.

 

[edit system]
user@R1# set tacplus-server 10.209.1.66
user@R1# set tacplus-options enhanced-accounting
user@R1# set accounting destination tacplus server 10.209.1.66

3. Conﬁgure RADIUS server authen ca on parameters.

 

[edit system]
user@R1# set radius-server 10.209.1.66 secret "$ABC123"
user@R1# set radius-options enhanced-accounting

4. Conﬁgure R1 accoun ng conﬁgura on parameters.

 

[edit system]
user@R1# set accounting events login
user@R1# set accounting events change-log
user@R1# set accounting events interactive-commands
user@R1# set accounting traceoptions file auditlog
user@R1# set accounting traceoptions flag all

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 40/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Conﬁguring Access Privileges with allow-commands Statement Only (Class1)

Step-by-Step Procedure
To specify regular expressions using the allow-commands statement only:

1. Conﬁgure Class1 custom login class and assign operator-level user permissions. For
informa on on the predeﬁned system login classes, see the Junos OS Login Classes Overview.

 

[edit system login]

user@R1# set class Class1 permissions clear
user@R1t# set class Class1 permissions network
user@R1# set class Class1 permissions reset
user@R1# set class Class1 permissions trace
user@R1# set class Class1 permissions view

2. Specify the command to enable reboo ng of R1 in the allow-commands statement.

 

[edit system login]

user@R1# set class Class1 allow-commands "request system reboot"

3. Conﬁgure the user account for the Class1 login class.

 

[edit system login]

user@R1# set user User1 uid 2001
user@R1# set user User1 class Class1
user@R1# set user User1 authentication encrypted-password "$ABC123"

Conﬁguring Access Privileges with deny-commands Statement Only (Class2)

Step-by-Step Procedure

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 41/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

To specify regular expressions using the deny-commands statement only:

1. Conﬁgure the Class2 custom login class and assign operator-level user permissions. For
informa on on the predeﬁned system login classes, see the Junos OS Login Classes Overview.

 

[edit system login]

user@R1# set class Class1 permissions clear
user@R1# set class Class1 permissions network
user@R1# set class Class1 permissions reset
user@R1# set class Class1 permissions trace
user@R1# set class Class1 permissions view

2. Disable execu on of any set commands in the deny-commands statement.

 

[edit system login]

user@R1# set class Class1 deny-commands "set"

3. Conﬁgure the user account for the Class2 login class.

 

user@R1# set login user User2 uid 2002

user@R1# set login user User2 class Class2
user@R1# set login user User2 authentication encrypted-password "$ABC123"

Conﬁguring Access Privileges with Both allow-commands and deny-commands

Statements (Class3)
Step-by-Step Procedure
To specify regular expressions using both the allow-commands and deny-commands
statements:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 42/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

1. Conﬁgure the Class3 custom login class and assign superuser-level user permissions. For
informa on on the predeﬁned system login classes, see the Junos OS Login Classes Overview.

 

[edit system login]

user@R1# set class Class3 permissions all

2. Specify the commands to enable only conﬁgure commands in the allow-commands

statement.

 

[edit system login]

user@R1# set class Class3 allow-commands configure

3. Disable execu on of all commands in the deny-commands statement.

 

[edit system login]

user@R1# set class Class3 deny-commands .*

4. Conﬁgure the user account for the Class1 login class.

 

[edit system login]

user@R1# set login user User3 uid 2003
user@R1# set login user User3 class Class3
user@R1# set login user User3 authentication encrypted-password "$ABC123"

Results

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 43/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

From configura on mode, confirm your configura on by entering the show system command. If
the output does not display the intended configura on, repeat the instruc ons in this example to
correct the configura on.

 

user@R1# show system

authentication-order [ tacplus radius password ];
radius-server {
10.209.1.66 secret "$ABC123";
}
tacplus-server {
10.209.1.66;
}
radius-options {
enhanced-accounting;
}
tacplus-options {
enhanced-accounting;
}
accounting {
events [ login change-log interactive-commands ];
traceoptions {
file auditlog;
flag all;
}
destination {
tacplus {
server {
10.209.1.66;
}
}
}
}
login {
class Class1 {
permissions [ clear network reset trace view ];
allow-commands "request system reboot";
}
class Class2 {
permissions [ clear network reset trace view ];
deny-commands set;
}
class Class3 {

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 44/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

permissions all;
allow-commands configure;
deny-commands .*;
}
user User1 {
uid 2001;
class Class1;
authentication {
encrypted-password "$ABC123";
}
}
user User2 {
uid 2002;
class Class2;
authentication {
encrypted-password "$ABC123";
}
}
user User3 {
uid 2003;
class Class3;
authentication {
encrypted-password “$ABC123”;
}
}
}
syslog {
file messages {
any any;
}
}

Verifica on
Log in as the username assigned with the new login class, and confirm that the configura on is
working properly.

Verifying Class1 Conﬁgura on

Verifying Class2 Conﬁgura on

Verifying Class3 Conﬁgura on

Verifying Class1 Conﬁgura on

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 45/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Purpose
Verify that the permissions and commands allowed in the Class1 login class are working.

Ac on

From opera onal mode, run the show system users command.

