user role add
Assign an operational role to a user account. A role is a profile defining a level of access and authority with respect to the appliance.
Used together with the user add command, this command applies one of the available roles to a newly created named user, which defines that user's scope of access and authority on the appliance. The user role add command adds a role to a named LunaSH administrative or auditor user that you have already created with the user add command. It is available only to the original admin account, and it cannot be used to modify the predefined admin, operator, monitor or audit accounts, whose names are permanently the same as their roles.
See Appliance Users and Roles in the Administration Guide for more information.
Users
A user is an identity on the SafeNet appliance. A user has a name. The name of a user can be one of the following:
>a predefined user name (the general administrative users admin, operator or monitor, and the special audit user whose only function is managing the auditing of the HSM), or
>any name that you wish to use for operational convenience, as created using the command user add.
Predefined Roles
The available predefined roles are admin, operator, monitor or audit. These predefined role names are the same as the names of the built-in, permanent user names. A predefined user always has the same role as its name.
In addition to the predefined users, you can create a user account and assign one of the predefined roles to it, which confers upon that user a specific access and authority on the appliance.
Custom Roles
In addition to the predefined roles, you can use the command user role import to create a custom role. A custom role is able to perform a set of commands that you provide in a file and upload to the appliance. For example, you could create a role called snmp that is able to access only the SNMP commands. See Appliance Users and Roles.
Example
For example, you can create a new user called "indigo" and give indigo the "operator" role. Logged in as the built-in user "operator", you can perform read-and-write operations with some limits; logged in as "indigo", you have exactly the same scope of operation, with the same abilities and constraints, as someone logged in as "operator". This assumes that the indigo user account has also been enabled with the user enable command.
Adding a role to a user displaces or overwrites any previous role held by that user. To see the role currently held by a user, run the user role list -username <username> command.
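The procedure described above, as an added example that is not part of the Luna documentation: a POSIX shell wrapper, run from an administrator's workstation, that applies a role to an existing named user (already created with user add), enables the account, and then lists the role the appliance reports. The appliance hostname, the SSH transport, and the -username syntax for user enable are assumptions; the wrapper refuses the built-in accounts because the page states that user role add cannot modify them, and it warns when the role is not one of the four predefined roles, since such a role must already exist as a custom role.

```shell
#!/bin/sh
# Added example (not from the Luna documentation): apply a role to an existing
# named LunaSH user from an administrator workstation and confirm the result.
# Assumptions: the appliance is reached over SSH as the built-in "admin" user
# (the only account allowed to run "user role add"), LunaSH accepts one command
# per ssh invocation, and "user enable" takes "-username <name>" like the
# "user role add" syntax shown on the page. The hostname is a placeholder.
set -eu

APPLIANCE="${APPLIANCE:-luna-appliance.example.net}"   # hypothetical hostname

# Built-in accounts whose role is fixed to their name; "user role add" cannot modify them.
PREDEFINED="admin operator monitor audit"
# Predefined roles. Any other value is treated as a custom role from "user role import".
KNOWN_ROLES="admin operator monitor audit"

# run_lunash <command...> : send one LunaSH command to the appliance.
# Set LUNASH_RUNNER to a function or program (for example "echo") to dry-run
# the workflow without an appliance.
run_lunash() {
    if [ -n "${LUNASH_RUNNER:-}" ]; then
        "$LUNASH_RUNNER" "$@"
    else
        ssh "admin@${APPLIANCE}" "$@"
    fi
}

# is_predefined <name> : succeeds if <name> is one of the permanent built-in accounts.
is_predefined() {
    for n in $PREDEFINED; do
        [ "$1" = "$n" ] && return 0
    done
    return 1
}

# is_known_role <role> : succeeds for one of the four predefined roles.
is_known_role() {
    for r in $KNOWN_ROLES; do
        [ "$1" = "$r" ] && return 0
    done
    return 1
}

# assign_role <username> <role> : the procedure from the page for a user that
# already exists (created with "user add"): add the role, enable the account,
# then list the role the appliance now reports. Adding a role replaces any
# role the user held before, so the final listing shows only <role>.
assign_role() {
    user="$1"
    role="$2"
    if is_predefined "$user"; then
        echo "refusing: '$user' is a built-in account whose role is fixed" >&2
        return 2
    fi
    if ! is_known_role "$role"; then
        echo "note: '$role' is not a predefined role; it must already exist as a custom role" >&2
    fi
    run_lunash user role add -username "$user" -role "$role"
    run_lunash user enable -username "$user"
    run_lunash user role list -username "$user"
}

# Usage: ./assign_role.sh <username> <role>   e.g. ./assign_role.sh indigo operator
if [ $# -eq 2 ]; then
    assign_role "$1" "$2"
fi
```

Running it with LUNASH_RUNNER=echo prints the three LunaSH commands it would send without contacting an appliance, which is a convenient way to review the exact role assignment before it is applied.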
User Privileges
Users with the following privileges can perform this command:
>Admin
Syntax
user role add -username <username> -role <rolename>
Argument(s) | Shortcut | Description |
---|---|---|
-username <username> | -u | Specifies the name of the existing named user account to which the role is being added. |
-role <rolename> | -r | The name of the administrative role being added to that user. The available default roles, in descending order of capability, are admin, operator, and monitor, for general administration, and audit for managing HSM auditing functions. Valid values: admin, operator, monitor, audit, or a custom role |
Example
lunash:>user role add -username james -role audit

User james was successfully modified.

Command Result : 0 (Success)