App admin needs access to a one VIP on the NetScaler.

[Mustafa AliKhan]

I have a user needing access to one VIP on the NetScaler to update, add, or modify the virtual server entries.   We don't have ADM.  I am new to NetScaler and need some guidance from the experts.   Any assistance would be greatly appreciated.  We are currently running VPX NS12.0 63.21.nc.   

[Diego Oliveira]

Check if the following Citrix CTX article helps:

https://support.citrix.com/article/CTX138901

[Rhonda Rowland1709152125]

Create your admin as a system user account or identify it as a system group account.

Create a custom command policy that's based on read-only or operator and then add the necessary regex for  the verbs and objects you want to manage. Ensure all the dependent objects contain an appropriate App prefix and then they will be limited to editing only objects with that naming convention.

 

You need the read-only rights to show all objects in a given node or the gui won't load...but something like this would limit edits to only things starting with appA_<stuff> in its name:

(^man.*)|(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)(?!ns savedconfig)(?!ns runningConfig)(?!gslb runningConfig)(?!audit messages)(?!techsupport).*)|(^stat.*)|(^(enable|disable|add|rm|set|unset|bind|unbind) (server|service|(lb vserver)|(lb monitor)|(ssl vserver)) appA_.*)

 

You can adjust if they don't need access ssl vserver and cert settings or monitor changes...

But the object conventions may need to be:

appA_lb_vsrv

appA_svc1

etc...

 

 

[Stewart Roth]

On 11/11/2020 at 1:55 PM, Rhonda Rowland1709152125 said:

Create your admin as a system user account or identify it as a system group account.

Create a custom command policy that's based on read-only or operator and then add the necessary regex for  the verbs and objects you want to manage. Ensure all the dependent objects contain an appropriate App prefix and then they will be limited to editing only objects with that naming convention.

 

You need the read-only rights to show all objects in a given node or the gui won't load...but something like this would limit edits to only things starting with appA_<stuff> in its name:

(^man.*)|(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)(?!ns savedconfig)(?!ns runningConfig)(?!gslb runningConfig)(?!audit messages)(?!techsupport).*)|(^stat.*)|(^(enable|disable|add|rm|set|unset|bind|unbind) (server|service|(lb vserver)|(lb monitor)|(ssl vserver)) appA_.*)

 

You can adjust if they don't need access ssl vserver and cert settings or monitor changes...

But the object conventions may need to be:

appA_lb_vsrv

appA_svc1

etc...

 

 

Thank you!!  I have had no success yet but I know where to modify the settings.

[Oscar Norton]

On 11/12/2020 at 1:25 AM, Rhonda Rowland1709152125 said:

Create your admin as a system user account or identify it as a system group account.

Create a custom command policy that's based on read-only or operator and then add the necessary regex for  the verbs and objects you want to manage. Ensure all the dependent objects contain an appropriate App prefix and then they will be limited to editing only objects with that naming convention.

 

You need the read-only rights to show all objects in a given node or the gui won't load...but something like this would limit edits to only things starting with appA_<stuff> in its name:

(^man.*)|(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)(?!ns savedconfig)(?!ns runningConfig)(?!gslb runningConfig)(?!audit messages)(?!techsupport).*)|(^stat.*)|(^(enable|disable|add|rm|set|unset|bind|unbind) (server|service|(lb vserver)|(lb monitor)|(ssl vserver)) appA_.*) mybizaccount

 

You can adjust if they don't need access ssl vserver and cert settings or monitor changes...

But the object conventions may need to be:

appA_lb_vsrv

appA_svc1

etc...

 

 

Thanks for this. This worked exactly as expected.