Hey there,
While waiting for your reply, I'd like to take a guess and assume you're after something like below:
"A limited user class that can do some things on the router, including configuring interfaces but do not delete all of them."
In this case, I would suggest a different approach than your initial example, as the one below:
class Limited-Class {
    idle-timeout 15;
    permissions [ access clear firewall interface maintenance network pgcp-session-mirroring reset rollback routing secret security snmp storage system trace view view-configuration ];
    allow-commands configure;
    allow-configuration "(interfaces .*)|(^class-of-service .*)|(firewall .*)";
}
user erdem {
    uid 5555;
    class Limited-Class;
}
Note that instead of giving the user permissions all or interface-control (-control means read-write access to that part of the configuration) I've given only the "interface" permission, which is read-only.
However, the class is explicitly allowed to use the configure command (so that the user can enter configuration mode) along with three regular expressions in allow-configuration statement, allowing them to configure/delete a specific interface, COS or firewall item but NOT entirely alter their configuration.
In other words, the " .*" in the regexp forces the user to specify at least one more level in the following stanzas, which they can alter:
[edit interfaces]
[edit class-of-service]
[edit firewall]
Although their permissions give only read-write access to them, the explicit allow-configuration will take precedence and overwrite.
Logged in as user 'erdem', see what will happen if I try to configure/delete a specific interface, or all of them below. Note that the auto-complete is NOT going to work with edit interfaces command because user erdem has no permission bit interface-control set, so I have to type the whole command manually.
erdem@vetinari> configure
Entering configuration mode
[edit]
erdem@vetinari# edit in
^
syntax error, expecting <statement> or <identifier>.
erdem@vetinari# edit in?
No valid completions
[edit]
erdem@vetinari# edit interfaces
[edit interfaces]
erdem@vetinari# delete
Delete everything under this level? [yes,no] (no) yes
error: permission denied for interfaces: delete
[edit interfaces]
erdem@vetinari# set ge-0/0/10 description test
[edit interfaces]
erdem@vetinari# commit
commit complete
[edit interfaces]
erdem@vetinari# show ge-0/0/10
description test;
[edit interfaces]
erdem@vetinari# delete ge-0/0/10
[edit interfaces]
erdem@vetinari# commit
commit complete
[edit interfaces]
erdem@vetinari# show ge-0/0/10
[edit interfaces]
erdem@vetinari#
Needless to say, you can play with allow-configuration and permissions in the class to better suit your need.
Hope this helps,
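To make the allow-configuration behaviour from the post easier to reason about, here is a small model (added here, not part of the original post or of Junos) that tests candidate configuration paths against the three regexes in Limited-Class. It assumes each regex is tried against the space-separated statement path and, like the author's explicit ^ on class-of-service, is anchored only where written, so re.search is used; the command list is constructed from the session above.

```python
import re

# The allow-configuration value from Limited-Class, split on "|".
ALLOW_CONFIGURATION = ["interfaces .*", "^class-of-service .*", "firewall .*"]


def is_allowed(path, allow_regexes=ALLOW_CONFIGURATION):
    """Return True if a configuration path (hierarchy levels joined by
    spaces, e.g. "interfaces ge-0/0/10 description test") matches one of
    the allow-configuration regexes.

    Assumption (model, not Junos source): each regex is matched with
    re.search against the full path, so a pattern is anchored only where
    the author wrote ^ explicitly.
    """
    return any(re.search(rx, path) for rx in allow_regexes)


def check_commands(commands):
    """Map each (verb, path) pair to the outcome the model predicts."""
    result = {}
    for verb, path in commands:
        key = f"{verb} {path}".strip()
        result[key] = "allowed" if is_allowed(path) else "permission denied"
    return result


# Constructed sample: the commands typed in the session above plus two
# paths outside the allowed stanzas.
SESSION = [
    ("delete", "interfaces"),                   # 'delete' at [edit interfaces]
    ("set", "interfaces ge-0/0/10 description test"),
    ("delete", "interfaces ge-0/0/10"),
    ("delete", "class-of-service"),             # whole stanza, denied
    ("set", "firewall filter f term t then accept"),
    ("set", "system login user x class super-user"),  # not allowed at all
]

if __name__ == "__main__":
    for cmd, outcome in check_commands(SESSION).items():
        print(f"{cmd:50s} -> {outcome}")
```

The bare "interfaces" path fails because " .*" requires at least one more level, which is exactly why the delete at [edit interfaces] was refused while the per-interface set and delete went through.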