
How to edit permissions to allow show and deny editing under the same hierarchy

‎02-14-2016 05:19 AM

Hello,

Does anyone know how to edit the permissions of a specific class to allow show and deny editing under the same hierarchy?


for example:

allow:

show configuration routing-options static | display set 

deny:

set routing-options static route 0.0.0.0/0 next-hop 172.16.15.1

 

EX4200 version 11.4R5.7

My current configuration:

set system login class CLASS idle-timeout 30
set system login class CLASS permissions control
set system login class CLASS permissions firewall
set system login class CLASS permissions interface-control
set system login class CLASS permissions network
set system login class CLASS permissions rollback
set system login class CLASS permissions routing
set system login class CLASS permissions view
set system login class CLASS permissions view-configuration
set system login class CLASS allow-commands "configure private|edit private|noop-command"
set system login class CLASS deny-configuration-regexps chassis
set system login class CLASS deny-configuration-regexps access
set system login class CLASS deny-configuration-regexps accounting-options
set system login class CLASS deny-configuration-regexps apply-groups
set system login class CLASS deny-configuration-regexps forwarding-options
set system login class CLASS deny-configuration-regexps groups
set system login class CLASS deny-configuration-regexps policy-options
set system login class CLASS deny-configuration-regexps protocols
set system login class CLASS deny-configuration-regexps services
set system login class CLASS deny-configuration-regexps snmp
set system login class CLASS deny-configuration-regexps system
set system login class CLASS deny-configuration-regexps ethernet-switching-options
set system login class CLASS deny-configuration-regexps routing-options
set system login class CLASS deny-configuration-regexps poe
set system login class CLASS deny-configuration-regexps routing-instances

 


Re: How to edit permissions to allow show and deny editing under the same hierarchy

‎03-07-2016 02:20 PM

set system login class CLASS deny-configuration routing-options
test1@srxF-2# edit routing-options
^
permission denied.


Re: How to edit permissions to allow show and deny editing under the same hierarchy

‎03-09-2016 03:56 AM

Hi,

It's not working.

First of all, "deny-configuration" can't be configured simultaneously with "deny-configuration-regexps"; it responds with an error:

[edit system login class L2-CLASS]
'deny-configuration-regexps'
'deny-configuration' and 'deny-configuration-regexps' are mutually exclusive
error: commit failed: (statements constraint check failed)

 

Also, I tried removing the "deny-configuration-regexps" configuration, and it also doesn't work with this conf:

set system login class L2-CLASS idle-timeout 30
set system login class L2-CLASS permissions control
set system login class L2-CLASS permissions firewall
set system login class L2-CLASS permissions interface-control
set system login class L2-CLASS permissions network
set system login class L2-CLASS permissions rollback
set system login class L2-CLASS permissions routing
set system login class L2-CLASS permissions view
set system login class L2-CLASS permissions view-configuration
set system login class L2-CLASS allow-commands "clear ethernet-switching table Vlan|clear ethernet-switching table mac|clear ethernet-switching bpdu-error|configure private|edit private|noop-command"
set system login class L2-CLASS deny-commands "(clear)|(file)|(help)|(load)|(op)|(request)|(save)|(set)|(start)|(test)"
set system login class L2-CLASS deny-configuration routing-options
set system login user L2 uid 2005
set system login user L2 class L2-CLASS

Can't show the routing option:

test@test> show configuration ?
Possible completions:
<[Enter]> Execute this command
> access Network access configuration
> access-profile Access profile for this instance
> accounting-options Accounting data configuration
+ apply-groups Groups from which to inherit configuration data
> chassis Chassis configuration
> class-of-service Class-of-service configuration
> ethernet-switching-options Ethernet-switching configuration options
> firewall Define a firewall configuration
> forwarding-options Configure options to control packet forwarding
> groups Configuration groups
> interfaces Interface configuration
> multi-chassis
> policy-options Routing policy option configuration
> protocols Routing protocol configuration
> security Security configuration
> services System services
> snmp Simple Network Management Protocol configuration
> system System parameters
> virtual-chassis Virtual chassis configuration
> vlans VLAN configuration
| Pipe through a command