A user account is always associated with a primary group and each group is assigned a role. A role defines the privileges (that is, the operations) the user can perform on a particular File object.
Defining role-based access for commands
This appendix provides information about how to set up role-based access for CLI commands. The first four tables list the CLI commands for which you can specify the privileges needed to perform different command actions. The object on which privileges are defined and the specific command actions available when Modify or Full Control privileges are selected are listed for each command. Using this information, you can create a custom role (also known as a user role) that gives a user associated with this role exactly the privileges necessary to perform his job. Or you can associate a user with the predefined role that already includes Full Control privileges for the command. The first table lists the commands with the prefix cel. The second table lists the commands with the prefix fs. The third table lists the commands with the prefix nas. And the fourth table lists the commands with the prefix server.
You create and manage role-based administrative access with Settings > Security > User Management > Local Users for File > Roles or Settings > Security > User Management > User Customization for File > Roles. You must be root or a user associated with the Administrator or Security Administrator role to create a user account and to associate it with a group and role.
Read-only privileges
Regardless of the role with which he is associated, a user always has read-only privileges for all commands and command options that display information. Some of the command actions available with read-only privileges include info, list, status, and verify. The fifth table lists commands that users associated with any role can execute.
Commands not covered by the role-based access feature
The final table lists the commands that are not covered by the role-based access feature. Some of these commands invoke scripts, others are based on legacy executables, and others are associated with File objects that are not exposed. If the File object associated with a command is not exposed in Create Role, you cannot create a custom (user) role that allows you to specify the privileges needed to perform different command actions. Consequently, these commands can only be performed by the default user accounts root and nasadmin or, in some cases, by a user account associated with the root and nasadmin roles.
cel commands
NOTE: Object category lists the field in the Roles dialogs where privileges can be set.
NOTE: All commands are also included in the NAS Administrator and Storage Administrator roles unless otherwise noted.
Table 1. cel commands
Command
Object category
Actions available with modify privileges
Actions available with full control privileges
Included in predefined role
cel_fs
Storage>File Systems
extract
import
FileMover Application
fs commands
NOTE: Object category lists the field in the Roles dialogs where privileges can be set.
NOTE: All commands are also included in the NAS Administrator and Storage Administrator roles unless otherwise noted.
Table 2. fs commands
Command
Object category
Actions available with modify privileges
Actions available with full control privileges
Included in predefined role
fs_ckpt
Data Protection>Checkpoints
modify
refresh
create
restore
Data Protection
Data Recovery
Local Data Protection
fs_dhsm
Storage>FileMover
connection modify
modify
connection create
connection delete
FileMover Application
fs_group
Storage>File Systems
create
delete
shrink
xtend
FileMover Application
fs_rdf
Storage>Storage Systems
info
mirror
restore
fs_timefinder
Storage>File Systems
mirror
restore
snapshot
nas commands
NOTE: Object category lists the field in the Roles dialogs where privileges can be set.
NOTE: All commands are also included in the NAS Administrator and Storage Administrator roles unless otherwise noted.
Table 3. nas commands
Command
Object category
Actions available with modify privileges
Actions available with full control privileges
Included in predefined role
nas_ckpt_schedule
Data Protection >Checkpoints
Data Protection >VTLU
modify
pause
resume
create
delete
Data Protection
Data Recovery
Local Data Protection
nas_copy
Data Protection> Replication
create
destination
source
interconnect
Data Recovery
nas_devicegroup
Storage>Storage Systems
acl
resume
suspend
nas_disk
Storage>Volumes
rename
delete
nas_diskmark
Storage>Storage Systems
mark
nas_fs
Storage>File Systems
modify
rename
translate access policy start
xtend
acl
create
delete
type
FileMover Application
nas_fsck
Storage>File Systems
start
FileMover Application
nas_license
System>Licenses
create
delete
init
Security Administrator (not included in the NAS Administrator and Storage Administrator roles)
nas_pool
Storage>Pools
modify
shrink
xtend
create
delete
nas_quotas
Storage>Quotas
Storage>File System
edit
on | off
clear
nas_replicate
Data Protection>Replication
modify
refresh
create
delete
failover
reverse
start
stop
switchover
Data Recovery
nas_server
System>Data Movers
Protocols>CIFS
acl
rename
create
delete
(System>Data Movers object category)
vdm
(Protocols>CIFS object category)
nas_slice
Storage>Volumes
rename
create
delete
nas_storage
Storage>Storage Systems
modify
rename
acl
delete
fallback
sync
nas_task
System>Task
abort
delete
All users can abort and delete any task they own, but only the root user can abort and delete tasks owned by any user.
nas_volume
Storage>Volumes
rename
xtend
acl
clone
create
delete
server commands
NOTE: Object category lists the field in the Roles dialogs where privileges can be set.
NOTE: All commands are also included in the NAS Administrator and Storage Administrator roles unless otherwise noted.
