Hello,

As far as I know, the activate/deactivate knobs are tied to the user's
permissions, meaning that if a user can edit a level of the configuration,
he/she can also always use activate/deactivate, since they're not
really 'commands' from that perspective. (Again, I may be wrong.)

Another option for you would be to use the 'deny-configuration' statement
for this particular class, to prevent reaching that part of the
configuration. This will, however, also result in the members of this class
not seeing those sections of the configuration (e.g. interfaces xe-0/0/0)
when they do a show command in edit mode.

For example:

[edit system login class Class1]
[EMAIL PROTECTED] show
permissions all;
deny-configuration "^interfaces xe-0/0/3|^interfaces xe-0/0/2";

The members of class 'Class1' will have the rights to alter the whole
configuration except interfaces xe-0/0/3 and xe-0/0/2. They also won't
be able to see the configuration for those interfaces when they do a
show command.

I understand this is not exactly what you're after and I'm confident
someone would correct me if there's anything I'm missing.

Cheers,
Erdem


On Mon, Nov 10, 2008 at 5:04 PM, German Martinez
<[EMAIL PROTECTED]> wrote:
> On Tue Apr 22, 2008, Brian Pavane wrote:
>
> Hello Brian,
> Did you have any luck with this task? Anything that you are willing
> to share is really welcome
>
> Thanks
> German
>
>> I am currently working on a security profile that requires me to
>> prohibit certain deactivate/activate commands from being issued by a
>> certain class of users.  I am looking to add this to my current TACACS
>> configuration (tac_plus); however, I have been unable as of yet to get
>> the router to properly authorize these commands.
>>
>>  From what I can tell, these need to be placed in the "deny-commands"
>> section rather than the "deny-configuration" section of TACACS... but I
>> may be wrong (I've tried both).
>>
>> Has anyone done this in the past?  If so, could you share this portion
>> of your tacacs.conf?
>>
>> Thank you.
>>
>> -Brian
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
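As an added check (not from the thread or from Junos itself), the Python below previews which statements a deny-configuration regex such as the one in the Class1 example hides from the class, and flags the case where an alternative like `^interfaces xe-0/0/2` has nothing anchoring the end of the name and so also hides xe-0/0/20. It assumes the regex is matched against each statement's hierarchy path as typed in configuration mode; the path list is constructed sample data.

```python
import re

# Constructed sample statements written as hierarchy paths, the way they are
# typed in configuration mode. Assumption (not checked against Junos
# internals): this is the string the deny-configuration regex is matched on.
SAMPLE_PATHS = [
    "interfaces xe-0/0/0 unit 0 family inet address 10.0.0.1/30",
    "interfaces xe-0/0/2 unit 0 family inet address 10.0.0.5/30",
    "interfaces xe-0/0/3 description uplink",
    "interfaces xe-0/0/20 unit 0 family inet address 10.0.0.9/30",
    "protocols bgp group ebgp neighbor 10.0.0.2",
    "system login class Class1 permissions all",
]

# The pattern from the thread, exactly as it appears in the login class.
DENY_PATTERN = r"^interfaces xe-0/0/3|^interfaces xe-0/0/2"


def hidden_paths(pattern, paths):
    """Statements the regex matches: members of the class can neither edit
    them nor see them in 'show' output in configuration mode."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def visible_paths(pattern, paths):
    """What a member of the class still sees and may edit."""
    hidden = set(hidden_paths(pattern, paths))
    return [p for p in paths if p not in hidden]


def unintended_hidden(pattern, paths, intended_ifds):
    """Hidden 'interfaces' statements whose interface is not one the operator
    meant to deny. With nothing anchoring the end of the name,
    '^interfaces xe-0/0/2' also hides xe-0/0/20."""
    return [p for p in hidden_paths(pattern, paths)
            if p.split()[0] == "interfaces" and p.split()[1] not in intended_ifds]


def tightened(pattern):
    """Append '( |$)' to each alternative so the interface name must end there.
    Only alternation, anchors and a literal space are used, so the result
    stays usable in a POSIX-style regex engine as well."""
    return "|".join(alt + "( |$)" for alt in pattern.split("|"))


if __name__ == "__main__":
    wanted = {"xe-0/0/2", "xe-0/0/3"}
    print("over-matched:", unintended_hidden(DENY_PATTERN, SAMPLE_PATHS, wanted))
    print("hidden now  :", hidden_paths(tightened(DENY_PATTERN), SAMPLE_PATHS))
```

Run it against a path list exported from your own configuration before committing the login class, and compare the hidden set with what the class is meant to lose.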