Subscribe

Customized RBAC in cDOT 8.2.3

Hello, comrades!

 

So, our shop is relatively small, and I'm basically the only storage guy. Things are changing, though, and I need to pass off some lightweight, repeatable, and relatively low-impact duties to a handful of NOC folks. I don't want to give them the keys to the kingdom, so I want to cook up a new role for them that can do the stuff they need to do. Specifically they'll need to be able to run regular health checks (as our environment doesn't allow for automatic ASUP uploads), and to provision storage. 

 

I get how to create a security role in cDOT (sec login role create -role NOC -access readonly -cmddirname "cluster peer show" or ... -access all -cmddirname "volume modify" and stuff like that). What I'm not sure about whether I can allow this role to set diag and run diagnostic privileged commands, and if I can, how to do it? Is it as simple as ... -access all -cmddirname "set"? What unintended consequences and privileges, if any, would I be conferring on this role if I did that?

 

Thanks all!