User1@R1> show system users

 

12:39PM up 6 days, 23 mins, 6 users, load averages: 0.00, 0.01, 0.00

USER TTY FROM LOGIN@ IDLE WHAT
User1 p0 abc.example.net 12:34AM 12:04 cli
User2 p1 abc.example.net 12:36AM 12:02 -cli (cli)
User3 p2 abc.example.net 10:41AM 11 -cli (cli)

From opera onal mode, run the request system reboot command.

User1@R1> request system ?

 

Possible completions:
reboot Reboot the system

Meaning
The Class1 login class to which User1 is assigned has the operator-level user permissions, and is
allowed to execute the request system reboot command.

The predefined operator login class has the following permission flags specified:

clear—Can clear (delete) informa on learned from the network that is stored in various
network databases by using the clear commands.

network—Can access the network by using the ping, ssh, telnet, and traceroute
commands.

reset—Can restart so ware processes by using the restart command and can conﬁgure
whether so ware processes are enabled or disabled at the [edit system processes]
hierarchy level.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 46/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

trace—Can view trace file se ngs and configure trace file proper es.

view—Can use various commands to display current system-wide, rou ng table, and protocol-
speciﬁc values and sta s cs. Cannot view the secret conﬁgura on.

For the Class1 login class, in addi on to the above-men oned user permissions, User1 can
execute the request system reboot command. The ﬁrst output displays the view permissions
as an operator, and the second output shows that the only request command that User1 can
execute as an operator is the request system reboot command.

Verifying Class2 Conﬁgura on

Purpose
Verify that the permissions and commands allowed for the Class2 login class are working.

Ac on

From the opera onal mode, run the ping command.

User2@R1> ping 10.209.1.66

 

ping 10.209.1.66
PING 10.209.1.66 (10.209.1.66): 56 data bytes
64 bytes from 10.209.1.66: icmp_seq=0 ttl=52 time=212.521 ms
64 bytes from 10.209.1.66: icmp_seq=1 ttl=52 time=212.844 ms
64 bytes from 10.209.1.66: icmp_seq=2 ttl=52 time=211.304 ms
64 bytes from 10.209.1.66: icmp_seq=3 ttl=52 time=210.963 ms
^C
--- 10.209.1.66 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 210.963/211.908/212.844/0.792 ms

From the CLI prompt, check the available permissions.

User2@R1> ?

 

Possible completions:
clear Clear information in the system
file Perform file operations
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 47/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

help Provide help information

load Load information from file
monitor Show real-time debugging information
mtrace Trace multicast path from source to receiver
op Invoke an operation script
ping Ping remote target
quit Exit the management session
request Make system-level requests
restart Restart software process
save Save information to file
show Show system information
ssh Start secure shell on another host
start Start shell
telnet Telnet to another host
test Perform diagnostic debugging
traceroute Trace route to remote host

From the CLI prompt, execute any set command.

User2@R1> set

 

^
unknown command.

Meaning
The Class2 login class to which User2 is assigned has the operator-level user permissions, and is
denied access to all set commands. This is displayed in the command outputs.

The permission flags specified for the predefined operator login class are the same as that of
Class1.

Verifying Class3 Conﬁgura on

Purpose
Verify that the permissions and commands allowed for the Class3 login class are working.

Ac on

From the CLI prompt, check the available permissions.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 48/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

User3@R1> ?

 

Possible completions:
configure Manipulate software configuration information

From the opera onal mode, enter conﬁgura on mode.

User3@R1> configure

 

Entering configuration mode

[edit]
User3@R1#

Meaning
The Class3 login class to which User3 is assigned has the superuser (all) user permissions, but is
allowed to execute the configure command only, and is denied access to all other opera onal
mode commands. Because the regular expressions speciﬁed in the allow/deny-commands
statements take precedence over the user permissions, User3 on R1 has access only to
conﬁgura on mode, and is denied access to all other opera onal mode commands.

Example: Conﬁguring User Permissions with Access Privileges

for Configura on Statements and Hierarchies
This example shows how to configure custom login classes and assign access privileges to por ons
of the configura on hierarchy. This enables users of the customized login class to execute only
those configura on statements and hierarchies for which access privileges have been specified.
This prevents unauthorized users from accessing device configura ons that could poten ally
cause damage to the network.

Requirements

Overview and Topology

Conﬁgura on

Veriﬁca on
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 49/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Requirements
This example uses the following hardware and so ware components:

One Juniper Networks device

One TACACS+ (or RADIUS) server

Junos OS build running on the Juniper Networks device

Before you begin:

Overview and Topology

allow-commands and deny-commands—Allow or deny access to opera onal mode

commands.

allow-configuration and deny-configuration—Allow or deny access to parts of the

configura on hierarchy.
These statements perform slower matching, with more flexibility, especially in wildcard
matching. However, it can take a very long me to evaluate all of the possible statements if a
great number of full-path regular expressions or wildcard expressions are configured, possibly
impac ng performance.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 50/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

allow-configuration-regexps and deny-configuration-regexps—Allow or deny

access to a par cular configura on hierarchy using strings of regular expressions. These
statements are similar to allow-configuration and deny-configuration statements,
except that in the allow/deny-configuration-regexps statements you can configure
sets of strings in which the strings include spaces when using the first set of statements.

