User Account Privilege Classes in Junos

When you create user accounts in Junos, you will want to associate that user with a privilege class. Four standard login privilege classes exist on a Junos OS device, each allowing its own set of authorized functions. You can also create your own unique privilege class.

Privilege class: Super-user
Description: A super-user can perform any and all operations on the device.
Usage recommendation: Reserve this privilege level for the key people who monitor and maintain all aspects of your devices.

Privilege class: Operator
Description: An operator is allowed to work in operational mode to check the status of the device and the routing protocols, clear statistics, and perform reset operations, including restarting routing processes and rebooting the device. This class can look at the device configuration, but can’t modify it.
Usage recommendation: This privilege level is for the network operations team that is responsible for monitoring your devices.

Privilege class: Read-only
Description: Someone with read-only privilege can only monitor the status of the device and routing protocols.
Usage recommendation: Give this class to low-level watchers of the network who must get an engineer or administrator when they see something amiss.

Privilege class: Unauthorized
Description: Unauthorized is a class with no privileges at all on the device. When users in this class log in, the Junos OS software immediately logs them out.
Usage recommendation: It sounds odd, but this class can be useful if these users do have privileges on other devices.

You may be tempted to put every valid user into the super-user class and be done with it, but doing so is usually a big mistake. Super-users can do literally everything, including granting super-user privileges to other users. One well-known trick is to quickly log in as a super-user and create an innocent-looking user ID (“guest-1”) that also just happens to have super-user privileges and log out again. But the damage is done.

Everyone will claim they can’t do their job unless they have super-user privileges. This is nonsense. Save your super-user class for people who really need it.

The predefined privilege classes are provided in Junos as a convenience: Junos has gathered collections of permissions that you can use for common purposes. But you don’t have to use them. You can grant individual permissions by creating your own class.

For example, you can explicitly create a class called configurators whose members are granted permission to edit a configuration file but nothing else. Realistic? Maybe not. But it does work.

[edit system login]
user@junos-device# set class configurators permissions configure

This is also how you set up users who can read trace files that are marked no-world-readable (and do nothing else, if you like). If you grant the trace permission to a user class, you let users in that class view trace files and trace file settings. Many of the predefined user classes include this permission (along with many others).
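Putting the two ideas above together, here is an added example (not from the original article) of a custom class that can only view operational state and trace files, plus a user assigned to it and the commands to verify the result. The class name trace-readers, the user name tracewatch, the uid, and the password hash placeholder are all assumptions.

```junos
[edit system login]
# Custom class: 'view' for operational show commands, 'trace' for trace
# files and trace settings. No 'configure', so nothing can be changed.
user@junos-device# set class trace-readers permissions [ view trace ]
# Drop idle sessions after 15 minutes so a forgotten terminal is not a foothold.
user@junos-device# set class trace-readers idle-timeout 15

# Assign a user to the restricted class rather than to super-user.
user@junos-device# set user tracewatch uid 2010 class trace-readers
# PLACEHOLDER hash; set a real one with "authentication plain-text-password".
user@junos-device# set user tracewatch authentication encrypted-password "$6$PLACEHOLDER"
user@junos-device# commit

# Verify: which classes and users exist, and who (if anyone) is super-user.
user@junos-device# run show configuration system login
# Logged in as tracewatch, confirm the effective permissions are only view and trace.
tracewatch@junos-device> show cli authorization
```

Review the output of show configuration system login periodically: an unexpected user in class super-user is exactly the “guest-1” pattern described above.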
