Diffstat (limited to 'docs/juniper.md')
-rw-r--r--  docs/juniper.md  44
1 files changed, 31 insertions, 13 deletions
diff --git a/docs/juniper.md b/docs/juniper.md
index e64c133..fd5a6b9 100644
--- a/docs/juniper.md
+++ b/docs/juniper.md
@@ -1,6 +1,6 @@
-# Looking Glass: Juniper JunOS configuration and tips.
+# Looking Glass: Juniper JUNOS configuration and tips.
-Juniper JunOS support is rather straightforward with JunOS versions from the
+Juniper JUNOS support is rather straightforward with JUNOS versions from the
last decade and afterwards.
## Security and user access
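Review bot: the rename in the title and first sentence is purely cosmetic, and the new spelling `JUNOS` still does not match the vendor's own product name, which Juniper writes as `Junos` (Junos OS); if the point of the change is consistency with vendor naming, `Junos` is the form to use in both lines.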
@@ -9,20 +9,33 @@ As security by least privilege is quite efficient, using a restricted user to
execute the commands is advised.
A super-user access is not necessary, a read-only user is not sufficient
-though. The best role for the user that will be used by the looking glass is
-the operator class.
-
-It is still possible to define a user with access to specific commands. This
-case will not be covered (at least for now).
+though. The operator class would be good enough. It is better to define a new
+class with access to specific commands to restrict the looking glass user to
+what it actually needs (no more, no less).
## Configuration: User Class
Log in your Juniper router and get in CLI mode if necessary, type the
-following commands:
+following commands to create a new class for looking glass users:
+
+```
+[edit]
+user@router# set system login class looking-glass permissions view-configuration
+[edit]
+user@router# set system login class looking-glass allow-commands "(show)|(ping)|(traceroute)"
+[edit]
+user@router# set system login class looking-glass deny-commands "(clear)|(file)|(file show)|(help)|(load)|(monitor)|(op)|(request)|(save)|(set)|(start)|(test)"
+[edit]
+user@router# set system login class looking-glass allow-configuration show
+[edit]
+user@router# set system login class looking-glass deny-configuration all
+```
+
+Now a new user can be created with the brand new **looking-glass** class:
```
[edit]
-user@router# set system login user <username> class operator
+user@router# set system login user <username> class looking-glass
```
For security purpose, it is highly recommended to use an authentication
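Review bot: the `deny-commands` regex in `set system login class looking-glass deny-commands "(clear)|(file)|(file show)|..."` lists `(file show)` next to `(file)`, which already matches every `file` command, so the extra alternative is redundant and should be dropped to keep the list readable. More importantly, the surrounding prose should state what the class actually exposes: `allow-commands "(show)|(ping)|(traceroute)"` grants every `show` subcommand, including `show configuration`, which is why it is paired with `permissions view-configuration`, and `ping`/`traceroute` let the looking glass user generate traffic from the router toward arbitrary destinations. A sentence explaining that, and whether the long `deny-commands` list is required given that the class carries no other permissions or is only a safety net, would stop a later maintainer from guessing when editing the regexes.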
@@ -46,11 +59,18 @@ You can then check your commit and save the configuration if everything seems
to be ok.
```
-[edit]
user@router# show | compare
[edit system login]
++ class looking-glass {
++ permissions view-configuration;
++ allow-commands "(show)|(ping)|(traceroute)";
++ deny-commands "(clear)|(file)|(file show)|(help)|(load)|(monitor)|(op)|(request)|(save)|(set)|(start)|(test)";
++ allow-configuration show;
++ deny-configuration all;
++ }
+[edit system login]
+ user lg {
-+ class operator;
++ class looking-glass;
+ authentication {
+ ...
+ }
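Review bot: deleting the `-[edit]` line leaves `user@router# show | compare` as the only prompt in the document not preceded by `[edit]`, which is inconsistent with every other code block in this file, including the `commit check` block right after it; either keep the line or drop the `[edit]` prefix everywhere. The added `++ deny-commands ...` line in the expected output must also match the command in the earlier block character for character (it does here), so it would be worth noting in the text whether this output was captured from a real session or written by hand, so readers know how closely to expect their own `show | compare` to match.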
@@ -59,8 +79,6 @@ user@router# show | compare
[edit]
user@router# commit check
[edit]
-user@router# commit confirmed 1
-[edit]
user@router# commit
```
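Review bot: removing `commit confirmed 1` takes away the automatic rollback if the change turns out to break access after it is applied; `commit check` only validates the candidate configuration, it does not protect against a bad commit. Since this section edits login classes and users, the safer procedure is to keep `commit confirmed` and then the plain `commit` to confirm it within the timeout; if the line was dropped because it confused readers, the text should at least mention it as the recommended option rather than silently removing it.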