
Question about the read-only cmdPolicy

Ross Helfand

I found a strange issue.  We have a couple of old NSMPXs running NS10.5, and we have some newer VPXs running NS13.0.


On both platforms, we have created a read-only user that we use for some reporting/automation. If I log in to either platform as our read-only user and run 'show ns runningConfig' at the CLI, I get:

ERROR: Not authorized to execute this command


Which is what I expect, based on the command policy regex which allows 'show' but not 'show ns runningConfig':

> show system cmdPolicy read-only
Command policy: read-only       Action: ALLOW
cmdspec: (^man.*)|(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)(?!ns savedconfig)(?!ns runningConfig)(?!gslb runningConfig)(?!audit messages)(?!techsupport).*)|(^stat.*)

What is confusing me is that if I curl or browse to https://HOST/nitro/v1/config/runningconfig on the NSMPX, it returns the config. But on the VPX I get "not authorized."


I realize I can create a new command policy or alter this one; it's just bugging me that I can't figure out why it works on MPX/10.5.
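
Added example (not part of the original post and not Citrix code): a small audit script that evaluates the read-only cmdspec quoted above against CLI command strings, to confirm what the pattern itself allows and denies. It assumes the pattern behaves the same under Python's re module as on the appliance and is matched from the start of the command; the sample commands are constructed for illustration.

```python
import re

# cmdspec copied verbatim from the 'show system cmdPolicy read-only' output above.
CMDSPEC = (
    r"(^man.*)|(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)"
    r"(?!ns savedconfig)(?!ns runningConfig)(?!gslb runningConfig)"
    r"(?!audit messages)(?!techsupport).*)|(^stat.*)"
)
POLICY = re.compile(CMDSPEC)


def is_allowed(command):
    """True if the command string matches the ALLOW pattern (assumed start-anchored match)."""
    return POLICY.match(command) is not None


# Constructed sample commands: the exclusions named in the cmdspec plus a few others.
SAMPLE_COMMANDS = [
    "show ns runningConfig",    # excluded by (?!ns runningConfig)
    "show gslb runningConfig",  # excluded by (?!gslb runningConfig)
    "show ns savedconfig",      # excluded by (?!ns savedconfig)
    "show ns ns.conf",          # excluded by (?!ns ns\.conf)
    "show techsupport",         # excluded by (?!techsupport)
    "show audit messages",      # excluded by (?!audit messages)
    "show configstatus",        # excluded by (?!configstatus)
    "show system user",         # (?!system) is a prefix test: every 'show system ...' is denied
    "show ns ip",               # 'show ns' is fine when what follows is not an excluded name
    "show lb vserver",
    "stat lb vserver",
    "man show",
    "add lb vserver v1 HTTP 10.0.0.1 80",  # not man/show/stat, so no alternative matches
]


def audit(commands):
    """Map each command to ALLOW or DENY according to the cmdspec alone."""
    return {cmd: ("ALLOW" if is_allowed(cmd) else "DENY") for cmd in commands}


if __name__ == "__main__":
    for cmd, verdict in audit(SAMPLE_COMMANDS).items():
        print(f"{verdict:5}  {cmd}")
```

This models only the pattern match against a command string; how each firmware version maps a NITRO request onto a command for this check is outside what the script can show.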


