A security policy requires that a user account be created for auditing purposes. This user should only view configuration and operational data without making any changes. Which predefined login class would satisfy this requirement?
Junos OS provides several predefined login classes to implement Role-Based Access Control (RBAC) efficiently. For an auditor who needs to verify the current state of the device without the risk of altering it, the read-only class is the ideal choice.
The read-only class allows a user to log in and execute show commands to view the running configuration and operational statistics. However, it strictly prohibits the user from entering configuration mode (using the configure command) or executing any "impactful" operational commands that could reset counters, clear log files, or affect traffic flow.
It is important to distinguish this from the operator class. While the operator class also cannot change the configuration, it does have permissions to clear interface statistics, reset routing protocol neighbors, and perform other "clear" or "reset" actions. For a pure auditing role where even resetting a counter would be considered a breach of policy, read-only provides the necessary "look but don't touch" environment. The super-user class, conversely, has full unrestricted access, and unauthorized is not a standard functional class. Using the read-only class ensures compliance with security best practices by granting the minimum necessary privileges required for the auditing task.
[Reference: User Interfaces, Predefined Login Classes, Access Control]
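As an added example (not part of the original answer and not Juniper code), the following Python check reads set-format configuration lines and flags audit accounts whose login class allows more than viewing, using the class capabilities described above. The account names, the custom class name and the sample configuration are constructed for illustration.

```python
import re

# Capabilities of the predefined classes as described in the text above:
# (may enter configuration mode, may run clear/reset commands)
PREDEFINED = {
    "read-only": (False, False),
    "operator": (False, True),
    "super-user": (True, True),
}

USER_CLASS = re.compile(r"^set system login user (\S+) class (\S+)\s*$")

def login_classes(config_text):
    """Map each local user to its login class from set-format config lines."""
    users = {}
    for line in config_text.splitlines():
        m = USER_CLASS.match(line.strip())
        if m:
            users[m.group(1)] = m.group(2)  # last statement wins
    return users

def audit_findings(config_text, audit_accounts):
    """Return {user: reason} for audit accounts that are not strictly view-only."""
    users = login_classes(config_text)
    findings = {}
    for name in audit_accounts:
        cls = users.get(name)
        if cls is None:
            findings[name] = "no login class assigned"
        elif cls not in PREDEFINED:
            findings[name] = f"class '{cls}' is not covered here; review its permissions"
        else:
            can_configure, can_clear = PREDEFINED[cls]
            if can_configure:
                findings[name] = f"class '{cls}' can change the configuration"
            elif can_clear:
                findings[name] = f"class '{cls}' can run clear/reset commands"
    return findings

# Constructed sample configuration (hypothetical account and class names).
SAMPLE = """\
set system host-name lab-router
set system login user auditor1 class read-only
set system login user auditor2 class operator
set system login user netadmin class super-user
set system login user auditor3 class audit-custom
"""

if __name__ == "__main__":
    accounts = ["auditor1", "auditor2", "auditor3", "auditor4"]
    for user, reason in audit_findings(SAMPLE, accounts).items():
        print(f"{user}: {reason}")
```

Only `auditor1` passes; the operator-class account is flagged because it can still clear or reset state, which the auditing policy in the question does not allow.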