An application needs special access to a SnapLock- Volume (api-*,login-http-admin). For tests I created 2 vFiler to separate access and data from other volumes and application on a simulator. I have used following commands to create the special access on vfiler1:
vfiler run vfiler1 useradmin group add f1app
vfiler run vfiler1 useradmin user add f1appuser -g f1app
vfiler run vfiler1 useradmin role add f1api_commands -c "Role for executing API commands on vfiler1" -a api-*,login-http-admin
vfiler run vfiler1 useradmin group modify f1app -r f1api_commands
I have to be sure that there is no way to get access with “f1appuser” to the basesystem (vfiler0) or other vfiler. A college thinks with “login-http-admin” access within vfiler1 it is possible to get access to the basesystem (vfiler0) or manipulate something on basesystem.
Is the any chance for “f1appuser” to get access outside of vfiler1?