
December 9th, 2013 21:00

Role Based Access for AD Groups

Hi All,

I need to give two AD groups Isilon access.

  AdminGroup -- Login to the Web Console and manage (same as root)

  Backupgroup - Only SyncIQ access and shares; other areas read only

  monitorgroup - read only

How do I set this up?

AS

450 Posts

December 10th, 2013 22:00

Hi AS,

First, it’s important to understand that in OneFS 7.0 and then 7.1 not all features are PAPI enabled, meaning you can get most features of root, but not all of them yet. With each 7.x release more is being added. But for most day to day administration tasks you’ll probably be just fine today on the latest 7.0.2 or 7.1 code.

Also, all RBAC configuration at this time is done through the CLI.

There are 2 concepts at play here:

Roles and Privileges.

Roles

A role is a collection of privileges.

A role has members.

Those members can be local users, or they can be users or groups from AD.

Privileges

Privileges give access to things on the system, and can be either read-only or R/W when added to a role

Some examples are

login via ssh

login to the webui

change NFS settings

change Quota Settings

etc.

There are some built-in roles (or you can create your own):

#To view the roles on your cluster:

isi02-3# isi auth roles list

Name

20 Posts

September 17th, 2014 19:00

You have simplified it. Thanks.

I want to create a role which can only create, modify and delete quotas of a particular SMB share. Please guide.

106 Posts

September 18th, 2014 08:00

You can create a new custom role:

# isi auth roles create QuotaAdmin

Then you can give this role access to the quota system:

# isi auth roles modify QuotaAdmin --add-priv ISI_PRIV_QUOTA

This provides access to all features of SmartQuotas. 

You can see the available options for further modifying roles here:

# isi auth privileges --verbose

# isi auth roles modify --help
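The following script is an added example (it is not from this thread and not Dell EMC's own tooling) that pulls together the roles/privileges explanation earlier in the thread and the custom-role commands in this reply, and builds the three roles the original question asked for. Everything about the environment is assumed: the cluster is joined to an AD domain whose short name is EXAMPLE, the AD groups are EXAMPLE\AdminGroup, EXAMPLE\Backupgroup and EXAMPLE\monitorgroup, and the custom role names BackupOps and Monitor are made up. The `--add-priv-ro`, `--add-group` and `isi auth roles view` forms are the ones listed by `isi auth roles modify --help` on OneFS 7.1/8.x; confirm them on your release. Because not every root capability is exposed through RBAC, "same as root" is approximated by membership in the built-in SystemAdmin and SecurityAdmin roles rather than by a custom role. The script is a dry run by default and only prints the `isi` commands; set `APPLY=1` to execute them on a node.

```shell
#!/bin/sh
# Added example, not from the thread: build the AdminGroup / Backupgroup /
# monitorgroup roles with the OneFS CLI. Dry run by default (prints the commands);
# APPLY=1 executes them. All names below are assumptions for illustration.

DOMAIN=EXAMPLE   # assumed AD short name; change to your provider's name

# q ARG: quote an argument only when it contains a backslash or whitespace, so the
# dry-run output can be pasted back into a shell without losing the DOMAIN\group separator
q() {
  case $1 in
    *\\*|*[[:space:]]*) printf "'%s'" "$1" ;;
    *) printf '%s' "$1" ;;
  esac
}

# run COMMAND...: execute the command, or (default) print it as one line
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    line=
    for a in "$@"; do line="$line $(q "$a")"; done
    printf '%s\n' "${line# }"
  fi
}

# add_group_to_role ROLE GROUP: add an AD group as a member (used for built-in roles)
add_group_to_role() {
  run isi auth roles modify "$1" --add-group "$DOMAIN\\$2"
}

# custom_role NAME GROUP "RW_PRIVS" "RO_PRIVS": create a role, attach read/write and
# read-only privileges, add the AD group, then show the result for verification
custom_role() {
  name=$1 group=$2 rw=$3 ro=$4
  run isi auth roles create "$name"
  for p in $rw; do run isi auth roles modify "$name" --add-priv "$p"; done
  for p in $ro; do run isi auth roles modify "$name" --add-priv-ro "$p"; done
  add_group_to_role "$name" "$group"
  run isi auth roles view "$name"
}

setup_all() {
  # AdminGroup: closest available equivalent of root is the built-in SystemAdmin
  # role, plus SecurityAdmin so members can manage auth providers and roles.
  add_group_to_role SystemAdmin AdminGroup
  add_group_to_role SecurityAdmin AdminGroup

  # Backupgroup: web UI login, full SyncIQ, read-only on shares and the other
  # data-path settings (assumed privilege set for "other areas read only")
  custom_role BackupOps Backupgroup \
    "ISI_PRIV_LOGIN_PAPI ISI_PRIV_SYNCIQ" \
    "ISI_PRIV_SMB ISI_PRIV_NFS ISI_PRIV_QUOTA ISI_PRIV_SNAPSHOT"

  # monitorgroup: web UI login, everything else read-only
  custom_role Monitor monitorgroup \
    "ISI_PRIV_LOGIN_PAPI" \
    "ISI_PRIV_SMB ISI_PRIV_NFS ISI_PRIV_SYNCIQ ISI_PRIV_QUOTA ISI_PRIV_STATISTICS ISI_PRIV_EVENT"
}

setup_all
```

Run it once without `APPLY` to review the command list, then `APPLY=1 sh rbac-setup.sh` on a node as a user who already holds ISI_PRIV_ROLE (root or a SecurityAdmin member). The trailing `isi auth roles view` per role is the check worth keeping: it lists the privileges with their read-only flag and the members that actually resolved, which is where a mistyped domain prefix or a group the provider cannot see shows up. Role membership is evaluated through the providers configured for the System zone, so the AD provider must be present there.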

20 Posts

September 23rd, 2014 11:00

Thanks. I did the same and it works.

64 Posts

September 5th, 2019 07:00

Sorry for digging this old one out:

Does this actually work for AD users or groups? I was trying around and could only make this work for Local Users.

Isilon is joined to an AD in the System Zone.
