
Command policy to restrict access to specific vservers


Davide Bono


Here's an example thread:  https://discussions.citrix.com/topic/411213-app-admin-needs-access-to-a-one-vip-on-the-netscaler/

Here's the trick: you can't restrict the GUI to showing only the vservers with certain names, or none of the vservers will display; you have to grant read access to all the vservers you need, but you can limit the ability to run the verbs (add/rm/set/unset/bind/unbind etc.) to those with specific naming conventions.

 

I can try to revise the example from the thread with more info later if you need additional info.

 


Now that I have a few more minutes:

Assuming the vservers you want the admin to edit have a specific naming convention, like AppA_<stuff> or another variant, you can define a regex like so.

 

 

For editing changes to lb vservers (or other vservers and entities):

1) Start with read-only and then add the modify rights:

(^man.*)|(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)(?!ns savedconfig)(?!ns runningConfig)(?!gslb runningConfig)(?!audit messages)(?!techsupport).*)|(^stat.*)|(^(enable|disable|add|rm|set|unset|bind|unbind) ((lb vserver)|(ssl vserver)) appA_.*)

 

With services/servers/monitors, too:

(^man.*)|(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)(?!ns savedconfig)(?!ns runningConfig)(?!gslb runningConfig)(?!audit messages)(?!techsupport).*)|(^stat.*)|(^(enable|disable|add|rm|set|unset|bind|unbind) (server|service|(lb vserver)|(lb monitor)|(ssl vserver)) appA_.*)

 

2) The problem with showing ONLY the vservers with a certain naming convention via a cmd policy is that the GUI won't load any of the vservers if the show lb vserver .* won't run.

Trying to do a (show lb vserver AppA_.*) variant will just fail to show any lb vserver in the GUI.

From the CLI, you can be that restrictive, but the HTML5 GUI won't load a partial list for show commands. (Note: back in the 9.x/Java days you could do this.)

 

The only other way to limit what the admin can SEE and edit would be to use an admin partition instead, and limit which items are in that partition. However, not all features are supported in an admin partition: Load Balancing yes, but some other features like AppFW/AppFlow/Gateway VPN vservers are not supported at all.

 

 

 

 

 


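Before binding a command spec like the ones in the two posts above to a real user, it is worth running candidate commands through the same regex offline and seeing exactly which ones the ALLOW policy matches. The harness below is an added example (my own check, not code from the posts or from Citrix): it evaluates the two command specs quoted in the second post, plus a tightened variant of mine, against a constructed list of commands using Python's re module. The assumption is that NetScaler evaluates a cmdPolicy spec with the same regex semantics (anchors, negative lookahead) as Python's re and against the full, expanded command string; whether the appliance normalizes whitespace, case, or abbreviations such as sh lb vs before matching is not something this harness settles, so confirm the final policy with a test user on the appliance. The harness is case-sensitive, which is why a vserver named AppA_web is not matched by a spec written for appA_.

```python
import re

# Command specs copied verbatim from the post above.
# Read access everywhere (minus the excluded show targets); write verbs only
# on lb/ssl vservers whose names start with appA_.
SPEC_VSERVER_ONLY = (
    r"(^man.*)|"
    r"(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)(?!ns savedconfig)"
    r"(?!ns runningConfig)(?!gslb runningConfig)(?!audit messages)(?!techsupport).*)|"
    r"(^stat.*)|"
    r"(^(enable|disable|add|rm|set|unset|bind|unbind) ((lb vserver)|(ssl vserver)) appA_.*)"
)
# Same, with write verbs also allowed on servers/services/monitors named appA_*.
SPEC_WITH_BACKEND = (
    r"(^man.*)|"
    r"(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)(?!ns savedconfig)"
    r"(?!ns runningConfig)(?!gslb runningConfig)(?!audit messages)(?!techsupport).*)|"
    r"(^stat.*)|"
    r"(^(enable|disable|add|rm|set|unset|bind|unbind) "
    r"(server|service|(lb vserver)|(lb monitor)|(ssl vserver)) appA_.*)"
)
# Tightened variant (mine, not from the post): the show exclusions sit directly
# after "show" and consume all whitespace inside the lookahead, so "show  ns
# runningConfig" (two spaces) cannot slip past them by backtracking \s+.
SPEC_TIGHT_SHOW = (
    r"(^man.*)|"
    r"(^show(?!\s+(system|configstatus|ns\s+ns\.conf|ns\s+savedconfig"
    r"|ns\s+runningConfig|gslb\s+runningConfig|audit\s+messages|techsupport))\s+.*)|"
    r"(^stat.*)|"
    r"(^(enable|disable|add|rm|set|unset|bind|unbind) "
    r"(server|service|(lb vserver)|(lb monitor)|(ssl vserver)) appA_.*)"
)

# Constructed sample commands (hypothetical object names) covering the cases
# the posts discuss: unrestricted reads, excluded reads, writes on appA_ vs
# other names, back-end objects, and a case mismatch.
SAMPLE_COMMANDS = [
    "show lb vserver",                                   # GUI needs this unrestricted
    "show lb vserver appB_web",                          # reads on other teams' vservers
    "show ns runningConfig",                             # excluded by lookahead
    "show ns ns.conf",                                   # excluded by lookahead
    "show system user",                                  # excluded by lookahead
    "stat lb vserver appB_web",
    "set lb vserver appA_web -persistenceType SOURCEIP",
    "set lb vserver appB_web -persistenceType SOURCEIP",  # wrong naming convention
    "bind lb vserver appA_web appA_svc1",
    "rm lb vserver appA_web",
    "add server appA_srv1 10.0.0.10",                    # only the back-end specs allow this
    "add service appB_svc1 appB_srv1 HTTP 80",
    "save ns config",                                    # no alternative grants this verb
    "set lb vserver AppA_web -comment x",                # case differs from appA_
]


def allowed(spec, command):
    """True if the ALLOW spec matches the command (Python re semantics; every
    alternative in the specs is anchored with ^, so search() is sufficient)."""
    return re.search(spec, command) is not None


def evaluate(spec, commands=SAMPLE_COMMANDS):
    """Map each command to whether the spec would allow it."""
    return {cmd: allowed(spec, cmd) for cmd in commands}


def whitespace_gap(spec):
    """(single-space result, double-space result) for an excluded show target.
    Under re semantics the original specs return (False, True): \\s+ backtracks
    to one space and the lookahead then sees " ns runningConfig"."""
    return (allowed(spec, "show ns runningConfig"),
            allowed(spec, "show  ns runningConfig"))


if __name__ == "__main__":
    for name, spec in [("vserver-only", SPEC_VSERVER_ONLY),
                       ("with-backend", SPEC_WITH_BACKEND),
                       ("tight-show", SPEC_TIGHT_SHOW)]:
        print(f"== {name} ==")
        for cmd, ok in evaluate(spec).items():
            print(f"  {'ALLOW' if ok else 'deny '}  {cmd}")
        print(f"  whitespace gap (1 space, 2 spaces): {whitespace_gap(spec)}")
```

On the appliance the standard CLI form is add system cmdPolicy <name> ALLOW "<spec>" followed by bind system user <user> <name> <priority>; quoting the spec (it contains spaces, parentheses and backslashes) is the usual stumbling block, so paste it and read it back with show system cmdPolicy <name> before testing. The whitespace_gap result is a property of the regex, not a confirmed appliance behaviour: if the CLI does not canonicalize spacing before policy evaluation, the tightened spec closes that gap; if it does, the original is fine and the check costs nothing.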