Citrix ADC Command Policy Allow Show Running for a group

David Boxall


Note: Test first; I won't have a system in front of me until this evening. There are probably ways to restrict it more, but this should help.


The best way to start this custom policy would be to create a copy of the read-only permissions as custom_readonly or custom_readonly_plus.

original read-only:

(^man.*)|(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)(?!ns savedconfig)(?!ns runningConfig)(?!gslb runningConfig)(?!audit messages)(?!techsupport).*)|(^stat.*)


and remove the restriction on running the runningconfig. There are potential risks here, so you could also try restricting it to show only:


custom_readonly1:  (removes the negative lookahead for ns runningConfig commands; though I think this might be overly broad)

(^man.*)|(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)(?!ns savedconfig)(?!gslb runningConfig)(?!audit messages)(?!techsupport).*)|(^stat.*)


custom_readonly2: adds a limit to show ns runningConfig only. Note: .* is allowing for | grep and other commands, so again, broadly permissive.

(^man.*)|(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)(?!ns savedconfig)(?!gslb runningConfig)(?!audit messages)(?!techsupport).*)|(^stat.*)|(^show\s+ns runningConfig.*)



The other way is to be sure the existing user/group already has read-only or higher permissions and use the following cmd_spec to grant allow permissions to show the ns runningconfig. Give it a higher priority to avoid conflicts, and the user/group will get the additive effects of all applied policies.


(^show\s+ns runningConfig.*)




Tested the following config variations, which will allow show ns runningconfig in addition to default read-only permissions. However, there may be some risks with permitting access to the runningconfig (which is why it is omitted by default). Example 2 is probably the best approach, as you can add this as an additional policy to existing permissions where needed.


Example 1:

add system cmdPolicy custom_readonly_plus_runconfig ALLOW "(^man.*)|(^show\\s+(?!system)(?!configstatus)(?!ns ns\\.conf)(?!ns savedconfig)(?!gslb runningConfig)(?!audit messages)(?!techsupport).*)|(^stat.*)"

add system user testadmin1 -password

bind system user testadmin1 custom_readonly_plus_runconfig 100

Broadly allows show ns runningConfig without restrictions. more/grep can be used.


Example 2: uses default read-only policy and additional custom_runconfig policy to allow the runningconfig pattern.

add system user testadmin2

add system cmdPolicy custom_runconfig ALLOW "(^show\\s+ns runningConfig.*)"


bind system user testadmin2 custom_runconfig 10
bind system user testadmin2 read-only 20

NOTE for the first example:

If entering the policy specs in the GUI, you do not need to escape the "?".

If pasting into the CLI, the literal "?" has to be escaped as \? so that, when you paste them in, you end up with "?".

(actual cli entry - with escaped "?" as "\?"):

add system cmdPolicy custom_readonly_plus_runconfig ALLOW "(^man.*)|(^show\\s+(\?!system)(\?!configstatus)(\?!ns ns\\.conf)(\?!ns savedconfig)(\?!gslb runningConfig)(\?!audit messages)(\?!techsupport).*)|(^stat.*)"





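As an added illustration (not code from the thread, and not how the appliance itself evaluates policies), the snippet below runs the cmd_spec regexes quoted above against sample commands in Python, so you can see what the default read-only policy blocks, what Example 2's additive custom_runconfig policy opens up, and why the trailing .* also lets a pipe to grep through. It assumes Python re semantics, lowest-priority-number-first, first-match evaluation, and implicit DENY when nothing matches; the tighter pattern at the end is my own suggestion, not from the thread.

```python
import re

# cmd_spec regexes as quoted in the thread (GUI form, i.e. single backslashes).
READ_ONLY = (
    r"(^man.*)|(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)"
    r"(?!ns savedconfig)(?!ns runningConfig)(?!gslb runningConfig)"
    r"(?!audit messages)(?!techsupport).*)|(^stat.*)"
)
CUSTOM_RUNCONFIG = r"(^show\s+ns runningConfig.*)"      # Example 2, priority 10

# Assumption (not from the thread): a pipe-free variant that still allows only
# the bare command, closing the "| grep ..." gap the poster points out.
STRICT_RUNCONFIG = r"(^show\s+ns runningConfig\s*$)"

# (priority, action, cmd_spec) bindings; lower number = evaluated first (assumption).
READONLY_ONLY = [(20, "ALLOW", READ_ONLY)]
TESTADMIN2 = [(10, "ALLOW", CUSTOM_RUNCONFIG), (20, "ALLOW", READ_ONLY)]
TESTADMIN_STRICT = [(10, "ALLOW", STRICT_RUNCONFIG), (20, "ALLOW", READ_ONLY)]


def policy_matches(cmd_spec: str, command: str) -> bool:
    """True when the cmd_spec regex matches the command line (re.search semantics)."""
    return re.search(cmd_spec, command) is not None


def evaluate(bindings, command: str) -> str:
    """Return the action of the first bound policy whose cmd_spec matches.
    Assumption: policies are walked in ascending priority order and a
    command matched by no policy is denied."""
    for _prio, action, spec in sorted(bindings, key=lambda b: b[0]):
        if policy_matches(spec, command):
            return action
    return "DENY"


if __name__ == "__main__":
    # Constructed sample commands, including the grep pipe the thread warns about.
    samples = [
        "show lb vserver",
        "show ns runningConfig",
        "show ns runningConfig | grep -i password",
        "show ns ns.conf",
        "show system user",
        "set lb vserver web_vs -state DISABLED",
    ]
    for cmd in samples:
        print(f"{cmd:45} read-only={evaluate(READONLY_ONLY, cmd):5} "
              f"testadmin2={evaluate(TESTADMIN2, cmd):5} "
              f"strict={evaluate(TESTADMIN_STRICT, cmd):5}")
```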
