Active IQ Unified Manager Discussions

cli-cifs?

MRJORDANG
3,693 Views

Hello,

 

 

Does the "cli-cifs" privilege limit an ONTAP user to read only privileges?    I'd like to restrict a user to the ability to view cifs shares but not the ability to make any changes.   

 

 

DATA ONTAP 8.1.4P9 7-Mode

 

Thanks,

MRJG

4 REPLIES 4

rwelshman
3,682 Views

no, it will allow access to the entire cifs family of commands. It is very difficult to create read-only access to the filers. They can view the shares using "computer management" on their workstation and connecting to the filer.

MRJORDANG
3,674 Views

Thank you for the response.   Then what is the difference between the following two privileges?

 

cli-cifs

cli-cifs*

 

I thought the same thing you mentioned, but then I discovered documentation that includes the cli-cifs* privilege which I would think allows access to the entire subset of cifs commands.

rwelshman
3,670 Views

I'm pretty sure that if you just specify cli-cifs without the *, the user could only use "cifs" which won't give them any results.

MRJORDANG
3,668 Views

Would love to find some documentation that validates your statement.   Best I can find is the following:

 

 

"The format for this is cli-* , which means allow all the commands and subcommands. (cli-<command> just means the command and NO subcommands.) " 
http://www.netapp.com/us/media/tr-3358.pdf

 

But then, as you mentioned, just allowing the capability to run the "cifs" command (no other arguments) should effectively do nothing except provide the help output for the cifs command.    Yet, I see in the following in the messages file when a user attempts to execute "cifs shares":

 

"User 'testuser' denied access - missing required capability:  'cli-cifs'"




Public