SRX Services Gateway

Issue with login class - Configuration couldn't be un-locked.

‎01-31-2019 07:24 AM

Hi experts!

 

I have created a custom login class 'WEB1' to restrict the commands and the configuration changes to be made by a particular user. The commands work exactly as expected when the user logs in using CLI, but when we try to execute/configure the same commands on J-Web we are getting a permission denied error message.

 

Below is the login class I created for the user pavan :

====================================

set system login class WEB1 permissions configure
set system login class WEB1 permissions interface
set system login class WEB1 permissions interface-control
set system login class WEB1 permissions security
set system login class WEB1 permissions system
set system login class WEB1 allow-commands "(ping .*)|(traceroute .*)|(show .*)|(configure .*)|(exit)|(commit)|(rollback .*)|(request system .* .* .*)"
set system login class WEB1 allow-configuration "(system name-server .*) | (interfaces ge-0/0/0.0 .* .* .* .* .* .*) | (routing-options static route .* .* .* .*)"
set system login class WEB1 deny-configuration .*

 

I am basically allowing a bunch of show commands and giving the user an explicit ability to modify the interface ge-0/0/0.0, change the DNS server IP and set the default static route.

 

Except the reboot command, all of these are successfully done on CLI, but when we try to implement the same on GUI, it says permission denied.

 

Example :

I try to set the IP address of ge-0/0/0.0 on CLI using the command :

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/29

It worked fine without a problem and I was able to commit. When I tried implementing the same on J-Web, it says "permission denied."

 

The "request system reboot" gives me the below error when requested from CLI :

pavan@xx> request system reboot
Reboot the system ? [yes,no] (no) yes

mgd: unable to execute /sbin/shutdown: Permission denied

 

Please help.

 

Thanking you.

Regards,

Pavan Katakam


Re: Issue with login class - Configuration couldn't be un-locked.

‎01-31-2019 08:15 PM

Try:

delete system login class WEB1 deny-configuration .*

set system login class WEB1 permissions maintenance

 

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Issue with login class - Configuration couldn't be un-locked.

‎02-01-2019 04:38 AM

Hi,

 

Thanks for the response. Our management has strict restrictions on allowing commands and allowing configuration changes to the WEB1 users. So, unfortunately we can't delete the command deny configuration .*


We need to fine-tune the config with an implicit deny at the end.