2016-04-07 01:59 AM
An application needs special access to a SnapLock- Volume (api-*,login-http-admin). For tests I created 2 vFiler to separate access and data from other volumes and application on a simulator. I have used following commands to create the special access on vfiler1:
vfiler run vfiler1 useradmin group add f1app
vfiler run vfiler1 useradmin user add f1appuser -g f1app
vfiler run vfiler1 useradmin role add f1api_commands -c "Role for executing API commands on vfiler1" -a api-*,login-http-admin
vfiler run vfiler1 useradmin group modify f1app -r f1api_commands
I have to be sure that there is no way to get access with “f1appuser” to the basesystem (vfiler0) or other vfiler. A college thinks with “login-http-admin” access within vfiler1 it is possible to get access to the basesystem (vfiler0) or manipulate something on basesystem.
Is the any chance for “f1appuser” to get access outside of vfiler1?
Thanks and regards