I am trying to create a custom role to limit the rights of a domain-based service account we use exclusively to run PowerShell scripts. The role resides in the main cluster SVM and I've only given it rights to change the replication throttle setting as shown below. I assigned the role to the service account with the applications ssh and ontapi. When testing, it immediately generated this error: "Insufficient privileges: user '<username>' does not have read access to this resource". Apparently I need to give at least read only access to a certain command to allow it to log on in the first place. Does anyone know what that would be?
Role Name: script
Command / Directory: vserver options
Access Level: all
Query: -option-name replication.throttle.outgoing.max_kbs
The service account has two entries, one for the ontapi application and one for the ssh application. Previously the role was set at admin, and I just changed the role to the new 'script' role with limited rights to see if it would work. I manually ran the script both before and after the change. While set to admin it worked fine of course, but when I switched it to the new role, it generated the error I mentioned. I think there's a command path I need to give read only access to but don't know what that would be.
Error: command failed: not authorized for that command
cluster1::> ?
  exit      Quit the CLI session
  history   Show the history of commands for this CLI session
  man       Display the on-line manual pages
  redo      Execute a previous command
  rows      Show/Set the rows for this CLI session
  top       Go to the top-level directory
  up        Go up one directory
  vserver>  Manage Vservers
That's the one for throttling. The one for unthrottle is the same except "unlimited" at the end instead of 3125. This is used on multiple remote offices and works fine as long as the account has full admin rights. I'm trying to reduce the service account rights down to just the ones it needs to perform the task.
Thanks @jcolonfzenpr. It actually works with just the following two lines:
security login role create -role script -cmddirname "DEFAULT" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1
Having said that, I don't want to give even read only rights to EVERYTHING. My goal is to give only the minimal rights required, which means read only rights just to the command or command directory required to be able to log in.
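For readers adapting this, here is an added PowerShell example (not the original poster's script and not part of this thread) showing how a throttle script can run under the restricted 'script' role described above and tell an RBAC denial apart from other failures. It assumes the NetApp PowerShell Toolkit (DataONTAP module) with Connect-NcController, Get-NcOption and Set-NcOption; the parameter names -OptionName and -OptionValue, the .Value property on the option object, the cluster name cluster1, the account name svc_script and the throttle value 3125 are assumptions or constructed placeholders.

```powershell
# Added example: set or clear the outgoing replication throttle using an account
# that holds only the restricted 'script' role (DEFAULT readonly plus 'vserver options'
# all, queried to replication.throttle.outgoing.max_kbs). Assumes the NetApp
# PowerShell Toolkit (DataONTAP module); cmdlet parameter names and the .Value
# property are assumed, and svc_script / cluster1 are placeholders.
param(
    [string]$Cluster = 'cluster1',                         # placeholder cluster name
    [ValidatePattern('^(\d+|unlimited)$')]
    [string]$Throttle = '3125'                             # kB/s, or 'unlimited' to unthrottle
)

Import-Module DataONTAP -ErrorAction Stop

$optionName = 'replication.throttle.outgoing.max_kbs'

# Prompt for the restricted service account's credential rather than embedding it.
$cred = Get-Credential -UserName 'svc_script' -Message "Credentials for $Cluster"

try {
    # The login itself needs read access somewhere (the thread's 'DEFAULT readonly'
    # entry); without a readable path the connect fails with
    # "does not have read access to this resource".
    $null = Connect-NcController -Name $Cluster -Credential $cred -ErrorAction Stop

    $before = Get-NcOption -OptionName $optionName -ErrorAction Stop
    Write-Host "Current $optionName = $($before.Value)"

    # Only this one option is writable under the role's query; any other
    # modify command is denied with "not authorized for that command".
    Set-NcOption -OptionName $optionName -OptionValue $Throttle -ErrorAction Stop

    # Read back to confirm the change actually landed.
    $after = Get-NcOption -OptionName $optionName -ErrorAction Stop
    if ($after.Value -ne $Throttle) {
        throw "Throttle reported as $($after.Value), expected $Throttle"
    }
    Write-Host "Throttle set to $Throttle on $Cluster"
}
catch {
    # Separate an RBAC denial (role too narrow) from other failures so the
    # operator knows whether to revisit the role or look elsewhere.
    if ($_.Exception.Message -match 'not authorized|does not have read access') {
        Write-Error ("RBAC denial for {0} on {1}: {2}. Review 'security login role show -role script'." -f `
            $cred.UserName, $Cluster, $_.Exception.Message)
    } else {
        Write-Error "Throttle change failed: $($_.Exception.Message)"
    }
    exit 1
}
```

Run it once with the default value to throttle and once with -Throttle unlimited to clear it; a non-zero exit with the RBAC message means the role is still missing a path, which matches the symptom described earlier in the thread.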