Network and Storage Protocols

CIFS role based access control

SALVATORE_PUGLISI
3,002 Views

Hello all

I created a vfiler for one of our customers to use as a CIFS server. The customer should be able to administer CIFS by himself over the MMC.

I created a group CIFSAdmins and attached the a new role with the following capabilities: api-cifs-list-*,api-cifs-session-*,api-cifs-share-*,api-quota-*,api-cifs-homedir-*

The strange issue is that with this capabilities an ACCESS DENIED message is displayed on shares. For testing purposes I added the customer to the power user group, everything works fine but the customer is still able to change the members of the local groups. The default capabilities for the power user group is

Name:    power

Info:

Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh

So I changed the power role to

Name:    power

Info:

Allowed Capabilities: cli-cifs*,api-cifs-*,login-telnet,login-http-admin,login-rsh,login-ssh

but no change happened, still able to create new groups and change the members of the group.

Which capabilities should be allowed on a rule to have the rights to only do CIFS administration tasks?

Regards.

Sal

1 REPLY 1

shaunjurr
3,002 Views

I feel your pain, Sal... RBAC is a real PITA...

What do you consider "CIFS administration"?  What do you want the user to NOT be able to do?

Public