The above statements deﬁne a user’s access privileges to individual opera onal mode commands,
conﬁgura on statements, and hierarchies. These statements take precedence over a login class
permissions bit set for a user.

Difference between allow/deny-configura on and allow/deny-configura on-regexps statements

The allow-configuration and deny-configuration statements were introduced before

Junos OS Release 7.4. The allow-configuration-regexps and deny-configuration-
regexps statements were introduced in Junos OS Release 11.2. In Junos OS Release 11.4, the
allow-configuration and deny-configuration statements were deprecated, but because
these statements were useful in execu ng simple conﬁgura ons, these statements were
undeprecated in Junos OS Release 11.4R6, and star ng with the 11.4R6 release, both the
allow/deny-configuration and the allow/deny-configuration-regexps statements
are supported.

The allow/deny-configuration-regexps statements split up the regular expression into

tokens and match each piece against each part of the specified configura on’s full path, whereas
the allow/deny-configuration statements match against the full string. For allow/deny-
configuration-regexps statements, you configure a set of strings in which each string is a
regular expression, with spaces between the terms of the string. This provides very fast matching,
but with less flexibility. For specifying wildcard expressions you must set up wildcards for each
token of the space-delimited string you want to match, and this makes it more tedious to use
wildcard expressions for these statements.

For example:

Regular expression matching one token using allow-conﬁgura on-regexps

This example shows that options is the only matched expression against the ﬁrst token of
the statement.

 

[edit system]
login {

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 51/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

class test {
permissions configure;
allow-configuration-regexps .*options;
}
}

The above conﬁgura on matches the following statements:

set policy-op ons condi on condition dynamic-db

set rou ng-op ons sta c route static-route next-hop next-hop

set event-op ons generate-event event me-interval seconds

The above conﬁgura on does not match the following statements:
system host-name host-op ons

interfaces interface-name descrip on op ons

Regular expression matching three tokens using allow-conﬁgura on-regexps

This example shows that ssh is the only matched expression against the third token of the
statement.

 

[edit system]
login {
class test {
permissions configure;
allow-configuration-regexps ".* .* .*ssh";
}
}

In the above example, the three tokens include .*, .*, and .*ssh, respec vely.
The above conﬁgura on matches the following statements:
system host-name hostname-ssh

system services ssh

system services outbound-ssh

The above conﬁgura on does not match the following statement:
interfaces interface-name descrip on ssh

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 52/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

You can restrict configura on access easily using the deny-configuration statement as
compared to using the deny-configuration-regexps statement. Table 6 illustrates the use of
both the deny-configuration and deny-configuration-regexps statements in different
configura ons to achieve the same result of restric ng access to a par cular configura on.


Table 6: Restric ng Configura on Access Using deny-configur on and deny-configura on-regexps
Statements

Configura on Using: deny-configura on Using: deny-configura on-regexps

Denied

xnm-ssl
[edit system] [edit system]
login { login {
class test { class test {
permissions configure; permissions configure;
allow-configura on .*; allow-configura on .*;
deny-configura on .*xnm-ssl; deny-configura on-regexps ".* .* .*-ssl"";
} }
} }

ssh
[edit system] [edit system]
login { login {
class test { class test {
permissions configure; permissions configure;
allow-configura on .*; allow-configura on .*;
deny-configura on ".*ssh"; deny-configura on-regexps ".*ssh";
} deny-configura on-regexps ".* .*ssh";
} deny-configura on-regexps ".* .* .*ssh";
}
}

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 53/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Although the allow/deny-configuration statements are also useful when simple

conﬁgura on is desired, the allow/deny-configuration-regexps statements provide
be er performance and overcome the ambiguity that existed when combining expressions set in
the allow/deny-configuration statements.

NOTE The allow/deny-configuration and allow/deny-configuration-

regexps statements are mutually exclusive and cannot be configured together for a login
class. At a given point in me, a login class can include either the allow/deny-
configuration statement, or the allow/deny-configuration-regexps
statement. If you have exis ng configura ons using the allow/deny-configuration
statements, using the same configura on op ons with the allow/deny-
configuration-regexps statements might not produce the same results, as the
search and match methods differ in the two forms of these statements.

Conﬁgura on Notes

When conﬁguring the allow-configuration, deny-configuration, allow-

configuration-regexps, and deny-configuration-regexps statements with access
privileges, take the following into considera on:

You can include one deny-configuration and one allow-configuration statement in

each login class.

