Abstract:
Role Based Access Control (RBAC) plays an important role in the separation of roles and the separation of privileges. Roles are assigned to each user, and policies are created to enforce access to objects (entities) by subjects (roles). This blog describes a use case for managing AGEE user accounts (requested in "Using Role Based Access Control (RBAC) to safely manage the NetScaler configuration").
A commandSpec is a regular expression through which permission to run configuration commands on NetScaler is determined. A commandPolicy may ALLOW or DENY the commands matched by a commandSpec. A user has only the permissions that are defined by the commandPolicy.
Procedure for creating a commandSpec that allows a user to add / delete AGEE user accounts:
Assuming the administrator has followed the steps to create the NetScaler AGEE server and a user user1 has been created:
- The commandPolicy (add_aaa) is created with the following commandSpec:
add system commandPolicy add_aaa ALLOW "(^add\s+aaa\s+user\s+[a-zA-Z0-9_]+\s+(-password)\s+.+$)|(^(rm|bind|unbind|set)\s+aaa\s+user\s+.+)|(^show\s+aaa\s+user.*)|(^show\s+vpn\s+intranetApplication.*)"
As shown in the screen capture, valid commands are shown in green and commands that do not match the commandSpec are shown in red.
The above commandSpec can be divided into the following parts:
1) "(^add\s+aaa\s+user\s+[a-zA-Z0-9_]+\s+(-password)\s+.+$)"
Authorizes user1 to add new AGEE users.
2) "(^(rm|bind|unbind|set)\s+aaa\s+user\s+.+)"
Authorizes user1 to (a) remove an existing AGEE user, (b) bind / unbind an SSL VPN user to an intranetApplication or intranetIP, and (c) set a new password for an AGEE user.
3) "(^show\s+aaa\s+user.*)"
Allows user1 to list the existing AGEE users. User1 can then select an AGEE user and remove that user or change a user property.
4) "(^show\s+vpn\s+intranetApplication.*)"
Allows user1 to see the available intranetApplications. This part of the commandSpec is necessary if user1 wants to change the intranetApplication settings of AGEE users.
- The "add_aaa" commandPolicy is bound to user1.
- Now, using the above commandPolicy, user1 has permission to add / delete AGEE users or set their properties.
Thus, using RBAC, a user can easily manage AGEE user accounts without affecting other settings.
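To check what the add_aaa commandSpec actually permits before binding it, the following added example (not from the original post or from Citrix) evaluates sample NetScaler CLI commands against the reconstructed regular expression with Python's re module. It assumes, as a simplification, that NetScaler matches each command from its start against the commandSpec, mirroring the green (allowed) / red (denied) classification in the screen capture; the sample commands are constructed.

```python
import re

# commandSpec of the add_aaa commandPolicy as described above (backslashes
# restored; assumed to be the intended form of the blog's regular expression).
ADD_AAA_CMDSPEC = (
    r"(^add\s+aaa\s+user\s+[a-zA-Z0-9_]+\s+(-password)\s+.+$)"
    r"|(^(rm|bind|unbind|set)\s+aaa\s+user\s+.+)"
    r"|(^show\s+aaa\s+user.*)"
    r"|(^show\s+vpn\s+intranetApplication.*)"
)


def is_permitted(command, cmdspec=ADD_AAA_CMDSPEC):
    """True if the command matches the commandSpec of an ALLOW policy.

    re.match anchors at the start of the string, and each alternative
    carries its own ^, so a command cannot smuggle a permitted token
    in the middle of an unrelated command.
    """
    return re.match(cmdspec, command.strip()) is not None


def evaluate(commands, cmdspec=ADD_AAA_CMDSPEC):
    """Classify each command as ALLOW or DENY, like the green/red screenshot."""
    return {cmd: ("ALLOW" if is_permitted(cmd, cmdspec) else "DENY")
            for cmd in commands}


# Constructed sample commands: the first seven are within user1's role,
# the rest touch system or VPN configuration the policy must not cover.
SAMPLE_COMMANDS = [
    "add aaa user user2 -password Secret123",     # ALLOW (part 1)
    "add aaa user user2",                          # DENY: -password is mandatory
    "set aaa user user2 -password NewSecret",      # ALLOW (part 2)
    "bind aaa user user2 -intranetApplication app1",  # ALLOW (part 2)
    "rm aaa user user2",                           # ALLOW (part 2)
    "show aaa user",                               # ALLOW (part 3)
    "show vpn intranetApplication",                # ALLOW (part 4)
    "add system user user3 -password x",           # DENY: system user, not aaa
    "rm system commandPolicy add_aaa",             # DENY: cannot remove the policy
    "show vpn vserver",                            # DENY: not in the commandSpec
]

if __name__ == "__main__":
    for cmd, verdict in evaluate(SAMPLE_COMMANDS).items():
        print(f"{verdict:5} {cmd}")
```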