Instruction manual
Chapter 2 Installation, Configuration and Management
2-70 NetScaler 9000 Series Installation and Configuration Guide - Volume 1
NSICG60_DEC04
combination with the group example that follows, creates a cumulative policy
which will give system user johnd general but restricted access to the
NetScaler CLI interface.
In this situation it is necessary to assemble command policies for a small set
of users on a user-by-user basis. In system user johnd's case, he is to be
granted feature-level configuration access but not NetScaler system-level
access. To create this level of access, the three previously mentioned
policies will be used.
> add system cmdPolicy deny_all_rm DENY "^rm.*"
> add system cmdPolicy deny_all_sh DENY "^shell"
> add system cmdPolicy deny_system_cmnd DENY "*.system.*"
When binding these policies to system user johnd, priorities are assigned to
define their order of evaluation.
> bind system user johnd deny_system_cmnd 1
> bind system user johnd deny_all_rm 5
> bind system user johnd deny_all_sh 10
The deny_system_cmnd policy prevents johnd from using system-level
configuration commands. The deny_all_sh policy denies him the shell command,
preventing modification at that level, and the deny_all_rm policy denies him
all removal actions.
At this point you may notice that, by themselves, these policies are ineffective
at restricting the user's access, because the NetScaler system's default DENY
command policy already blocks all user access to CLI commands. The group
command policy example that follows resolves this and makes user johnd's
command policies effective.
Binding Command Policies per Group
Here again the group and user examples from section 2.6.3.1 are reused.
Recall that the system user johnd was made a member of the nocusers system
group. This example relies on johnd’s group membership to create his overall
user policy.
Using the default_deny_override policy created earlier and reused here, the
system's DENY policy is overridden, allowing full NSCLI access.
> add system cmdPolicy default_deny_override ALLOW "^.*"
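As an added illustration (not taken from the guide or from the NetScaler software), the following Python model evaluates a command against johnd's bound policies the way the text describes: the policy with the lowest priority number is checked first, the first regex that matches decides, and the system default DENY applies when nothing matches. The bind priority of the group ALLOW (100), the sample commands, and the stand-in regex ".*system.*" for the guide's printed "*.system.*" are assumptions.

```python
import re
from typing import List, NamedTuple, Optional

class CmdPolicy(NamedTuple):
    name: str
    action: str    # "ALLOW" or "DENY"
    pattern: str   # regex tested against the full command line
    priority: int  # lower number is evaluated first (assumed semantics)

def evaluate(command: str, bound: List[CmdPolicy]) -> str:
    """Return the action for one command under a set of bound policies.

    Policies are checked in ascending priority order and the first one
    whose regex matches decides. If none matches, the system default DENY
    applies, which is why DENY-only bindings on their own block everything.
    """
    for pol in sorted(bound, key=lambda p: p.priority):
        if re.search(pol.pattern, command):
            return pol.action
    return "DENY"  # implicit system default command policy

# The three user-level policies from the text, bound with the priorities
# shown there. The guide prints the third pattern as "*.system.*", which is
# not a valid regex for Python's re module, so ".*system.*" is used as a
# stand-in (assumption).
USER_POLICIES = [
    CmdPolicy("deny_system_cmnd", "DENY", ".*system.*", 1),
    CmdPolicy("deny_all_rm", "DENY", "^rm.*", 5),
    CmdPolicy("deny_all_sh", "DENY", "^shell", 10),
]

# Group-level override from the text. Its bind priority is not shown in this
# excerpt; 100 is an assumed value that places the ALLOW after every DENY.
GROUP_OVERRIDE = CmdPolicy("default_deny_override", "ALLOW", "^.*", 100)

# Constructed sample commands: one per DENY policy plus a routine read-only one.
SAMPLE_COMMANDS = ["show lb vserver", "rm lb vserver v1", "shell", "add system user x"]

def johnd_decisions(override_priority: Optional[int] = 100) -> dict:
    """Decisions for johnd: the user DENYs plus the group ALLOW bound at the
    given priority, or the user DENYs alone when None is passed."""
    bound = list(USER_POLICIES)
    if override_priority is not None:
        bound.append(GROUP_OVERRIDE._replace(priority=override_priority))
    return {c: evaluate(c, bound) for c in SAMPLE_COMMANDS}

if __name__ == "__main__":
    print("user DENYs only:       ", johnd_decisions(None))  # every command DENY
    print("group ALLOW at 100:    ", johnd_decisions(100))   # only "show" allowed
    print("group ALLOW at 0 (bug):", johnd_decisions(0))     # every command ALLOW
```

Running it shows why the binding order matters: the catch-all ALLOW must carry a higher priority number than the DENYs, otherwise it matches first and shadows every DENY.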