
Customizing an access-control role to restrict user access to specific commands

The cluster administrator can restrict a user's access to only specific commands by customizing an access-control role with specified commands and mapping the user account to the role.

Steps

  1. Create a customized access-control role that is restricted to only the specified command or commands by using the security login role create command with the -cmddirname parameter.
    The security login role show command displays the commands that a role can access.
  2. Create a login method for a user account and map it to the customized role by using the security login create command with the -role parameter.

Examples of customizing an access-control role to restrict user account access

The following example creates an access-control role named "vol_snapshot", which has access to only the volume snapshot commands, and a "vs1" Storage Virtual Machine (SVM, formerly known as Vserver) user account named "snapshot_admin", which is assigned the "vol_snapshot" role. The user has full access to the volume snapshot commands, as defined by the role. The user accesses the SVM by using SSH and authenticates with a password.

cluster1::> security login role create -vserver vs1 -role vol_snapshot 
-cmddirname "volume snapshot" 

cluster1::> security login role show -vserver vs1 -role vol_snapshot
           Role          Command/                               Access
Vserver    Name          Directory                        Query Level
---------- ------------- --------- ---------------------------- --------
vs1        vol_snapshot  DEFAULT                                none
vs1        vol_snapshot  volume snapshot                        all
2 entries were displayed.

cluster1::> security login create -vserver vs1 -user-or-group-name snapshot_admin 
-application ssh -authmethod password -role vol_snapshot 

Please enter a password for user 'snapshot_admin': 
Please enter it again: 

cluster1::> 

The following example creates an access-control role named "sec_login_readonly". The role is customized to have read-only access to the security login directory but no access to the security login domain-tunnel, security login publickey, or security login role subdirectories. As a result, the role can access only the security login show command. A cluster user account named "new_admin" is then created and assigned the "sec_login_readonly" role. The user accesses the cluster by using the console and authenticates with a password.

cluster1::> security login role create -vserver cluster1 -role sec_login_readonly 
-cmddirname "security login" -access readonly

cluster1::> security login role create -vserver cluster1 -role sec_login_readonly 
-cmddirname "security login domain-tunnel" -access none

cluster1::> security login role create -vserver cluster1 -role sec_login_readonly 
-cmddirname "security login publickey" -access none

cluster1::> security login role create -vserver cluster1 -role sec_login_readonly 
-cmddirname "security login role" -access none

cluster1::> security login role show -vserver cluster1 -role sec_login_readonly 
  (security login role show)
           Role                 Command/                         Access
Vserver    Name                 Directory                  Query Level
---------- -------------------- --------- ---------------------- --------
cluster1   sec_login_readonly   DEFAULT                          none
cluster1   sec_login_readonly   security login                   readonly
cluster1   sec_login_readonly   security login domain-tunnel     none
cluster1   sec_login_readonly   security login publickey         none
cluster1   sec_login_readonly   security login role              none
5 entries were displayed.

cluster1::> security login create -vserver cluster1 -user-or-group-name new_admin 
-application console -authmethod password -role sec_login_readonly

Please enter a password for user 'new_admin':
Please enter it again:

cluster1::>
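As an added example (not NetApp's code or part of this page), the following script audits a customized role from the output of the security login role show command, as produced in the examples above. It assumes, as the "sec_login_readonly" example illustrates, that the most specific command directory matching a command decides the access level and that DEFAULT applies only when no listed directory matches; the table it parses is constructed here by combining the rows of both roles shown above.

```python
"""Audit ONTAP access-control roles from 'security login role show' output.

Added example, not NetApp's code. Assumption: the longest command-directory
entry that is a prefix of a command decides its access level; DEFAULT applies
when no listed directory matches.
"""
import re

# Constructed sample in the page's table layout, combining both roles shown above.
ROLE_SHOW_OUTPUT = """\
           Role                 Command/                         Access
Vserver    Name                 Directory                  Query Level
---------- -------------------- --------- ---------------------- --------
vs1        vol_snapshot         DEFAULT                          none
vs1        vol_snapshot         volume snapshot                  all
cluster1   sec_login_readonly   DEFAULT                          none
cluster1   sec_login_readonly   security login                   readonly
cluster1   sec_login_readonly   security login domain-tunnel     none
cluster1   sec_login_readonly   security login publickey         none
cluster1   sec_login_readonly   security login role              none
7 entries were displayed.
"""

# vserver, role name, command directory (may contain spaces), access level
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(.+?)\s+(all|readonly|none)\s*$")


def parse_role_show(text):
    """Return {(vserver, role): {command_directory: access}} from the CLI table."""
    roles = {}
    for line in text.splitlines():
        m = ROW.match(line)  # header, separator and trailer lines do not match
        if m:
            vserver, role, cmddir, access = m.groups()
            roles.setdefault((vserver, role), {})[cmddir.strip()] = access
    return roles


def effective_access(entries, command):
    """Access level a role grants to a full command such as 'security login show'."""
    best = None
    for cmddir in entries:
        if cmddir != "DEFAULT" and (command == cmddir or command.startswith(cmddir + " ")):
            if best is None or len(cmddir) > len(best):
                best = cmddir  # the most specific matching directory wins
    return entries[best] if best else entries.get("DEFAULT", "none")


def audit(entries):
    """Findings for a role: a DEFAULT other than 'none' grants every unlisted directory."""
    default = entries.get("DEFAULT", "none")
    return [] if default == "none" else [f"DEFAULT is {default}, not none"]
```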