ONTAP Discussions

Creating User Roles for Read-Only Access?

marshit-sie

Hello All,


I have a task per a 3rd-party vendor to give read-only access to a user and create a set of roles. Now some of these roles, when you apply them, say a few things. Some say "command failed: invalid operation", others say "command failed: a Vserver admin cannot use command directory "cluster" with access level "read-only"; use different access level".


Does anyone know of a proper document that shows all of the cluster-level vs. SVM-level commands available?

1 Reply

TMACMD

This is being discussed in Discord.

Bottom line is this:

If all the commands that need to run can live in an SVM, create an SVM role and add the full commands.

If the commands that need to run are a mix of cluster and SVM, create the role in the cluster.

You may need/want to use the -query argument for the commands.

Typically, you want to specify the least amount of access to get the job done,

like this for a cluster:

-cmddir "network interface service-policy show" -query "-vserver abc"

-> limits the user role to ONLY look at the service-policies for specifically the vserver abc. I can take this further!

-cmddir "network interface service-policy show" -query "-vserver abc -policy default-data-files"

-> limits the user role to ONLY look at the service-policies for specifically the vserver abc and only the specified policy!


It is important to use the fullest command possible to limit access and do not abbreviate commands!
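The reply above describes the approach but does not show the full clustershell commands. The following is an added example, not part of the original post, of what a complete least-privilege cluster-scoped role built that way looks like. The cluster name cluster1, the role name vendor_ro, the login name vendor_svc and the extra command directories "volume show" and "lun show" are assumptions for illustration; the vserver abc and the "network interface service-policy show" directory come from the reply. Each `security login role create` line adds one entry to the same role, always using the full, unabbreviated command directory name and a -query that pins it to vserver abc:

```text
cluster1::> security login role create -vserver cluster1 -role vendor_ro -cmddirname DEFAULT -access none
cluster1::> security login role create -vserver cluster1 -role vendor_ro -cmddirname "network interface service-policy show" -access readonly -query "-vserver abc"
cluster1::> security login role create -vserver cluster1 -role vendor_ro -cmddirname "volume show" -access readonly -query "-vserver abc"
cluster1::> security login role create -vserver cluster1 -role vendor_ro -cmddirname "lun show" -access readonly -query "-vserver abc"
cluster1::> security login role show -vserver cluster1 -role vendor_ro
cluster1::> security login create -vserver cluster1 -user-or-group-name vendor_svc -application ssh -authentication-method password -role vendor_ro
```

The explicit `DEFAULT -access none` entry makes the deny-by-default posture visible in `security login role show` rather than relying on it being implied, so anything not listed is refused outright. If every directory the vendor needs is SVM-scoped (as "volume show" and "lun show" are), the same entries can instead be created with `-vserver abc` to get an SVM role, which avoids the "a Vserver admin cannot use command directory" error from the question because no cluster-level directory is involved. After creating the login, verify the restriction by logging in as that user and confirming that `volume show -vserver <another SVM>` returns nothing while `volume show -vserver abc` works.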
