I need to create a user for Config Advisor. Config Advisor is going to be run by someone who is not a member of the storage team; in fact, they are an external partner engaged by a different team. I want to restrict privileges as much as possible.
I tried basing a user on the "READONLY" role but it will not get past the "Test Login" button. It seems to require the use of the command "system node run" which is a bit of a problem.
This is what I came up with:
security login role
create -role confadvisor -cmddirname "DEFAULT" -access readonly
create -role confadvisor -cmddirname "security" -access none
create -role confadvisor -cmddirname "security login password" -access all
create -role confadvisor -cmddirname "set" -access all
create -role confadvisor -cmddirname "system node run" -access all
config show -role confadvisor -instance
show -role confadvisor
security login
create -username thirdp -role confadvisor -application ssh -authmethod password
create -username thirdp -role confadvisor -application http -authmethod password
create -username thirdp -role confadvisor -application ontapi -authmethod password
create -username thirdp -role confadvisor -application console -authmethod password
create -username thirdp -role confadvisor -application service-processor -authmethod password
show -username thirdp
I am really not happy with allowing "system node run" since there is enough privilege there to destroy a system.
- Can I do better than the above?
- Should I just insist on being present to enter the password?
Thanks for your help.