You can get very granular with these, limiting certain commands to certain interfaces or just to config sections / op commands.

http://www.juniper.net/techpubs/en_US/junos11.1/topics/concept/authentication-regular-expressions-usage-allow-deny-command-overview.html?searchid=1324588522904

Also looking in the device help is a good place.

System > Login > Class > [class name] > Permissions ?

  [                               Open a set of values
  access                          Can view access configuration
  access-control                  Can modify access configuration
  admin                           Can view user accounts
  admin-control                   Can modify user accounts
  all                             All permission bits turned on
  clear                           Can clear learned network info
  configure                       Can enter configuration mode
  control                         Can modify any config
  field                           Can use field debug commands
  firewall                        Can view firewall configuration
  firewall-control                Can modify firewall configuration
  floppy                          Can read and write the floppy
  flow-tap                        Can view flow-tap configuration
  flow-tap-control                Can modify flow-tap configuration
  flow-tap-operation              Can tap flows
  idp-profiler-operation          Can Profiler data
  interface                       Can view interface configuration
  interface-control               Can modify interface configuration
  maintenance                     Can become the super-user
  network                         Can access the network
  pgcp-session-mirroring          Can view pgcp session mirroring configuration
  pgcp-session-mirroring-control  Can modify pgcp session mirroring configuration
  reset                           Can reset/restart interfaces and daemons
  rollback                        Can rollback to previous configurations
  routing                         Can view routing configuration
  routing-control                 Can modify routing configuration
  secret                          Can view secret statements
  secret-control                  Can modify secret statements
  security                        Can view security configuration
  security-control                Can modify security configuration
  shell                           Can start a local shell
  snmp                            Can view SNMP configuration
  snmp-control                    Can modify SNMP configuration
  system                          Can view system configuration
  system-control                  Can modify system configuration
  trace                           Can view trace file settings
  trace-control                   Can modify trace file settings
  view                            Can view current values and statistics
  view-configuration              Can view all configuration (not including secrets)
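Added example, not part of the original post and not Juniper's own configuration: two least-privilege login classes that combine the permission flags listed above with the allow/deny regular expressions from the linked documentation. The class names, user names, interface name and regex patterns are hypothetical; check the patterns with a test login on your own release before relying on them.

```junos
system {
    login {
        /* Hypothetical read-only class: view flags only, plus one
           extra operational command granted by regex. */
        class noc-readonly {
            permissions [ view view-configuration network ];
            /* Grant a command that the flags above do not include. */
            allow-commands "clear interfaces statistics .*";
            /* Remove outbound sessions that the network flag would
               otherwise permit. */
            deny-commands "(ssh .*)|(telnet .*)";
        }
        /* Hypothetical class limited to one config section: can enter
           configuration mode but holds no *-control flag, so write
           access comes only from the allow-configuration regex. */
        class iface-operator {
            permissions [ configure view view-configuration ];
            /* Constructed pattern: a single interface hierarchy. */
            allow-configuration "interfaces ge-0/0/0 .*";
        }
        /* Hypothetical users bound to the classes above. */
        user noc1 {
            class noc-readonly;
        }
        user ifop1 {
            class iface-operator;
        }
    }
}
```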
I have a similar issue. I am using ADAM for my LDAP, and my SSG firewalls auth fine, but when I try to auth the same user in the SA, it isn't found in the searches? My users do have a CN.