Privilege level for Junos OS

We use Unix authentication to authenticate to Juniper devices running the Junos operating system (Junos OS).

This article describes how to create a custom login class with the least privileges required for scanning, and then associate the scan user account with that custom login class.

Overview

Junos OS allows you to grant access or permissions to commands and to configuration hierarchy levels and statements. Users can then execute only the commands, and configure and view only the statements, for which they have access privileges. You can use extended regular expressions to specify which operational mode commands, configuration statements, and hierarchies are denied or allowed for users. This prevents unauthorized users from executing or configuring sensitive commands and statements that could damage the network.

Junos OS uses login classes to assign permissions to groups of users. Each user must belong to a login class. You can define a custom login class with the permissions you want to grant to the scan user account. The class must be configured so that the account can execute the commands required for scanning these devices.

Commands required for scanning

For compliance scans:
show interfaces statistics
show configuration | display xml

For vulnerability scans:
show version
cli show version
show bgp summary
cli show bgp summary
show chassis hardware
cli show chassis hardware

Permissions required for scanning

The following permissions provide the least privileges required for scanning devices with Junos OS. This set of permission flags only allows the scan user account to view information, not modify it.


How to create a custom login class with permissions for the scan user

Follow the steps below to create a custom login class and grant it permissions (least privilege) at the different hierarchy levels. Then add the scan user account to this class.

1) Create a custom login class. In this example, the new custom class is "mytestclass":

[edit system login]

root@pcavmx14# edit class mytestclass ?

Possible completions:

  <[Enter]>            Execute this command

  |                    Pipe through a command


2) Go to the new custom login class and list the available permission flags. Here's an example:

[edit system login class mytestclass]

root@pcavmx14# set permissions ?

Possible completions:

  [                    Open a set of values

  access               Can view access configuration

  access-control       Can modify access configuration

  admin                Can view user accounts

  admin-control        Can modify user accounts

  all                  All permission bits turned on

  clear                Can clear learned network info

  configure            Can enter configuration mode

  control              Can modify any config

  field                Can use field debug commands

  firewall             Can view firewall configuration

  firewall-control     Can modify firewall configuration

  floppy               Can read and write the floppy

  flow-tap             Can view flow-tap configuration

  flow-tap-control     Can modify flow-tap configuration


3) Use the following command to assign the required permissions to the custom login class. You can give multiple permission flags in one command, or use separate commands.

[edit system login class mytestclass]

root@comvmx14# set permissions interface permissions system permissions snmp permissions routing permissions view permissions shell permissions admin


4) Create the scan user account and associate it with the custom login class. In the following example, we associate the user "scanuser" with the custom class "mytestclass". Note that the permission flags given to this class (and therefore to the user) are all view-only. This means the user will not be able to modify information.

[edit system login]

root@comvmx14# set user scanuser class mytestclass
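The steps above set up the class and user; the check a practitioner then wants is confirmation that the resulting configuration really is least-privilege. The following Python script is an added example, not part of the original article or of any Juniper tool. It parses "display set" style output of the system login hierarchy (the sample configuration below is constructed for this example; real output may list permissions one per line or as a bracketed list, and the parser accepts both), resolves the scan user's class, and reports three kinds of finding: required flags that are missing, flags from the modifying family shown in the "set permissions ?" help text (the "-control" bits, all, control, configure, clear, field, floppy), and any other flags beyond the scan set.

```python
"""Audit a Junos login class for least privilege (added example, constructed input)."""
import re
from typing import Dict, List, Set, Tuple

# The permission flags the article assigns to the scan class (view-only bits).
SCAN_FLAGS: Set[str] = {"interface", "system", "snmp", "routing", "view", "shell", "admin"}

# Flags that allow modification, taken from the 'set permissions ?' help text
# on the page plus the generic control bits. Any of these in a scan class is a finding.
MODIFY_FLAGS: Set[str] = {
    "all", "control", "configure", "clear", "field", "floppy",
    "access-control", "admin-control", "firewall-control", "flow-tap-control",
}

# Constructed sample of 'show configuration system login | display set' output.
# 'mytestclass' matches the article; 'opsclass' is a deliberately over-privileged class.
SAMPLE_CONFIG = """\
set system login class mytestclass permissions interface
set system login class mytestclass permissions system
set system login class mytestclass permissions snmp
set system login class mytestclass permissions routing
set system login class mytestclass permissions view
set system login class mytestclass permissions shell
set system login class mytestclass permissions admin
set system login class opsclass permissions [ view configure control ]
set system login user scanuser class mytestclass
set system login user opsuser class opsclass
"""

CLASS_RE = re.compile(r"^set system login class (\S+) permissions (.+)$")
USER_RE = re.compile(r"^set system login user (\S+) class (\S+)$")


def parse_login_config(text: str) -> Tuple[Dict[str, Set[str]], Dict[str, str]]:
    """Return ({class: set_of_flags}, {user: class}) from display-set lines."""
    classes: Dict[str, Set[str]] = {}
    users: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            name, value = m.groups()
            # Accept both 'permissions view' and 'permissions [ view configure ]'.
            classes.setdefault(name, set()).update(value.strip("[] ").split())
            continue
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = m.group(2)
    return classes, users


def audit_scan_user(text: str, user: str) -> List[str]:
    """Return a list of findings; an empty list means the user is least-privilege."""
    classes, users = parse_login_config(text)
    cls = users.get(user)
    if cls is None:
        return [f"user {user} is not defined"]
    flags = classes.get(cls, set())
    findings: List[str] = []
    missing = SCAN_FLAGS - flags
    if missing:
        findings.append(f"class {cls} is missing required flags: {sorted(missing)}")
    risky = flags & MODIFY_FLAGS
    if risky:
        findings.append(f"class {cls} grants modifying flags: {sorted(risky)}")
    extra = flags - SCAN_FLAGS - MODIFY_FLAGS
    if extra:
        findings.append(f"class {cls} grants flags beyond the scan set: {sorted(extra)}")
    return findings


if __name__ == "__main__":
    for name in ("scanuser", "opsuser"):
        result = audit_scan_user(SAMPLE_CONFIG, name)
        print(name, "OK" if not result else result)
```

Run it against the real output of "show configuration system login | display set" captured from the device after step 4; a clean result for the scan user confirms the class grants exactly the view-only flags from step 3 and nothing from the modifying family.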