[j-nsp] allow-configuration/permission + insert

Otto Kreiter otto.kreiter at dante.org.uk
Thu Aug 14 09:16:09 EDT 2008


Hi Erdem,

Unfortunately that will open up the whole firewall configuration for the 
user and I want to restrict it to the access_in firewall only!

Thanks.
Otto

Erdem Sener wrote:
> Hey Otto,
>
>  You need to add "firewall-control" to your class' permissions, and
> you should be fine.
>
> Cheers,
> Erdem
>
> On Thu, Aug 14, 2008 at 1:49 PM, Otto Kreiter <otto.kreiter at dante.org.uk> wrote:
>   
>> Hi,
>>
>> I'm trying to create a user with limited rights to access a single firewall
>> filter in the firewall configuration. I have (partially) managed to find the
>> most convenient way of doing it by committing the following configuration:
>>
>> class test {
>>   permissions configure;
>>   allow-configuration "firewall family inet filter access_in";
>> }
>> user test {
>>   uid 2002;
>>   class test;
>>   authentication {
>>     encrypted-password "xxx";
>>   }
>> }
>>
>> This nicely allows test user to configure the access_in filter and to
>> *create* new terms. However here comes the problem. When a new term is
>> created this is placed automatically at the end of the filter (fair enough -
>> is there any way to specify its place?). But then when the user tries to
>> insert it in the right place:
>>
>> test@router# insert term Test-1 before ?
>> No valid completions
>>
>> Yes, there are many other terms, even created by the same user in the same
>> session. I've tried countless allow-configurations and permission
>> configuration options and variations but I'm missing something and can't get
>> to the bottom of the problem.
>>
>> I would be grateful if somebody can point me in the right direction!
>>
>> Thank you and regards,
>> Otto
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>>     


-- 
Otto Kreiter

Service Introduction Manager 
DANTE Ltd.
Phone: +44 (0)1223 371300


