Instruction manual
Chapter 2 Installation, Configuration and Management
NetScaler 9000 Series Installation and Configuration Guide - Volume 1 2-71
NSICG60_DEC04
> bind system group nocusers -policyName default_deny_override 100
Note again that the policy has been bound to the nocusers group with a
priority of 100. This will ensure the ordering of the priority among any other
policies that may later be bound against this group.
Now that all of the group and user command policies are in place, the
complete order of policy evaluations for johnd can be explained. The user
johnd’s direct policies will be evaluated first, denying system command
group commands, remove actions and shell access, in that order of priority.
Because of his group membership, the user will otherwise have access to the
remaining commands through the group’s default deny override policy.
The next section explains how the NetScaler’s command policy evaluation
procedure causes this overall policy order to achieve the desired level of user
access for johnd.
2.6.4.9 Evaluation Process in Command Policy Application
As previously mentioned, a user’s set of applicable command policies is an
aggregate of their direct policies and those bound to them implicitly via group
memberships. Every time a user enters a command, the system will search
through the user’s aggregate set of policies until it finds an explicit ALLOW
or DENY action which matches the entered command. When a match is
found, the system exits the command policy search after enforcing the defined
action. If no matching policy is found, the user’s access to the command is
denied, per the system’s default deny policy.
When applying policies to system users and groups keep in mind how the
NetScaler system internally ties policies to users. Firstly, the system orders
and executes policies based on assigned priorities, ordering user and group
bindings together. In the case of user johnd above, if the policy bound to the
nocusers group had been bound with a priority of 9 rather than 100, the system
would have ordered that group policy before johnd’s last policy, which has a
priority of 10. Secondly, when two command policies have identical priorities,
the system orders them linearly: they are evaluated in first-in, first-out
order according to when the policies were initially bound.
Note: Care must be taken when placing a user into multiple groups so that
unintended user command restrictions or privileges are not
inadvertently produced when the system aggregates policies for users.
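The evaluation procedure described above (aggregate direct and group bindings, order by priority with first-in, first-out tie-breaking, stop at the first explicit ALLOW or DENY match, otherwise default deny) can be modelled in a few lines. The following Python is an added example, not NetScaler code or part of this guide: the policy names other than default_deny_override, the direct-binding priorities 1, 5 and 10, the command strings, and the use of Python regular expressions in place of the NetScaler command spec are all constructed for illustration.

```python
"""Constructed model of NetScaler command-policy evaluation (not vendor code)."""
import itertools
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CommandPolicy:
    name: str
    action: str    # "ALLOW" or "DENY"
    cmdspec: str   # assumption: a Python regex standing in for the command spec


@dataclass(frozen=True)
class Binding:
    policy: CommandPolicy
    priority: int
    order: int     # global bind sequence; ties on priority are broken first-in, first-out


class CommandPolicyModel:
    def __init__(self):
        self._order = itertools.count()
        self.user_bindings = {}    # user  -> [Binding]
        self.group_bindings = {}   # group -> [Binding]
        self.memberships = {}      # user  -> {group, ...}

    def _bind(self, table, key, policy, priority):
        table.setdefault(key, []).append(Binding(policy, priority, next(self._order)))

    def bind_user(self, user, policy, priority):
        self._bind(self.user_bindings, user, policy, priority)

    def bind_group(self, group, policy, priority):
        self._bind(self.group_bindings, group, policy, priority)

    def add_member(self, user, group):
        self.memberships.setdefault(user, set()).add(group)

    def aggregate(self, user):
        """Direct bindings plus those inherited from every group the user is in,
        ordered by priority (lower number first) and then by bind order."""
        bindings = list(self.user_bindings.get(user, []))
        for group in self.memberships.get(user, ()):
            bindings.extend(self.group_bindings.get(group, []))
        return sorted(bindings, key=lambda b: (b.priority, b.order))

    def evaluate(self, user, command):
        """Return (action, policy_name) for the first matching policy,
        or ("DENY", None) when nothing matches: the system default deny."""
        for b in self.aggregate(user):
            if re.search(b.policy.cmdspec, command):
                return b.policy.action, b.policy.name
        return "DENY", None


# Constructed policies for the johnd scenario; only default_deny_override is named in the guide.
DENY_SYSTEM = CommandPolicy("deny_system_cmds", "DENY", r"^\S+\s+system\b")
DENY_REMOVE = CommandPolicy("deny_remove", "DENY", r"^rm\b")
DENY_SHELL = CommandPolicy("deny_shell", "DENY", r"^shell\b")
DEFAULT_DENY_OVERRIDE = CommandPolicy("default_deny_override", "ALLOW", r".*")


def build_johnd_model(group_priority=100):
    """johnd's three direct denies (priorities assumed 1, 5, 10) plus the group allow."""
    m = CommandPolicyModel()
    m.bind_user("johnd", DENY_SYSTEM, 1)
    m.bind_user("johnd", DENY_REMOVE, 5)
    m.bind_user("johnd", DENY_SHELL, 10)
    m.bind_group("nocusers", DEFAULT_DENY_OVERRIDE, group_priority)
    m.add_member("johnd", "nocusers")
    return m


def second_group_demo(priority):
    """The multi-group caveat: a second group (constructed) allowing shell.
    At priority 10 it ties with johnd's deny_shell and loses on bind order;
    at priority 9 it is evaluated first and grants shell access."""
    m = build_johnd_model()
    allow_shell = CommandPolicy("allow_shell", "ALLOW", r"^shell\b")
    m.bind_group("shelladmins", allow_shell, priority)
    m.add_member("johnd", "shelladmins")
    return m.evaluate("johnd", "shell")


if __name__ == "__main__":
    m = build_johnd_model()
    for cmd in ("rm system user bob", "rm lb vserver v1", "shell", "add lb vserver v1 HTTP 10.0.0.1 80"):
        print(f"{cmd!r:45} -> {m.evaluate('johnd', cmd)}")
    print("no bindings at all ->", m.evaluate("alice", "show ns info"))
    print("group at priority 9, 'shell' ->", build_johnd_model(9).evaluate("johnd", "shell"))
    print("second group tie at 10 ->", second_group_demo(10))
    print("second group at 9 ->", second_group_demo(9))
```

Rebinding the group allow at priority 9 is enough to let `shell` through, because it now sorts ahead of the priority-10 direct deny; the priority-1 and priority-5 denies are unaffected. The second-group case shows the same effect arising purely from group membership, which is the risk the note above warns about.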