SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Deny operational and configuration commands with classes

    Posted 12-26-2013 06:13

    I am trying to set up a small lab and want to deny users a few commands (system login, and security at least). I am using the following command and it doesn't seem to be working for either configuration or operational mode:

     

    permissions all;

    deny-commands "(^security) | (^system login) | (^request system)";

    I used to have it working for security and system login but it is no longer working for any of them. As a result, I have two questions:

     

    1. Why is this command not working for security and system login while in configuration mode?

    2. Why does the request system argument not deny the respective section in operational mode?



  • 2.  RE: Deny operational and configuration commands with classes

    Posted 12-28-2013 11:14

    Hi

     

    To deny configuration mode hierarchy commands, you need to use deny-configuration, e.g.

     

    deny-configuration "security|(system login)"

     

    "Security" and "system login" are not op mode commands, so having them in deny-commands has no effect. As for "request system", try the same without the ^ symbol. For example, such a string works for me (denies request system commands):

     

    deny-commands "(security)|(system login)|(request system)"

     

    I don't know why it does not work with ^. These allow / deny regular expressions have always seemed not so obvious to me.



  • 3.  RE: Deny operational and configuration commands with classes

    Posted 01-02-2014 10:03

    This does appear to deny access to request system but it does not deny access to security and system login. Do I need to use a combination of both deny-commands and deny-configuration?



  • 4.  RE: Deny operational and configuration commands with classes
    Best Answer

    Posted 01-02-2014 10:07

    Hi

     

    Yes, you generally need to use both deny-commands and deny-configuration.
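
The combination the answers arrive at, written out as an added example that is not from any poster in the thread. The class names lab-as-posted and lab-restricted and the user labuser are hypothetical; the regular expressions are the ones quoted in posts 1 and 2.

```junos
system {
    login {
        /* As posted in the question: configuration hierarchies are listed in deny-commands, which per post 2 only applies to op mode commands. */
        class lab-as-posted {
            permissions all;
            deny-commands "(^security) | (^system login) | (^request system)";
        }
        /* Per posts 2 and 4: op mode commands go in deny-commands, configuration hierarchies go in deny-configuration. */
        class lab-restricted {
            permissions all;
            deny-commands "(request system)";
            deny-configuration "security|(system login)";
        }
        /* Hypothetical lab user; authentication settings are omitted here. */
        user labuser {
            class lab-restricted;
        }
    }
}
```

After committing, log in as a user of the restricted class and run show cli authorization to see the permissions and deny expressions that actually apply to that session.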