User Account Privilege Classes in Junos - dummies

By Walter J. Goralski, Cathy Gadecki, Michael Bushong

When you create a user account in Junos, you must assign that user to a login (privilege) class. Four predefined login classes exist on a Junos OS device, each allowing its own set of authorized functions. You can also create your own classes with exactly the permissions you want.

Privilege class: Super-user
Description: A super-user can perform any and all operations on the device.
Usage recommendation: Reserve this privilege level for the key people who monitor and maintain all aspects of your devices.

Privilege class: Operator
Description: An operator is allowed to work in operational mode to check the status of the device and the routing protocols, clear statistics, and perform reset operations, including restarting routing processes and rebooting the device. This class can look at the device configuration, but can't modify it.
Usage recommendation: This privilege level is for the network operations team that is responsible for monitoring your network.

Privilege class: Read-only
Description: Someone with read-only privilege can only monitor the status of the device and routing protocols.
Usage recommendation: Give it to low-level watchers of the network who must get an engineer or administrator when they see something amiss.

Privilege class: Unauthorized
Description: Unauthorized is a class with no privileges at all on the device. When users in this class log in, the Junos OS software immediately logs them out.
Usage recommendation: It sounds odd, but this class can be useful if these users do have privileges on other devices.

You may be tempted to put every valid user into the super-user class and be done with it, but doing so is usually a big mistake. Super-users can do literally everything, including granting super-user privileges to other users. One well-known trick: log in as a super-user, create an innocent-looking account (“guest-1”) that also happens to belong to the super-user class, and log out again. The session lasted seconds, but the backdoor account stays in the configuration until someone audits the login classes and notices it.

Everyone will claim they can’t do their job unless they have super-user privileges. This is nonsense. Save your super-user class for people who really need it.

The predefined privilege classes are provided in Junos as a convenience: Junos has gathered a collection of permissions together that you can use for common purposes. But you aren't limited to them. You can grant individual permissions by creating your own class.

For example, you can create a class called configurators whose members are granted only the configure permission, which lets them enter configuration mode, and nothing else. Realistic? Maybe not, but it works. Note that configure by itself does not let a user change anything: editing a given hierarchy (interfaces, routing, system, and so on) also requires the matching permission flag, such as interface-control or system-control, or an explicit allow-configuration statement in the class.

[edit system login]
user@junos-device# set class configurators permissions configure

This is also how you set up users who may read no-world-readable trace files (and nothing else, if you like). If you grant the trace permission to a class, you let users in that class view trace files and trace-file settings. Many of the predefined classes include this permission (along with many others), so check the class, not just the user, when you are deciding who can read those files.
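As an added example (not from the original article and not Juniper's code), the following Python script audits a Junos login configuration for the two concerns discussed above: accounts that hold super-user rights, whether through the predefined super-user class or through a custom class that grants all, and custom classes whose permissions deserve a second look (configure on its own, or trace). It reads the text of show configuration system login | display set; the configuration embedded in it, and every user and class name in it, is constructed for this example. The script accepts both the bracketed permission list as typed at the CLI and one permission per line; the predefined class permission sets are taken from the Junos documentation.

```python
"""Audit who effectively holds super-user rights on a Junos device.

Input is the text of 'show configuration system login | display set'.
The sample below is constructed for this example, not captured from a
real device; all user and class names in it are made up."""
import re

# Permission sets of the four predefined Junos login classes.
PREDEFINED = {
    "super-user": {"all"},
    "superuser": {"all"},          # accepted spelling variant
    "operator": {"clear", "network", "reset", "trace", "view"},
    "read-only": {"view"},
    "unauthorized": set(),
}

# Matches both 'permissions configure' and 'permissions [ view trace ]'.
CLASS_RE = re.compile(
    r"^set system login class (\S+) permissions (?:\[ (.*?) \]|(\S+))\s*$")
USER_CLASS_RE = re.compile(r"^set system login user (\S+) class (\S+)\s*$")

# Constructed sample: a custom 'configure'-only class, a trace-reading class,
# a custom class that is super-user by another name, and a 'guest-1' backdoor.
SAMPLE_CONFIG = """\
set system login class configurators permissions configure
set system login class noc-watch permissions view
set system login class noc-watch permissions trace
set system login class helpdesk permissions [ view clear ]
set system login class helpdesk-adm permissions all
set system login user admin class super-user
set system login user noc1 class operator
set system login user noc2 class noc-watch
set system login user watcher class read-only
set system login user guest-1 class super-user
set system login user contractor class unauthorized
set system login user cfg1 class configurators
set system login user hd9 class helpdesk-adm
set system login user ghost class nosuchclass
"""


def parse_login_config(text):
    """Return (classes, users): class name -> permission set, user -> class name."""
    classes = {name: set(perms) for name, perms in PREDEFINED.items()}
    users = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            perms = (m.group(2) if m.group(2) is not None else m.group(3)).split()
            classes.setdefault(m.group(1), set()).update(perms)
            continue
        m = USER_CLASS_RE.match(line)
        if m:
            users[m.group(1)] = m.group(2)
    return classes, users


def superusers(classes, users):
    """Names of every user whose class carries the 'all' permission."""
    return sorted(u for u, c in users.items() if "all" in classes.get(c, set()))


def audit(classes, users, approved_superusers=frozenset()):
    """Return a sorted list of (subject, finding) pairs worth a human's attention."""
    findings = []
    for name, perms in classes.items():
        if name in PREDEFINED:
            continue
        if "all" in perms:
            findings.append((name, "custom class grants 'all': super-user by another name"))
        if perms == {"configure"}:
            findings.append((name, "'configure' alone only opens configuration mode; "
                                   "no hierarchy is editable without further permissions"))
    for user, cls in users.items():
        perms = classes.get(cls)
        if perms is None:
            findings.append((user, f"assigned to undefined class '{cls}'"))
        elif "all" in perms and user not in approved_superusers:
            findings.append((user, f"super-user rights via class '{cls}' but not on the approved list"))
        elif "trace" in perms and cls not in PREDEFINED:
            findings.append((user, f"class '{cls}' can read trace files (including no-world-readable ones)"))
    return sorted(findings)


if __name__ == "__main__":
    classes, users = parse_login_config(SAMPLE_CONFIG)
    print("super-user equivalents:", ", ".join(superusers(classes, users)))
    for subject, finding in audit(classes, users, approved_superusers={"admin"}):
        print(f"{subject}: {finding}")
```

Run it with an approved list that names only the accounts you intended to be super-users; anything else the script reports under a super-user-equivalent class is exactly the kind of “guest-1” account the warning above is about. Operators are deliberately not flagged for trace, since that permission is part of the predefined operator class.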