Table 4. server commands
Command
Object category
Actions available with modify privileges
Actions available with full control privileges
Included in predefined role
server_arp
Networking>NIS
delete
set
Network Administrator
server_cdms
Storage>Migration
convert
halt
start
connect
disconnect
server_certificate
Security>Public Key Certificates
cacertificate delete
cacertificate import
persona clear
persona generate
persona import
Security Administrator (not included in the NAS Administrator and Storage Administrator roles)
server_cifs
Protocol>CIFS
disable
enable
join
rename
replace
unjoin
update
add
delete
migrate
server_cifssupport
Protocols>CIFS
acl
secmap update
secmap create
secmap delete
secmap import
secmap migration
server_cpu
System>Data Movers
halt
reboot
server_date
System>Data Movers
timesvc hosts
timesvc start
timesvc update
timesvc delete
timesvc set
timesvc stop
server_devconfig
Storage>Storage System
rename
create
server_dns
Networking>DNS
option
delete
protocol
Network Administrator
server_export
Protocols>NFS
or
Protocols>CIFS
unexport
protocol (NFS)
server_ftp
Protocols>NFS
modify
service stat reset
service start | stop
Network Administrator
server_http
Storage>FileMover
modify
append
remove
service start | stop
FileMover Application
server_ifconfig
Networking>Interfaces
up
down
ipsec and noipsec (Applicable only to systems running VNX OE for file earlier than version 8.x.)
mtu
vlan
create
delete
Network Administrator
server_ip
Networking>Routing
neighbor create | delete
route create | delete
Network Administrator
server_kerberos
Protocols>CIFS
keytab
ccache
kadmin
add
delete
Security Administrator (not included in the NAS Administrator and Storage Administrator roles)
server_ldap
Networking>NIS
set
clear
service start | stop
Network Administrator
server_mount
Storage>File Systems
all
force
options
FileMover Application
server_mountpoint
Storage>File Systems
create
delete
server_name
System>Data Movers
<new_name>
server_nfs
Protocols>NFS
user
v4 client
v4 stats zero
service
principal
v4 service
The command options mapper set and mapping can only be executed by root.
server_nfsstat
Protocols>NFS
zero
server_nis
Networking>NIS
delete
Network Administrator
server_param
System>Data Movers
facility
server_rip
Networking>Routing
ripin
noripin
Network Administrator
server_route
Networking>Routing
add
delete
flush
deleteAll
Network Administrator
server_security
Protocols>CIFS
modify
update
add
delete
Security Administrator (not included in the NAS Administrator and Storage Administrator roles)
server_setup
System>Data Movers
load
protocol
load
server_snmp
Networking>NIS
community
location
syscontact
Network Administrator
server_standby
System>Data Movers
activate
restore
create
delete
server_stats
Storage>File Systems
monitor
noresolve
service
server_sysconfig
Networking>Devices
pci
virtual new
virtual delete
Network Administrator
server_umount
Storage>File Systems
temp
all
perm
FileMover Application
server_usermapper
Protocols>CIFS
disable
enable
import
remove
Security Administrator (not included in the NAS Administrator and Storage Administrator roles)
server_vtlu
Data Protection>VTLU
service set
storage extend
storage export
storage import
tlu modify
drive umount
storage delete
storage new
tape eject
tape inject
tlu delete
FileMover Application
Table 5. Commands all roles have privileges to execute
Command
nas_inventory
server_checkup
server_df
server_ping
server_ping6
server_sysstat
server_uptime
server_version
Table 6. Commands not covered by the role-based access feature
Command             Notes
cs_standby          Requires root privileges
nas_acl             Can be executed with nasadmin privileges
nas_automountmap    Can be executed with nasadmin privileges
nas_ca_certificate  Requires root privileges to generate a certificate
nas_cel             Can be executed with nasadmin privileges
nas_checkup         Can be executed with nasadmin privileges
nas_connecthome     Requires root privileges to modify and test
nas_config          Requires root privileges
nas_cs              Requires root privileges
nas_emailuser       Can be executed with nasadmin privileges
nas_event           Can be executed with nasadmin privileges
nas_halt            Requires root privileges
nas_logviewer       Can be executed with nasadmin privileges
nas_message         Can be executed with nasadmin privileges
nas_mview           Requires root privileges
nas_rdf             Requires root privileges
nas_version         Can be executed with nasadmin privileges
server_archive      Can be executed with nasadmin privileges
server_cepp         Can be executed with nasadmin privileges
server_dbms         Requires root privileges to delete, compact, repair, and restore the database
server_file         Can be executed with nasadmin privileges
server_ipsec        Can be executed with nasadmin privileges
server_iscsi        Can be executed with nasadmin privileges
server_log          Can be executed with nasadmin privileges
server_mpfs         Can be executed with nasadmin privileges (Applicable only to systems running VNX OE for file earlier than version 8.x.)
server_mt           Can be executed with nasadmin privileges
server_netstat      Can be executed with nasadmin privileges
server_nfs          Requires root privileges to configure secure NFS mapping
server_pax          Requires root privileges to reset stats
server_snmpd        Can be executed with nasadmin privileges
server_stats        Can be executed with nasadmin privileges
server_tftp         Can be executed with nasadmin privileges
server_user         Can be executed with nasadmin privileges
server_viruschk     Can be executed with nasadmin privileges