The allow/deny-configuration and allow/deny-configuration-regexps

statements are mutually exclusive and cannot be configured together for a login class. At a
given point in me, a login class can include either the allow/deny-configuration
statement, or the allow/deny-configuration-regexps statement. If you have exis ng
configura ons using the allow/deny-configuration statements, using the same
configura on op ons with the allow/deny-configuration-regexps statements might
not produce the same results, as the search and match methods differ in the two forms of
these statements.

using the deny-configuration statement removes permissions for the speciﬁed

configura on mode hierarchy, from the default permissions provided by the permissions
statement.
For example, for the following configura on, the login class user can edit the configura on at
the [edit system services] hierarchy level and issue configura on mode commands
(such as commit), in addi on to just entering the configura on mode using the configure
command, which is the permission specified by the configure permission flag:

 

[edit system login]

user@host# set class test permissions configure allow-configuration "system s

 

[edit system login]

user@host# set class test permissions all deny-configuration "system services

 

[edit system login]

user@host# set class test deny-configuration "(system login class)|(system se

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 55/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

When specifying extended regular expressions using the allow/deny-commands and

allow/deny-configuration statements, each expression separated by a pipe (|) symbol
must be a complete standalone expression, and must be enclosed in parentheses ( ). Do not
use spaces between regular expressions separated with parentheses and connected with the
pipe (|) symbol.
For example:

 

[edit system login]

user@host# set class test allow-commands "(ping .*)|(traceroute .*)|(show .*)
user@host# set class test deny-configuration "(system login class)|(system se

When specifying extended regular expressions using the allow-deny-configuration-

regexps statement, each expression enclosed within quotes (") and separated by a space
must be enclosed in angular brackets [ ].
For example:

 

[edit system login]

user@host# set class test allow-configuration-regexps [ "interfaces .* descri

If the exact same command is configured under both allow-configuration and deny-
configuration statements, then the allow opera on takes precedence over the deny
statement.
For instance, with the following configura on, a user assigned to login class test is allowed to
access the [edit system services] configura on hierarchy, although the deny-
configuration statement also includes it:

 

[edit system login]

user@host# set class test permissions allow-configuration "system services"
user@host# set class test permissions deny-configuration "system services"

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 56/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

For instance, if a certain command or conﬁgura on is allowed, for example, using permission
all, then we can use the deny-configuration command to deny access to a par cular
hierarchy.

Modiﬁers such as set, log, and count are not supported within the regular expression string to
be matched. If a modiﬁer is used, then nothing is matched.

Incorrect conﬁgura on:

 

[edit system login]

user@host# set class test permission deny-configuration "set protocols"

Correct conﬁgura on:

 

[edit system login]

user@host# set class test permission deny-configuration protocols

You can use the * wildcard character when deno ng regular expressions. However, it must be
used as a por on of a regular expression. You cannot use [ * ] or [ .* ] alone.

You cannot conﬁgure the allow-configuration statement with the (interfaces

(description (|.*)) regular expression, as this evaluates to allow-configuration = .*
regular expression.

You can conﬁgure as many regular expressions as needed to be allowed or denied. Regular
expressions to be denied take precedence over conﬁgura ons to be allowed.

Topology

Figure 2: Conﬁguring TACACS+ Server Authen ca on

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 57/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Figure 2 illustrates a simple topology, where Router R1 is a Juniper Networks device and has a
TCP connec on established with a TACACS+ server.

In this example, R1 is conﬁgured with two customized login classes—Class1 and Class2—for
specifying access privileges with extended regular expressions using the allow-
configuration, deny-configuration, allow-configuration-regexps, and deny-
configuration-regexps statements diﬀerently.

The purpose of the login classes is as follows:

Class1—Define access privileges for the user with the allow-configuration and deny-
configuration statements. This login class should provide access to configure interfaces
hierarchy only, and deny all other access on the device. To do this, the user permissions should
include configure to provide configura on access. In addi on to this, the allow-
configuration statement should allow interfaces configura on, and the deny-
configuration statement should deny access to all other configura ons. Because the allow
statement takes precedence over the deny statement, the users assigned to the Class1 login
class can access only the [edit interfaces] hierarchy level.

Class2—Deﬁne access privileges for the user with the allow-configuration-regexps

and deny-configuration-regexps statements. This login class provides superuser-level
user permissions, and in addi on, explicitly allows conﬁgura on under mul ple hierarchy
levels for interfaces. It also denies conﬁgura on access to the [edit system] and [edit
protocols] hierarchy levels.

Router R1 has two users, User1 and User2, assigned to the Class1 and Class2 login classes,
respec vely.

 

set system authentication-order tacplus

set system authentication-order radius
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 58/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

set system authentication-order password

set system radius-server 10.209.1.66 secret "$ABC123"
set system tacplus-server 10.209.1.66
set system radius-options enhanced-accounting
set system tacplus-options enhanced-accounting
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting traceoptions file auditlog
set system accounting traceoptions flag all
set system accounting destination tacplus server 10.209.1.66
set system login class Class1 permissions configure
set system login class Class1 allow-configuration "interfaces .* unit .*"
set system login class Class1 deny-configuration .*
set system login class Class2 permissions all
set system login class Class2 allow-configuration-regexps [ "interfaces .* descr
set system login class Class2 deny-configuration-regexps [ "system" "protocols"
set system login user User1 uid 2004
set system login user User1 class Class1
set system login user User1 authentication encrypted-password "$ABC123"
set system login user User2 uid 2006
set system login user User2 class Class2
set system login user User2 authentication encrypted-password "$ABC123"
set system syslog file messages any any

Conﬁguring Authen ca on Parameters for Router R1

To conﬁgure Router R1 authen ca on:

1. Conﬁgure the order in which authen ca on should take place for R1. In this example,
TACACS+ server authen ca on is ﬁrst, followed by RADIUS server authen ca on, then the
local password.

