useradmin: how to exclude capabilities from roles

lukemulcahy · ‎2011-07-18

When creating custom roles with "useradmin", how can I exclude specific capabilities?

For example, to allow a user access to cli commands I include "cli-*" in my "useradmin role -a" command.

But what if I wanted to exclude access to specific commands, such as not allowing this role to use the "sis" command? From what I can see the only way to achieve this is implicitly list each and every cli command available with the exception of the one I wish to exclude - which I'd rather avoid if possible.

Thanks,

Luke

andrc · ‎2011-07-18

As far as I know it's not possible to do what you're asking, at least not according to the documentation. I imagine the planning behind it is that it's very unlikely that someone will create a role and give it permissions for all CLI commands bar one or two. An admin is more likely to create a new role and apply a specific number of fairly low level capabilities to it, otherwise they may as well assign one of one the predefined roles with the more open permissions.

If you wanted to you could submit an RFE case for this but I have the sneaking feeling you wouldn't be the first....

RichardSopp · ‎2011-07-19

Luke,

Exclusions of capabilities can't be done in the 7-mode versions of ONTAP.

You're not the only one who has asked for it

There are business sectors and environments where roles need to be carefully defined and not having the ability exclude has led to the creation of some very cumbersome Role Based Access Control policies.

If c-mode uses the same style command tree as GX did, exclusions will be possible.

No help for you right now of course but a potential light at the end of the tunnel perhaps!

Richard