Read Only User

I'd like to be able to secure an API user that would have read-only access to the filer. Going through RBAC, this seems possible, but there are too many options to successfully create a role based on this. The command errors as it's too long, and if I load it into a text file and run it using source, it reports the command is too long. I won't post the full list of "api-" RBAC roles I want to give the user as it's a bit big!

Is there an easy way of creating a read-only api-* user?

Re: Read Only User

Hi Chris,

There is no easy way to create a role with privilege to access all read-only APIs. If you create a privilege with api-* then it provides access to all the APIs. You have to explicitly list out read only APIs like api-system-*, api-qtree-list-*.

Thanks,

Rashmi.

Re: Read Only User

Thanks for the reply. However, that's the problem I have. I've been through all the api- roles and highlighted the read-only ones, but the command line input buffer isn't long enough to accept this into a single role. If there was a way that I could add additional settings to an existing role, then I could build this up, but there doesn't seem to be; it just overwrites the existing settings.

Re: Read Only User

You can use useradmin category APIs to overcome the limitations of CLI.

Thanks,

Rashmi.

Re: Read Only User

Maybe you can break the api-* list to multiple roles, each one having different apis as capabilities. Then add these roles to a group, then assign a read only user to this group.

For example, create the roles you need.

Name: testrole

Info:

Allowed Capabilities: api-*

Name: login

Info:

Allowed Capabilities: cli-*,login-ssh,login-telnet

Create a group for these roles:

Name: testgrp

Info:

Rid: 131085

Roles: testrole,login

Assign user to this role.

Name: testuser

Info:

Rid: 131092

Groups: testgrp

Let me know if this works!
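
The split-into-several-roles approach from the last reply can be scripted. The following is an added example, not part of the original thread: it packs an explicit capability list into as many roles as needed to stay under a command length limit, then emits the group and user commands. The 80-character limit, the role, group and user names, the `login-http-admin` login capability and every sample capability other than the two patterns named in the thread are assumptions.

```python
# Added example. Names, the limit and the sample list are assumptions; replace
# SAMPLE_CAPS with your own reviewed list of read-only api- capabilities.
MAX_CMD_LEN = 80                 # assumed; the thread gives no buffer size
LOGIN_CAP = "login-http-admin"   # assumed login capability for API-only access
SAMPLE_CAPS = ["api-system-*", "api-qtree-list-*",      # named in the thread
               "api-volume-list-info", "api-snapshot-list-info",
               "api-aggr-list-info", "api-disk-list-info"]  # constructed


def build_commands(caps, user="apiro", prefix="ro_api", max_len=MAX_CMD_LEN):
    """Return useradmin commands spreading caps over several roles,
    with every command at most max_len characters long."""
    def role_cmd(name, chunk):
        return f"useradmin role add {name} -a {','.join(chunk)}"

    roles, cmds, chunk = [], [], []
    for cap in sorted(set(caps)):
        # api-* grants every API, so it must never enter a read-only role;
        # cli-* and login-* entries are rejected here as well.
        if cap == "api-*" or not cap.startswith("api-"):
            raise ValueError(f"not an explicit api- capability: {cap!r}")
        name = f"{prefix}_{len(roles) + 1}"
        if len(role_cmd(name, [cap])) > max_len:
            raise ValueError(f"{cap!r} does not fit in one command")
        if len(role_cmd(name, chunk + [cap])) > max_len:
            roles.append(name)              # current role is full: emit it
            cmds.append(role_cmd(name, chunk))
            chunk = []
        chunk.append(cap)
    if chunk:
        name = f"{prefix}_{len(roles) + 1}"
        roles.append(name)
        cmds.append(role_cmd(name, chunk))

    login_role, group = f"{prefix}_login", f"{prefix}_grp"
    cmds.append(f"useradmin role add {login_role} -a {LOGIN_CAP}")
    cmds.append(f"useradmin group add {group} -r {','.join(roles + [login_role])}")
    cmds.append(f"useradmin user add {user} -g {group}")
    if any(len(c) > max_len for c in cmds):
        raise ValueError("a command exceeds the limit; shorten names or raise max_len")
    return cmds


if __name__ == "__main__":
    print("\n".join(build_commands(SAMPLE_CAPS)))
```

The login role here carries only the API login capability instead of `cli-*`, so the account gets no CLI command access beyond what the listed api- capabilities allow.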