 

[edit system]
user@R1# set authentication-order tacplus

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 59/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

user@R1# set authentication-order radius

user@R1# set authentication-order password

2. Establish R1 connec on with the TACACS+ server.

 

[edit system]
user@R1# set tacplus-server 10.209.1.66
user@R1# set tacplus-options enhanced-accounting
user@R1# set accounting destination tacplus server 10.209.1.66

3. Conﬁgure RADIUS server authen ca on parameters.

 

[edit system]
user@R1# set radius-server 10.209.1.66 secret "$ABC123"
user@R1# set radius-options enhanced-accounting

4. Conﬁgure the R1 accoun ng conﬁgura on parameters.

 

Configuring Access Privileges with allow-configura on and deny-configura on

Statements (Class1)
Step-by-Step Procedure

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 60/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

To specify regular expressions using the allow-configuration and deny-configuration

statements:

1. Conﬁgure the Class1 custom login class and assign conﬁgura on user permissions.

 

[edit system login]

user@R1# set class Class1 permissions configure

2. Specify the regular expression in the allow-configuration statement to allow

conﬁgura on at the [edit interfaces] hierarchy level. To allow set commands at the
[edit interfaces] hierarchy level, the regular expression used is interfaces .* unit
.*.

 

[edit system login]

user@R1# set class Class1 allow-configuration "interfaces .* unit .*"

3. Specify the regular expression in the deny-configuration statement to disable all

conﬁgura on access. The regular expression used to deny all conﬁgura on access is .*.

 

[edit system login]

user@R1# set class Class1 deny-configuration .*

4. Conﬁgure the user account for the Class1 login class.

 

[edit system login]

user@R1# set system login user User1 uid 2004
user@R1# set system login user User1 class Class1
user@R1# set system login user User1 authentication encrypted-password "$ABC1

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 61/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Conﬁguring Access Privileges with allow-conﬁgura on-regexps and deny-

conﬁgura on-regexps Statements (Class2)
Step-by-Step Procedure
To specify regular expressions using the allow-configuration-regexps and deny-
configuration-regexps statements:

1. Conﬁgure the Class2 custom login class and assign superuser (all) user permissions. For
informa on on the predeﬁned system login classes, see Junos OS Login Classes Overview.

 

[edit system login]

user@R1# set class Class2 permissions all

2. Specify the regular expression to allow access to mul ple hierarchies under the [edit
interfaces] hierarchy level.

 

[edit system login]

user@R1# set class Class2 allow-configuration-regexps [ "interfaces .* descri

3. Specify the regular expression to deny conﬁgura on at the [edit system] and [edit
protocols] hierarchy levels.

 

[edit system login]

user@R1# set class Class2 deny-configuration-regexps [ "system" "protocols" ]

4. Conﬁgure the user account for the Class2 login class.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 62/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

 

[edit system login]

user@R1# set system login user User2 uid 2006
user@R1# set system login user User2 class Class2
user@R1# set system login user User2 authentication encrypted-password "$ABC1

Results
From configura on mode, confirm your configura on by entering the show system command. If
the output does not display the intended configura on, repeat the instruc ons in this example to
correct the configura on.

 

user@R1# show system

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 63/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

}
}
login {
class Class1 {
permissions configure;
allow-configuration "interfaces .* unit .*";
deny-configuration .*;
}
class Class2 {
permissions all;
allow-configuration-regexps [ "interfaces .* description .*" "interfaces .*
deny-configuration-regexps [ "system" "protocols" ];
}
user User1 {
uid 2001;
class Class1;
authentication {
encrypted-password "$ABC123";
}
}
user User2 {
uid 2002;
class Class2;
authentication {
encrypted-password "$ABC123";
}
}
}
syslog {
file messages {
any any;
}
}

Verifica on
Log in as the username assigned with the new login class, and confirm that the configura on is
working properly.

Verifying Class1 Conﬁgura on

Verifying Class2 Conﬁgura on

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 64/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Verifying Class1 Conﬁgura on

Purpose
Verify that the permissions allowed in the Class1 login class are working.

Ac on

From the CLI prompt, check the available permissions.

User1@R1> ?

 

Possible completions:
clear Clear information in the system
configure Manipulate software configuration information
file Perform file operations
help Provide help information
load Load information from file
op Invoke an operation script
quit Exit the management session
request Make system-level requests
save Save information to file
set Set CLI properties, date/time, craft interface message
start Start shell
test Perform diagnostic debugging

From the conﬁgura on mode, check the available conﬁgura on permissions.

User1@R1# edit ?

 

Possible completions:
> interfaces Interface configuration

Meaning
User1 has configure user permissions seen in the first output, and the only configura on access
allowed for User1 is at the interfaces hierarchy level. All other configura on is denied, as seen in
the second output.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 65/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Verifying Class2 Conﬁgura on

Purpose
Verify that the Class2 conﬁgura on is working.

Ac on
From the conﬁgura on mode, access the interfaces conﬁgura on.

 

[edit interfaces]
User2@R1# set ?
Possible completions:
<interface-name> Interface name
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
ge-0/0/3 Interface name
> interface-range Interface ranges configuration
> interface-set Logical interface set configuration
> traceoptions Interface trace options

From the conﬁgura on mode, access the system and protocols conﬁgura on hierarchies.

