2009-03-03 11:16 AM
I'd like to be able to secure an API user that would have read-only access to the filer. Going through RBAC, this seems possible, but there are too many options to successfully create a role based on this. The command errors as it's too long, and if I load it into a text file and run it using source, it reports the command is too long. I won't post the full list of "api-" RBAC roles I want to give the user as it's a bit big!
Is there an easy way of creating a read-only api-* user?
2009-03-04 02:16 AM
There is no easy way to create a role with privilege to access all read-only APIs. If you create a privilege with api-* then it provides access to all the APIs. You have to explicitly list out read-only APIs like api-system-*, api-qtree-list-*.
2009-03-04 02:20 AM
Thanks for the reply. However, that's the problem I have. I've been through all the api- roles and highlighted the read-only ones, but the command line input buffer isn't long enough to accept this into a single role. If there was a way that I could add additional settings to an existing role, then I could build this up, but there doesn't seem to be; it just overwrites the existing settings.
2009-03-04 02:29 AM
Maybe you can break the api-* list into multiple roles, each one having different APIs as capabilities. Then add these roles to a group, then assign a read-only user to this group.
For example, create the roles you need.
Allowed Capabilities: api-*
Allowed Capabilities: cli-*,login-ssh,login-telnet
Create a group for these roles:
Assign user to this role.
Let me know if this works!
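The splitting approach suggested in the last reply, as an added example that is not part of the original thread: a generator that spreads an explicit read-only capability list over several roles so that no single command exceeds the input buffer, then ties the roles to one group and one user. The `useradmin role add / group add / user add` syntax, the `max_len` value, the role, group and user names, and the sample capabilities other than `api-system-*` and `api-qtree-list-*` are assumptions, since the thread does not show them.

```python
# Capabilities that would grant far more than read-only API access.
TOO_BROAD = {"*", "api-*", "cli-*", "login-*", "security-*"}

# Constructed sample list; replace with the read-only APIs you identified.
# login-http-admin is assumed to be the login capability API clients need.
SAMPLE_CAPS = [
    "login-http-admin", "api-system-*", "api-qtree-list-*",
    "api-volume-list-info", "api-snapshot-list-info", "api-aggr-list-info",
]


def build_readonly_commands(capabilities, user, group="api_ro_group",
                            role_prefix="api_ro", max_len=200):
    """Return filer CLI lines, each at most max_len characters long."""
    caps = []
    for cap in (c.strip() for c in capabilities):
        if cap in TOO_BROAD:
            raise ValueError(f"{cap!r} is not read-only; list APIs explicitly")
        if cap and cap not in caps:          # drop blanks and duplicates
            caps.append(cap)
    if not caps:
        raise ValueError("no capabilities given")

    def role_cmd(index, chunk):
        # Assumed syntax: useradmin role add <name> -a <cap>[,<cap>...]
        return f"useradmin role add {role_prefix}{index} -a {','.join(chunk)}"

    chunks = [[]]
    for cap in caps:
        # Start a new role when adding this capability would overflow the line.
        if chunks[-1] and len(role_cmd(len(chunks), chunks[-1] + [cap])) > max_len:
            chunks.append([])
        chunks[-1].append(cap)

    roles = [f"{role_prefix}{i}" for i in range(1, len(chunks) + 1)]
    commands = [role_cmd(i, chunk) for i, chunk in enumerate(chunks, 1)]
    commands.append(f"useradmin group add {group} -r {','.join(roles)}")
    commands.append(f"useradmin user add {user} -g {group}")

    too_long = [c for c in commands if len(c) > max_len]
    if too_long:
        raise ValueError(f"cannot fit within {max_len} characters: {too_long[0]}")
    return commands


if __name__ == "__main__":
    print("\n".join(build_readonly_commands(SAMPLE_CAPS, "monitor")))
```

Review the generated lines before pasting them into the filer, and list the resulting roles afterwards to confirm none of them carries a broad wildcard.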