This post is more than 5 years old
Question on using symauth and if it disables "root" from being able to run SE commands
I'm trying to confirm that using symauth for Symmetrix authorization will block the "root" user from being able to execute Symcli commands. The customer's requirement:
Everyone has sudo privileges on the Symcli server, including Unix, Backup and Storage Admins. Their purpose is to restrict the box so that only the Storage admin can run the commands, not even root users. Can't I just enable user authorization with symauth on the server and then just add the storage admin users to the Admin roles, etc.? Won't this block the "root" user from being able to execute symcli commands?
Can I put “root” in the symauth table and give it a lesser role (like auditor, monitor, etc..)?
sauravrohilla
October 1st, 2013 08:00
Yes, you can enable symauth on the Symm and give restricted access to the root user.
regards,
Saurabh
johndough1
October 1st, 2013 09:00
So, once symauth is enabled on the Symmetrix, you can set the user "root" to have a "Monitor" role or Auditor role, or even no access to run symcli commands?
For example:
symauth -sid 0123 enable
symauth -sid 0123 -file assign_user.cmd commit
Where assign_user.cmd contains:
assign user root to role Monitor;
assign user johnd to role StorageAdmin;
etc....
thanks,
John
sauravrohilla
October 1st, 2013 10:00
Yes.
johndough1
October 6th, 2013 20:00
I have a follow-up question on this: if root is set to None or a less-than-Admin type role, what about changes that need to update the symapi database? Isn't the file owned by root with limited permissions? Also, I assume scripts run by root where there are symcli commands called out will fail with symauth enabled and root having a limited role?
thanks,
John
sauravrohilla
October 6th, 2013 23:00
Yes, you are right: scripts configured with the root user will fail once symauth is enabled and root is not given the required access. I think that's what you were looking for in the first place.
In Windows, I have configured the users and symauth is enabled on the VMAX. All users have WR access on the symapi directory.