Home > |
---|
Access the user role commands to manage the roles associated with a user account.
The options are:
•Apply a named role, matching one of the system-default general administrative users ('admin', 'operator', 'monitor', or 'audit'), to a custom-named user (could be something like like 'John', 'interbank01', 'backup admin', or any name you could make up to have meaning in your scenario). This gives the new named user the full abilities and restrictions of the named role. The primary use is to have named persons or profiles who can be identified in activity logs - for example, rather than several entries that identify as 'admin', and who must all share the credentials of 'admin', such that you don't know which one was logged in at a specific time, you could identify 'admin1', 'admin2', 'admin3', etc. Each has the same authority and capability as the system 'admin' role, but now you can identify which 'adminX' was logged on and performing actions when a security event occurred.
•Apply a custom-specified role description to a custom-named user. This allows you to choose any command from the repertoire of any of the default named user's roles and grant the use of that command to the named user. Specify a list of all the commands that you want this user to perform, and simply omit from your list any commands that the user should not be able to access. The list is saved in a standard format under a custom role name, and you import that custom role to your custom-named users.
Note: There is no default set of commands onto which a custom role is added. You are not starting from a "base" accessible list (like one of the system-default roles). The custom role starts from zero commands available and gives access to only the exact commands on the list that you provide.
If a command is explicitly listed in a named role file, then any user to which that custom role is applied can invoke that command; if a command is not in that custom role list-file, then that user has no access to that command. No other path provides any access to commands that are not defined in the file. The file can be reused; that is it can be added to as many named users as you wish, on as many network HSM appliances as you wish.
user role
add
clear
delete
import
list
remove
Option | Shortcut | Description |
---|---|---|
add | a | Add a role to a LunaSH user. See user role add. |
clear | c | Clears user role assignments. See user role clear. |
delete | d | Delete a role from a LunaSH user. See user role delete. |
import | i | Import role from file. See user role import. |
list | l | List the possible role assignments. See user role list. |
remove | r | Remove role. See user role remove . |