Role Base Access for AD Groups
Hi All,
I need to give two AD groups for Isilon Access.
AdminGroup -- Login to Web Console and manage (same as root)
Backupgroup - Only SyncIQ access and Share other area read only
monitorgroup - read only
How do I set this up?
AS
crklosterman
450 Posts
0
December 10th, 2013 22:00
Hi AS,
First, it’s important to understand that in OneFS 7.0 and then 7.1 not all features are PAPI enabled, meaning you can get most features of root, but not all of them yet. With each 7.x release more is being added. But for most day to day administration tasks you’ll probably be just fine today on the latest 7.0.2 or 7.1 code.
Also, all RBAC configuration at this time is done through the CLI.
There are 2 concepts at play here:
Roles and Privileges.
Roles
A role is a collection of privileges.
A role has members.
Those members can be local users, or they can be users or groups from AD.
Privileges
Privileges give access to things on the system, and can be either read-only or R/W when added to a role
Some examples are
login via ssh
login to the webui
change NFS settings
change Quota Settings
etc.
There are some built in roles (or you can create your own):
#To view the roles on your cluster:
isi02-3# isi auth role list
Name
na75369
20 Posts
0
September 17th, 2014 19:00
You have simplified it..... Thanks....
I want to create a role which can only create, modify and delete quotas of a particular SMB share only. Please guide.
cadiletta
106 Posts
1
September 18th, 2014 08:00
You can create a new custom role:
# isi auth roles create QuotaAdmin
Then you can give this role access to the quota system:
# isi auth roles modify QuotaAdmin --add-priv ISI_PRIV_QUOTA
This provides access to all features of SmartQuotas.
You can see the available options for further modifying roles here:
# isi auth privileges --verbose
# isi auth roles modify --help
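A dry-run sketch of the create / add-priv procedure above, extended to the three AD groups from the original question. It is an added example, not code from any poster or from Isilon; the domain EXAMPLE, the role names BackupOps and Monitor, the built-in SystemAdmin role, the `--add-priv-ro` and `--add-group` options, and every privilege name other than ISI_PRIV_QUOTA are assumptions to check against `isi auth privileges --verbose` and `isi auth roles modify --help` on your release.

```shell
#!/bin/sh
# Added example, not from the thread: print (or, with APPLY=1, run) the isi
# commands that bind AD groups to least-privilege roles.
# Assumptions: AD domain EXAMPLE, role names BackupOps/Monitor, built-in role
# SystemAdmin, and the ISI_PRIV_LOGIN_PAPI / ISI_PRIV_SYNCIQ / ISI_PRIV_SMB names.
DOMAIN="${DOMAIN:-EXAMPLE}"

# emit CMD...: always print the command, execute it only when APPLY=1.
emit() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# bind_role ROLE GROUP "RW_PRIVS" "RO_PRIVS" (space-separated privilege names)
bind_role() {
    role=$1 group=$2 rw=$3 ro=$4
    # Validate every name before touching the cluster, so a typo or stray
    # shell metacharacter never produces a half-configured role.
    for p in $rw $ro; do
        case $p in
            *[!A-Z0-9_]*) echo "bad privilege: $p" >&2; return 2 ;;
            ISI_PRIV_?*) ;;
            *) echo "bad privilege: $p" >&2; return 2 ;;
        esac
    done
    emit isi auth roles create "$role" || return
    for p in $rw; do emit isi auth roles modify "$role" --add-priv "$p" || return; done
    for p in $ro; do emit isi auth roles modify "$role" --add-priv-ro "$p" || return; done
    emit isi auth roles modify "$role" --add-group "$DOMAIN\\$group"
}

# The three groups from the original question.
plan() {
    # AdminGroup joins the built-in admin role instead of sharing root.
    emit isi auth roles modify SystemAdmin --add-group "$DOMAIN\\AdminGroup"
    # Backupgroup: web UI login plus read/write SyncIQ, read-only SMB settings.
    bind_role BackupOps Backupgroup "ISI_PRIV_LOGIN_PAPI ISI_PRIV_SYNCIQ" "ISI_PRIV_SMB"
    # monitorgroup: web UI login, everything else read-only.
    bind_role Monitor monitorgroup "ISI_PRIV_LOGIN_PAPI" \
        "ISI_PRIV_SYNCIQ ISI_PRIV_QUOTA ISI_PRIV_SMB"
}

plan
```

Review the printed commands first; rerun with `APPLY=1` on a cluster node only once they match what `isi auth roles modify --help` accepts there.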
na75369
20 Posts
0
September 23rd, 2014 11:00
Thanks.... I did the same and it works...
zerothehero
64 Posts
0
September 5th, 2019 07:00
Sorry for digging this old one out:
Does this actually work for AD users or groups? I was trying around and could only make this work for Local Users.
Isilon is joined to an AD in the System Zone.