User2@R1# edit system

 

Syntax error, expecting <statement> or <identifier>.

User2@R1# edit protocols

 

Syntax error, expecting <statement> or <identifier>.

Meaning

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 66/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

User2 has permissions to conﬁgure interfaces of R1, but the [edit system] and [edit
protocols] hierarchy levels are denied access, as seen in the output.

See also
Regular Expressions for Allowing and Denying Junos OS Opera onal Mode Commands,
Conﬁgura on Statements, and Hierarchies

Related Documenta on
Junos OS Login Classes Overview

Junos OS User Accounts

ward Previous Page Next Page 

Company

About Us

Careers

Corporate Responsibility

Investor Rela ons

Newsroom

Events

Image Library

Partners

Partner Program

Find a Partner

Become a Partner

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 67/68
6/12/2019 Junos OS User Access Privileges - TechLibrary - Juniper Networks

Partner Login

Get updates from Juniper

Contacts
Feedback
Site Map
Privacy Policy
Legal No ces

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-example-configuring-user-permissions-with… 68/68

Extreme Privacy What It Takes To Disappear
93% (15)
Extreme Privacy What It Takes To Disappear
514 pages
How To Download Documents From Scribd For Free - 7 Methods
67% (9)
How To Download Documents From Scribd For Free - 7 Methods
25 pages
DNM Bible
100% (2)
DNM Bible
117 pages
Turbo Tax Method Step by Step
96% (28)
Turbo Tax Method Step by Step
19 pages
The Hypnotic Writer's Swipe File
100% (22)
The Hypnotic Writer's Swipe File
88 pages
Extreme Privacy - Linux Devices (Michael Bazzell)
100% (1)
Extreme Privacy - Linux Devices (Michael Bazzell)
90 pages
Android Secret Codes PDF Book
100% (10)
Android Secret Codes PDF Book
8 pages
Top 800+ Latest Android Secret Codes - Hidden Codes 2019
100% (10)
Top 800+ Latest Android Secret Codes - Hidden Codes 2019
12 pages
FBI-iPhone Forensics Manual
100% (8)
FBI-iPhone Forensics Manual
28 pages
Unix Shell Scripting and Text Processing Tools
100% (1)
Unix Shell Scripting and Text Processing Tools
2 pages
Michael Bazzell - Open Source Intelligence Techniques - Resources For Searching and Analyzing Online Information-Createspace Independent Publishing Platform (2021)
100% (10)
Michael Bazzell - Open Source Intelligence Techniques - Resources For Searching and Analyzing Online Information-Createspace Independent Publishing Platform (2021)
669 pages
Secret Code List For Android and All Samsung - Code Exercise
100% (2)
Secret Code List For Android and All Samsung - Code Exercise
6 pages
Verizon Sauce??
No ratings yet
Verizon Sauce??
1 page
Linux Magazine USA Issue 280, March 2024
100% (2)
Linux Magazine USA Issue 280, March 2024
100 pages
HP Networking Guide To Hardening Comware-Based Devices
No ratings yet
HP Networking Guide To Hardening Comware-Based Devices
40 pages
How To Legally Unlock Icloud PDF
50% (2)
How To Legally Unlock Icloud PDF
19 pages
Instructions CAT ET 2019A
No ratings yet
Instructions CAT ET 2019A
1 page
Free Robux Generator 2021 Free Robux Generator No Human Verification 2021 Get Free Robux Codes Daily ( (How To Earn 450,000 Free Robux) )
50% (4)
Free Robux Generator 2021 Free Robux Generator No Human Verification 2021 Get Free Robux Codes Daily ( (How To Earn 450,000 Free Robux) )
48 pages
Compilers Principles, Techniques, & Tools - Lecture Notes, Study Material and Important Questions, Answers
No ratings yet
Compilers Principles, Techniques, & Tools - Lecture Notes, Study Material and Important Questions, Answers
18 pages
Extreme Privacy - Mobile Devices
100% (5)
Extreme Privacy - Mobile Devices
135 pages
Solidifier Command Line Reference Guide (For Integrity Monitor and Change Control)
No ratings yet
Solidifier Command Line Reference Guide (For Integrity Monitor and Change Control)
26 pages
OS Concepts Chapter 2 Summary
100% (1)
OS Concepts Chapter 2 Summary
2 pages
Bash Commands
100% (1)
Bash Commands
5 pages
Hacking University Computer Hacking and Mobile Hacking 2 Manuscript Bundle
100% (1)
Hacking University Computer Hacking and Mobile Hacking 2 Manuscript Bundle
95 pages
How To Root Android Phone Without PC
No ratings yet
How To Root Android Phone Without PC
13 pages
