How to restrict the export policy commands to a specific group of users?
Applies to
- ONTAP 9
- Role-Based Access Control (RBAC)
Answer
- Start by creating a security role for the user category, with the command directory 'DEFAULT' access set to 'all'.
Example:
::> security login role create -role restrict -cmddirname DEFAULT -access all
- Then, for the same role, add the command directory 'vserver export-policy' with access set to 'none':
::> security login role create -role restrict -cmddirname "vserver export-policy" -access none -query ""
- Validate the configuration:
::> security login role show -role restrict
                           Role       Command/                                    Access
Vserver         Name       Directory                Query                          Level
--------------- ---------- ------------------------ ------------------------------ --------
aff320-2n-rtp-2 restrict   DEFAULT                                                 all
                           vserver export-policy                                   none
- Create a test user or group and associate the role you created with it:
::> security login create -user-or-group-name test -application ssh -authentication-method password -role restrict
Please enter a password for user 'test':
Please enter it again:
- Validate by logging into a new session as user 'test' and running a 'vserver export-policy' command, which should fail with an error:
::> whoami
(security login whoami)
User: test
Role: restrict
::> vserver export
Error: "export" is not a recognized command
::> vserver export-policy show
Error: "export-policy" is not a recognized command
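The steps above, modelled as an added example (not code from NetApp or the article): the 'restrict' role is written as a list of (command directory, access) pairs, and a small resolver works out which access level applies to a given command, so a reviewer can audit the role against the commands it must and must not allow before handing it to users. The resolver assumes, as a simplification of ONTAP RBAC, that the most specific (longest-prefix) command directory wins and 'DEFAULT' applies only when nothing else matches; the expected-access table and the extra 'rule' entry in the usage are constructed for this example.

```python
ACCESS_LEVELS = ("none", "readonly", "all")

# The 'restrict' role from the article: everything allowed except the
# 'vserver export-policy' command directory and everything beneath it.
RESTRICT_ROLE = [
    ("DEFAULT", "all"),
    ("vserver export-policy", "none"),
]


def _is_prefix(directory: str, command: str) -> bool:
    """True if `directory` is `command` or one of its ancestor directories.
    Matching is by whole words, so 'vserver export' does not cover
    'vserver export-policy show' (which is why the CLI rejects it)."""
    d, c = directory.split(), command.split()
    return c[: len(d)] == d


def effective_access(role, command: str) -> str:
    """Resolve the access level `role` grants for a full command path.
    Assumption: the longest matching command directory wins; 'DEFAULT'
    is the fallback when no other entry matches."""
    best = None
    for directory, access in role:
        if access not in ACCESS_LEVELS:
            raise ValueError(f"unknown access level {access!r}")
        if directory == "DEFAULT" or not _is_prefix(directory, command):
            continue
        if best is None or len(directory.split()) > len(best[0].split()):
            best = (directory, access)
    if best is not None:
        return best[1]
    default = dict(role).get("DEFAULT")
    if default is None:
        raise ValueError("role has no DEFAULT entry")
    return default


def audit(role, expectations: dict) -> list:
    """Return (command, expected, actual) for every command whose resolved
    access differs from what the reviewer expects; empty list means the
    role matches the intent."""
    mismatches = []
    for command, expected in expectations.items():
        actual = effective_access(role, command)
        if actual != expected:
            mismatches.append((command, expected, actual))
    return mismatches


# Constructed review table: what the article's test session should show.
EXPECTED = {
    "vserver export-policy show": "none",
    "vserver export-policy rule create": "none",
    "vserver show": "all",
    "volume show": "all",
}

if __name__ == "__main__":
    print("restrict role audit:", audit(RESTRICT_ROLE, EXPECTED) or "clean")
    # A later 'readonly' grant on a sub-directory silently re-opens part of
    # the tree; the audit catches it.
    loosened = RESTRICT_ROLE + [("vserver export-policy rule", "readonly")]
    print("loosened role audit:", audit(loosened, EXPECTED))
```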