SmartLock is currently not enabled for RBAC and requires root access to execute any changes. So any other account used to access the CLI will not have permissions to execute any changes to SmartLock directory settings. Only root can make changes.
See the enclosed info from the OneFS Security Configuration guide listing isi commands and the associated privilege required.
Can the root user grant other administrator/user the "isi worm" privilige, and at the same time restrict this administrator/user from having certain priviledge with SmartLock directory setting?
I am looking for a way to create a administrator user with privledge to manage smart lock directories, and restrict this administrator from having capability to create smart lock directory with certain settings (e.g. autocommit, privdel).
At this time unfortunately no, RBAC (role based access control) privileges do exists for WORM commands, they have to executed as root.
As One 7.x continues to evolve additional privileges for RBAC enablement are included, with each release we continue to see more of the OS becoming RBAC ready and operational. We saw a very large number of new commands enabled for RBAC in 7.1 compared to 7.0.x.
Stay tuned for when it become available.
russ
wak1% isi smartlock list -l
Commands not enabled for role-based administration require root user access.
russ_stevenson
17 Posts
0
November 25th, 2013 08:00
SmartLock is currently not enabled for RBAC and requires root access to execute any changes. So any other account used to access the CLI will not have permissions to execute any changes to SmartLock directory settings. Only root can make changes.
See the enclosed info from the OneFS Security Configuration guide listing isi commands and the associated privilege required.
jenny_lam
1 Rookie
•
57 Posts
0
January 8th, 2014 10:00
Hi Russ, thanks for following up on this.
Can the root user grant other administrator/user the "isi worm" privilige, and at the same time restrict this administrator/user from having certain priviledge with SmartLock directory setting?
I am looking for a way to create a administrator user with privledge to manage smart lock directories, and restrict this administrator from having capability to create smart lock directory with certain settings (e.g. autocommit, privdel).
russ_stevenson_
25 Posts
1
January 8th, 2014 12:00
Hi Jenny,
At this time unfortunately no, RBAC (role based access control) privileges do exists for WORM commands, they have to executed as root.
As One 7.x continues to evolve additional privileges for RBAC enablement are included, with each release we continue to see more of the OS becoming RBAC ready and operational. We saw a very large number of new commands enabled for RBAC in 7.1 compared to 7.0.x.
Stay tuned for when it become available.
russ
wak1% isi smartlock list -l
Commands not enabled for role-based administration require root user access.