Junos OS User Access Privileges - TechLibrary - Juniper Networks PDF
No ratings yet
Junos OS User Access Privileges - TechLibrary - Juniper Networks PDF
68 pages
01 System Basics and Management
No ratings yet
01 System Basics and Management
127 pages
Switch 5500-EI CG V03.03.02
No ratings yet
Switch 5500-EI CG V03.03.02
1,072 pages
CLI Overview
No ratings yet
CLI Overview
29 pages
HP Switch Software - Using The CLI
No ratings yet
HP Switch Software - Using The CLI
9 pages
Using The Command Line Interface (CLI)
No ratings yet
Using The Command Line Interface (CLI)
22 pages
Ruijie RG s6500 Series Switch Rgos Configuration Guide Release 11.05b9p66 Compressed
No ratings yet
Ruijie RG s6500 Series Switch Rgos Configuration Guide Release 11.05b9p66 Compressed
2,985 pages
Module 5 Assigning Administrative Roles
No ratings yet
Module 5 Assigning Administrative Roles
17 pages
Cisco CLI
No ratings yet
Cisco CLI
30 pages
Juniper Commands
No ratings yet
Juniper Commands
6 pages
H3c - 01-CLI Commands - 641883 - 1285 - 0
No ratings yet
H3c - 01-CLI Commands - 641883 - 1285 - 0
8 pages
01-03 Basic Configurations Commands PDF
No ratings yet
01-03 Basic Configurations Commands PDF
286 pages
Cisco MDS User Id
No ratings yet
Cisco MDS User Id
22 pages
CH 2
No ratings yet
CH 2
57 pages
Using The Command-Line Interface
No ratings yet
Using The Command-Line Interface
30 pages
Cisco Overview
No ratings yet
Cisco Overview
30 pages
CF Cli Basics
No ratings yet
CF Cli Basics
30 pages
(GROUP-1) CLI in Multiprocessing OS
No ratings yet
(GROUP-1) CLI in Multiprocessing OS
22 pages
Ip10g Cli User Guide 662
No ratings yet
Ip10g Cli User Guide 662
97 pages
os_ch03
No ratings yet
os_ch03
30 pages
Basic Switch Configuration Guide With Examples-GRNG
No ratings yet
Basic Switch Configuration Guide With Examples-GRNG
12 pages
S8600 Series Switch Configuration Guide v10.4 (3b7)
No ratings yet
S8600 Series Switch Configuration Guide v10.4 (3b7)
2,268 pages
1300 Cli
No ratings yet
1300 Cli
1,362 pages
User Authority Management Software User Manual
No ratings yet
User Authority Management Software User Manual
10 pages
01-01 Overview of CLIs
No ratings yet
01-01 Overview of CLIs
20 pages
Cisco Note
No ratings yet
Cisco Note
43 pages
01-02 Basic Configurations Commands
No ratings yet
01-02 Basic Configurations Commands
612 pages
Application Note 3ADR010315
No ratings yet
Application Note 3ADR010315
21 pages
Linux Interview QA PEP Input
No ratings yet
Linux Interview QA PEP Input
80 pages
StoneOS CLI User Guide Monitor 5.5R6
No ratings yet
StoneOS CLI User Guide Monitor 5.5R6
103 pages
01 Basic Configuration
No ratings yet
01 Basic Configuration
219 pages
Fedora
No ratings yet
Fedora
18 pages
Setting Up Security
No ratings yet
Setting Up Security
13 pages
Jncia Study Guide
No ratings yet
Jncia Study Guide
41 pages
Huawei VRP Basics
No ratings yet
Huawei VRP Basics
6 pages
SU01-Logon Data-User Type
No ratings yet
SU01-Logon Data-User Type
2 pages
Mang-May-Tinh-Nang-Cao - cn2 - Lab4 - (Cuuduongthancong - Com)
No ratings yet
Mang-May-Tinh-Nang-Cao - cn2 - Lab4 - (Cuuduongthancong - Com)
13 pages
01RG-S29 Series Switch RGOS Configuration Guide, Release 11.4 (1) B12 - System Configuration
No ratings yet
01RG-S29 Series Switch RGOS Configuration Guide, Release 11.4 (1) B12 - System Configuration
207 pages
Avocent Umg Appliance Command Reference Guide
No ratings yet
Avocent Umg Appliance Command Reference Guide
18 pages
JUNOS-to-Cisco IOS-XR Command Reference PDF
No ratings yet
JUNOS-to-Cisco IOS-XR Command Reference PDF
4 pages
(SRX) How To Configure TACACS+ Authentication On SRX Platforms
No ratings yet
(SRX) How To Configure TACACS+ Authentication On SRX Platforms
5 pages
JNCIA Notes
No ratings yet
JNCIA Notes
28 pages
Privileged Groups - HackTricks - HackTricks
No ratings yet
Privileged Groups - HackTricks - HackTricks
10 pages
How To Lock (SU01) & Unlock (SU10) A SAP User
No ratings yet
How To Lock (SU01) & Unlock (SU10) A SAP User
98 pages
Unit 2
No ratings yet
Unit 2
27 pages
Net Exp3
No ratings yet
Net Exp3
6 pages
Sec CFG Sec 4cli PDF
No ratings yet
Sec CFG Sec 4cli PDF
40 pages
Command Reference Guide
No ratings yet
Command Reference Guide
18 pages
ATP. Лекция 2. Basic Switch Setup
No ratings yet
ATP. Лекция 2. Basic Switch Setup
57 pages
01-03 Basic Configurations Commands
