
class configuration which allows to fetch the config, but prevents the user from doing any config change

2 weeks ago

Hi experts,

I'm looking for a default class (or alternative config) to take a config snapshot on my Juniper switches from a management station.

In the log, I see the following when attempting to do a config snapshot:

UI_JUNOSCRIPT_CMD: User 'testuser' used JUNOScript client to run command 'get-configuration format="text"'

I tried with the default class read-only:

set system login user testuser class read-only

But with this configuration, I'm not able to do a config snapshot.

On my management station, I see:

version /* ACCESS-DENIED */;
system { /* ACCESS-DENIED */ };
chassis { /* ACCESS-DENIED */ };
security { /* ACCESS-DENIED */ };
interfaces { /* ACCESS-DENIED */ };
snmp { /* ACCESS-DENIED */ };
forwarding-options { /* ACCESS-DENIED */ };
event-options { /* ACCESS-DENIED */ };
routing-options { /* ACCESS-DENIED */ };
protocols { /* ACCESS-DENIED */ };
policy-options { /* ACCESS-DENIED */ };
firewall { /* ACCESS-DENIED */ };
ethernet-switching-options { /* ACCESS-DENIED */ };
vlans { /* ACCESS-DENIED */ };
poe { /* ACCESS-DENIED */ };

So I need a class configuration which allows fetching the config, but prevents the user from making any config changes.

Thanks for any hints,

Stefan

Re: class configuration which allows to fetch the config, but prevents the user from doing any config change

2 weeks ago

Create a new class:
set system login class noconf permissions [ view view-configuration ]

and assign this class to the user.


Re: class configuration which allows to fetch the config, but prevents the user from doing any config change

2 weeks ago

Many thanks, that did the trick for me:

set system login user my-user-name class getconfig-class

set system login class getconfig-class permissions view-configuration

Thanks,

Stefan
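
Added example, not part of any post in this thread: a management-station check that a fetched text-format snapshot does not consist of the `/* ACCESS-DENIED */` placeholders shown in the question, so a backup taken with a class lacking `view-configuration` is not stored as if it were good. The function name, status labels and the `OK_SAMPLE`/`PARTIAL_SAMPLE` configs are constructed for illustration; `DENIED_SAMPLE` reuses three lines from the question's output.

```python
import re

# A statement the device redacted for lack of permission, e.g.
#   system { /* ACCESS-DENIED */ };
DENIED = re.compile(r"^\s*([\w-]+)\s*\{?\s*/\*\s*ACCESS-DENIED\s*\*/")
# Any statement that starts at column 0 (top level of the text config).
TOP_LEVEL = re.compile(r"^[\w-]+")

# Three lines copied from the output shown in the question.
DENIED_SAMPLE = """\
version /* ACCESS-DENIED */;
system { /* ACCESS-DENIED */ };
vlans { /* ACCESS-DENIED */ };
"""
# Constructed samples (hypothetical host name and VLAN).
OK_SAMPLE = """\
system {
    host-name sw1;
}
vlans {
    mgmt {
        vlan-id 10;
    }
}
"""
PARTIAL_SAMPLE = """\
system {
    host-name sw1;
}
snmp { /* ACCESS-DENIED */ };
"""


def audit_snapshot(text):
    """Return (status, redacted_statement_names) for one fetched config."""
    denied, top_total, top_denied = [], 0, 0
    for line in text.splitlines():
        m = DENIED.match(line)
        if m:
            denied.append(m.group(1))
        if TOP_LEVEL.match(line):
            top_total += 1
            top_denied += bool(m)
    if top_total == 0:
        return "empty", denied
    if not denied:
        return "ok", denied
    # "denied": every top-level stanza is redacted; "partial": only some are.
    return ("denied" if top_denied == top_total else "partial"), denied
```

Run it on each snapshot before it replaces the previous backup, and alert on any status other than `ok`.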