ONTAP Discussions
Hi,
I want to provide an auditor CLI access to our NetApp system. I obviously don't want to give this person root access or even compliance or power user. What I want is to create a new user with access to only certain commands - or rather only commands with specific flags. For example, I want to give this person access to "lun show -m" rather than "lun offline". If I create a new profile for this user, I'm only able to add "cli-lun" which gives access to all the sub-commands under it. Does anyone know a way to do this?
Thanks in advance.
Hi
You need to create a new local group (e.g. auditors) and a new role (e.g. r_auditors). Then add the command cli-lun-show* to the role and the user account into the group. This way this particular user can only execute the lun show cli command...
To have him connect with the CLI you also need to add this capability to the role "r_auditors":
login-ssh
The commands to accomplish this:
useradmin group
useradmin role
useradmin user
Hope this helps,
Peter
Hi Peter
This is the command I gave:
useradmin role modify auditorrole -a login-ssh,cli-lun-show*
but getting error:
Invalid capabilities: cli-lun-show*
Thanks,
Jithu
Does anyone have any idea about this?
Sorry, I was wrong with my example cli-lun-show*...
https://kb.netapp.com/support/index?page=content&id=3011260
You can set it to all commands with cli* or one level deeper e.g. cli-vol* or cli-lun*, that's it.
Peter
Thanks, Peter