https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/useradmin-how-to-exclude-capabilities-from-roles/m-p/9386#M1947 <HTML><HEAD></HEAD><BODY><P>When creating custom roles with "useradmin", how can I exclude specific capabilities? </P><P>For example, to allow a user access to cli commands I include "cli-*" in my "useradmin role -a" command.</P><P>But what if I wanted to exclude access to specific commands, such as not allowing this role to use the "sis" command? From what I can see the only way to achieve this is implicitly list each and every cli command available with the exception of the one I wish to exclude - which I'd rather avoid if possible.</P><P></P><P>Thanks,</P><P>Luke </P></BODY></HTML> Thu, 05 Jun 2025 06:50:22 GMT lukemulcahy 2025-06-05T06:50:22Z https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/useradmin-how-to-exclude-capabilities-from-roles/m-p/9386#M1947 <HTML><HEAD></HEAD><BODY><P>When creating custom roles with "useradmin", how can I exclude specific capabilities? </P><P>For example, to allow a user access to cli commands I include "cli-*" in my "useradmin role -a" command.</P><P>But what if I wanted to exclude access to specific commands, such as not allowing this role to use the "sis" command? From what I can see the only way to achieve this is implicitly list each and every cli command available with the exception of the one I wish to exclude - which I'd rather avoid if possible.</P><P></P><P>Thanks,</P><P>Luke </P></BODY></HTML> Thu, 05 Jun 2025 06:50:22 GMT https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/useradmin-how-to-exclude-capabilities-from-roles/m-p/9386#M1947 lukemulcahy 2025-06-05T06:50:22Z https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/useradmin-how-to-exclude-capabilities-from-roles/m-p/9391#M1949 <HTML><HEAD></HEAD><BODY><P> As far as I know it's not possible to do what you're asking, at least not according to the documentation. I imagine the planning behind it is that it's very unlikely that someone will create a role and give it permissions for all CLI commands bar one or two. An admin is more likely to create a new role and apply a specific number of fairly low level capabilities to it, otherwise they may as well assign one of one the predefined roles with the more open permissions.</P><P>If you wanted to you could submit an RFE case for this but I have the sneaking feeling you wouldn't be the first....</P></BODY></HTML> Tue, 19 Jul 2011 05:55:18 GMT https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/useradmin-how-to-exclude-capabilities-from-roles/m-p/9391#M1949 andrc 2011-07-19T05:55:18Z https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/useradmin-how-to-exclude-capabilities-from-roles/m-p/9395#M1950 <HTML><HEAD></HEAD><BODY><P>Luke,</P><P></P><P>Exclusions of capabilities can't be done in the 7-mode versions of ONTAP.</P><P>You're not the only one who has asked for it <SPAN __jive_emoticon_name="wink" __jive_macro_name="emoticon" class="jive_macro jive_macro_emoticon" src="https://community.netapp.com/4.5.5/images/emoticons/wink.gif"></SPAN></P><P>There are business sectors and environments where roles need to be carefully defined and not having the ability exclude has led to the creation of some very cumbersome Role Based Access Control policies.</P><P>If c-mode uses the same style command tree as GX did, exclusions will be possible.</P><P>No help for you right now of course but a potential light at the end of the tunnel perhaps!</P><P></P><P>Richard</P></BODY></HTML> Tue, 19 Jul 2011 18:50:43 GMT https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/useradmin-how-to-exclude-capabilities-from-roles/m-p/9395#M1950 RichardSopp 2011-07-19T18:50:43Z