No ratings yet
01-03 Basic Configurations Commands
408 pages
RHEL 4 OS Hardening Guide
No ratings yet
RHEL 4 OS Hardening Guide
18 pages
Junos Practice 1
100% (1)
Junos Practice 1
23 pages
01-02 Basic Configurations Commands
No ratings yet
01-02 Basic Configurations Commands
589 pages
Lsa QB Ans
No ratings yet
Lsa QB Ans
55 pages
Run Levels: Run Level Init State Type Purpose
No ratings yet
Run Levels: Run Level Init State Type Purpose
3 pages
Linux Services Deployment
From Everand
Linux Services Deployment
Fabian Mestre
No ratings yet
Kubernetes Made Easy
From Everand
Kubernetes Made Easy
Pankaj Joshi
No ratings yet
Free Prepper and Survival Manuals PDF S
No ratings yet
Free Prepper and Survival Manuals PDF S
19 pages
The NSHipster Fake Book
33% (12)
The NSHipster Fake Book
108 pages
How To Sideload Apps On Firestick For Movies, TV, and More (2022)
No ratings yet
How To Sideload Apps On Firestick For Movies, TV, and More (2022)
35 pages
Coding Python
100% (8)
Coding Python
252 pages
Active Directory INTERVIEW QUESTIONS
No ratings yet
Active Directory INTERVIEW QUESTIONS
4 pages
Master PowerShell Tricks Volume 3
100% (2)
Master PowerShell Tricks Volume 3
254 pages
WtfIsThis - Malware Development EBook For Beginners
No ratings yet
WtfIsThis - Malware Development EBook For Beginners
37 pages
Mac OS X Hacks
No ratings yet
Mac OS X Hacks
504 pages
Repair Your Computer in Windows 8 and 8.1
No ratings yet
Repair Your Computer in Windows 8 and 8.1
27 pages
LINUX Administrator's Quick Reference Card: User Management NFS File Sharing
100% (3)
LINUX Administrator's Quick Reference Card: User Management NFS File Sharing
6 pages
Python Progr Module 3 - 6th EC by 21EC643
No ratings yet
Python Progr Module 3 - 6th EC by 21EC643
24 pages
Flat Unit-Iii
No ratings yet
Flat Unit-Iii
11 pages
3 1 DFA To Regular Expression
No ratings yet
3 1 DFA To Regular Expression
20 pages
A. Language of Explanation
No ratings yet
A. Language of Explanation
3 pages
Javascript For Abap Programmers: Chapter 3.5 - Arrays
No ratings yet
Javascript For Abap Programmers: Chapter 3.5 - Arrays
26 pages
Tutorial 11
No ratings yet
Tutorial 11
4 pages
Theory of Computation: Course Outcomes: On Completion of The Course, The Students Will Be
No ratings yet
Theory of Computation: Course Outcomes: On Completion of The Course, The Students Will Be
9 pages
Splunk Quick Reference Guide
No ratings yet
Splunk Quick Reference Guide
6 pages
The Dummies Guide To Compiler Design
No ratings yet
The Dummies Guide To Compiler Design
165 pages
Orchadmin Command: Datastage
No ratings yet
Orchadmin Command: Datastage
5 pages
VB6 To TCL Mini HOWTO: Mark Hubbard
No ratings yet
VB6 To TCL Mini HOWTO: Mark Hubbard
12 pages
Javascript String Methods
No ratings yet
Javascript String Methods
7 pages
Analyzing Linux Logs - The Ultimate Guide To Logging
No ratings yet
Analyzing Linux Logs - The Ultimate Guide To Logging
2 pages
Statistics and Machine Learning in Python
No ratings yet
Statistics and Machine Learning in Python
218 pages
SourceQL Paper 3: Progress Report 1 For EECS 395 (Senior Project)
No ratings yet
SourceQL Paper 3: Progress Report 1 For EECS 395 (Senior Project)
8 pages
Unix QB
No ratings yet
Unix QB
8 pages
Lecture 6 Regular Expressions
No ratings yet
Lecture 6 Regular Expressions
28 pages
Splunk Cheat Sheet
No ratings yet
Splunk Cheat Sheet
4 pages
Question Solved TCS
No ratings yet
Question Solved TCS
15 pages
II Year - II Semester L T P C 4 0 0 3
No ratings yet
II Year - II Semester L T P C 4 0 0 3
2 pages
DevNet Associate (Version 1.0) - Module 1 Exam Answers PDF
No ratings yet
DevNet Associate (Version 1.0) - Module 1 Exam Answers PDF
10 pages
Splunk 6.0.10 SearchReference Cheatsheet
No ratings yet
Splunk 6.0.10 SearchReference Cheatsheet
461 pages
Chapter 4-Computer Theory BY Danial I. A Cohen
70% (10)
Chapter 4-Computer Theory BY Danial I. A Cohen
23 pages
Python For Data Science PDF
100% (3)
Python For Data Science PDF
15 pages
Lecture 2 3
No ratings yet
Lecture 2 3
102 pages
Professional Java Developer Career Starter Java Foundations Exercises %26 Supplements
No ratings yet
Professional Java Developer Career Starter Java Foundations Exercises %26 Supplements
27 pages
Ghid Utilizare ANTCONC 3.5.9
No ratings yet
Ghid Utilizare ANTCONC 3.5.9
12 pages