Instruction manual
Chapter 2 Installation, Configuration and Management
NetScaler 9000 Series Installation and Configuration Guide - Volume 1 2-67
NSICG60_DEC04
• Command policy inheritance - All users inherit the policies of the groups
  to which they belong.
• Explicit policy prioritization - Priorities must be assigned to all policies
  when bound to users and groups to define precedence in policy
  enforcement by the system against user actions.
2.6.4.6 Creating Command Policies
The syntax for creating a command policy uses a basic add action, as shown
below. The add action defines either an ALLOW or DENY policy action, which
is based on a command specification expression. This expression describes an
area of command line usage to which the policy allows or denies user access
once it is bound. The command below illustrates the complete structure.
add system cmdPolicy <policyName> (ALLOW|DENY) <cmdSpec>
To build a command policy, use standard regular expressions for the
cmdSpec parameter to match commands on the NetScaler Command Line
Interface. Before creating these regular expressions for command policies,
keep the following points in mind.
• Command policy regular expression strings must be enclosed in double
  quotes when added.
• Command policy regular expressions are case insensitive.
• The ‘help’ command is not subject to any command policies.
The table below illustrates a few sample cmdSpec regular expressions and
what commands they will match.
Command Specification        Matches These Command Attempts
"^rm.*"                      All remove actions
"^show.*"                    All show commands
"^shell"                     The shell command
"^add\s+vserver.*"           Create a vserver
"^add\s+(lb\s+vserver).*"    Create an lb vserver
"^set\s+lb.*"                Set load balancing settings at the command group level
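
The following dry-run checker is an added example, not part of the NetScaler guide or the product's own code. It models the rules stated above (case-insensitive cmdSpec matching, the 'help' exemption, priority-ordered policies) so a policy set can be reviewed before it is bound. Assumptions: Python's re module stands in for the NetScaler regular expression engine, the lowest priority number is evaluated first, unmatched commands are denied, and the policy names, priorities and sample commands are constructed.

```python
import re

# (priority, policyName, action, cmdSpec). The cmdSpec strings come from the
# table above; the policy names and priority numbers are constructed.
POLICIES = [
    (10, "deny-shell", "DENY", r"^shell"),
    (20, "deny-rm", "DENY", r"^rm.*"),
    (30, "allow-show", "ALLOW", r"^show.*"),
    (40, "allow-add-lb-vserver", "ALLOW", r"^add\s+(lb\s+vserver).*"),
    (50, "allow-set-lb", "ALLOW", r"^set\s+lb.*"),
]


def evaluate(command, policies=POLICIES, default="DENY"):
    """Return (action, policyName) for one CLI command line.

    Assumed semantics: lowest priority number first, first match wins,
    and `default` applies when no cmdSpec matches.
    """
    words = command.split()
    # The guide states that 'help' is not subject to any command policy.
    if words and words[0].lower() == "help":
        return ("ALLOW", "help-exempt")
    for _prio, name, action, spec in sorted(policies, key=lambda p: p[0]):
        # Command policy regular expressions are case insensitive.
        if re.search(spec, command, re.IGNORECASE):
            return (action, name)
    return (default, "no-match")


# Constructed command lines for the dry run.
SAMPLES = [
    "show lb vserver",
    "SHOW version",
    "shell ls /var/log",                   # "^shell" has no end anchor, so arguments match too
    "rm lb vserver v1",
    "add lb vserver v1 HTTP 10.0.0.1 80",
    "add vserver v1 HTTP 10.0.0.1 80",     # not covered by the lb-only cmdSpec
    "help",
]


def dry_run(commands=SAMPLES):
    """Map each sample command to the decision the policy set would make."""
    return {cmd: evaluate(cmd) for cmd in commands}


if __name__ == "__main__":
    for cmd, (action, policy) in dry_run().items():
        print(f"{action:5} {policy:22} {cmd}")
```

The "add vserver" line shows why each cmdSpec should be tested against near-miss commands: it falls outside "^add\s+(lb\s+vserver).*" and is decided by the assumed default.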