Issue with login class - Configuration couldn't be un-locked.
I have created a custom login class 'WEB1' to restrict the commands and the configuration changes that can be made by a particular user. The commands work exactly as expected when the user logs in using the CLI, but when we try to execute/configure the same commands on J-Web we get a permission denied error message.
Below is the login class I created for the user pavan:
set system login class WEB1 permissions configure
set system login class WEB1 permissions interface
set system login class WEB1 permissions interface-control
set system login class WEB1 permissions security
set system login class WEB1 permissions system
set system login class WEB1 allow-commands "(ping .*)|(traceroute .*)|(show .*)|(configure .*)|(exit)|(commit)|(rollback .*)|(request system .* .* .*)"
set system login class WEB1 allow-configuration "(system name-server .*) | (interfaces ge-0/0/0.0 .* .* .* .* .* .*) | (routing-options static route .* .* .* .*)"
set system login class WEB1 deny-configuration .*
I am basically allowing a bunch of show-commands and giving the user an explicit ability to modify the interface ge-0/0/0.0, change the DNS server IP and set the default static route.
Except for the reboot command, all of these are successfully done on the CLI, but when we try to implement the same on the GUI, it says permission denied.
I tried to set the IP address of ge-0/0/0.0 on the CLI using the command:
set interfaces ge-0/0/0 unit 0 family inet address 22.214.171.124/29
It worked fine without a problem and I was able to commit. When I tried implementing the same on J-Web, it says "permission denied."
The "request system reboot" command gives me the below error when requested from the CLI:
pavan@xx> request system reboot
Reboot the system ? [yes,no] (no) yes
mgd: unable to execute /sbin/shutdown: Permission denied
Re: Issue with login class - Configuration couldn't be un-locked.
Thanks for the response. Our management has strict restrictions on allowing commands and allowing configuration changes to the WEB1 users. So, unfortunately, we can't delete the command deny configuration .*
We need to fine-tune the config with an implicit deny at the end.