
App admin needs access to a one VIP on the NetScaler.


Mustafa AliKhan

Question

4 answers to this question


Create your admin as a system user account or identify it as a system group account.

Create a custom command policy that's based on read-only or operator and then add the necessary regex for the verbs and objects you want to manage. Ensure all the dependent objects contain an appropriate App prefix and then they will be limited to editing only objects with that naming convention.

 

You need the read-only rights to show all objects in a given node or the gui won't load...but something like this would limit edits to only things starting with appA_<stuff> in its name:

(^man.*)|(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)(?!ns savedconfig)(?!ns runningConfig)(?!gslb runningConfig)(?!audit messages)(?!techsupport).*)|(^stat.*)|(^(enable|disable|add|rm|set|unset|bind|unbind) (server|service|(lb vserver)|(lb monitor)|(ssl vserver)) appA_.*)

 

You can adjust if they don't need access to ssl vserver and cert settings or monitor changes...

But the object conventions may need to be:

appA_lb_vsrv

appA_svc1

etc...

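As an added example (not part of Rhonda's answer, and not Citrix's own code): a small Python harness that compiles the regex posted above exactly as written and checks which CLI strings it would ALLOW, together with the NetScaler CLI lines that would install it. The user name `appA_admin`, policy name `appA_cmdpol`, the bind priority 100 and the sample commands are my assumptions; the CLI syntax is reproduced from memory of the `add system cmdPolicy` / `bind system user` commands and should be checked against the docs for your release before use.

```python
import re

# The ALLOW command spec from the answer above, verbatim, for the "appA_" prefix.
APP_PREFIX = "appA_"
POLICY_SPEC = (
    r"(^man.*)"
    r"|(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)(?!ns savedconfig)"
    r"(?!ns runningConfig)(?!gslb runningConfig)(?!audit messages)(?!techsupport).*)"
    r"|(^stat.*)"
    r"|(^(enable|disable|add|rm|set|unset|bind|unbind) "
    r"(server|service|(lb vserver)|(lb monitor)|(ssl vserver)) "
    + re.escape(APP_PREFIX) + r".*)"
)
_POLICY_RE = re.compile(POLICY_SPEC)


def allowed(command: str) -> bool:
    """True if the command spec matches, i.e. an ALLOW policy with this spec
    would let the command through. Anything the spec does not match is denied."""
    return _POLICY_RE.search(command) is not None


def ns_cli_commands(user: str, policy: str, spec: str = POLICY_SPEC) -> list:
    """NetScaler CLI lines to create the policy, the system user and the binding.
    The password is left as a placeholder; the priority 100 is an arbitrary choice
    (assumed values, not from the original post)."""
    return [
        f'add system cmdPolicy {policy} ALLOW "{spec}"',
        f"add system user {user} <password>",
        f"bind system user {user} {policy} 100",
    ]


# Constructed sample commands (not captured from a real appliance): what an
# appA admin might type, plus a few probes that should be denied.
SAMPLE = {
    "show lb vserver": True,
    "stat lb vserver appA_lb_vsrv": True,
    "add lb vserver appA_lb_vsrv HTTP 10.0.0.10 80": True,
    "bind lb vserver appA_lb_vsrv appA_svc1": True,
    "add lb vserver appB_lb_vsrv HTTP 10.0.0.11 80": False,   # wrong prefix
    "show ns runningConfig": False,                           # excluded by lookahead
    "show system user": False,                                # excluded by lookahead
    "shell": False,                                           # no verb matches
    "save ns config": False,                                  # no verb matches
    # Limitation of the spec: only the first object name after the verb is
    # prefix-checked, so appA's admin can bind another app's service.
    "bind lb vserver appA_lb_vsrv appB_svc1": True,
}


def evaluate(samples=SAMPLE) -> dict:
    """Run every sample command through the policy and return the verdicts."""
    return {cmd: allowed(cmd) for cmd in samples}


if __name__ == "__main__":
    for cmd, verdict in evaluate().items():
        print(f"{'ALLOW' if verdict else 'DENY ':5}  {cmd}")
    print()
    print("\n".join(ns_cli_commands("appA_admin", "appA_cmdpol")))
```

Two things the sample table makes visible: the spec constrains only the object name that immediately follows the verb and object type, so `bind lb vserver appA_lb_vsrv appB_svc1` is still allowed and the prefix convention has to be enforced on every object an app admin may reference, not just the ones they create; and nothing in the spec matches `save ns config`, so the user can change the running config but not persist it unless you add an alternative for that command (or have someone else save).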
On 11/11/2020 at 1:55 PM, Rhonda Rowland1709152125 said:

Thank you!!  I have had no success yet but I know where to modify the settings.

On 11/12/2020 at 1:25 AM, Rhonda Rowland1709152125 said:

Thanks for this. This worked exactly as expected.
