
user role add

A user is an identity on the SafeNet appliance. A user has a name. The name of a user:

can be one of the four standard (built-in) user names (the general administrative users 'admin', 'operator' or 'monitor', and the special 'audit' user whose only function is managing the auditing of the HSM), or

it can be any name that you wish to make up for operational convenience.

A role is a profile defining a level of access and authority with respect to the appliance. A role has a name that can be any of 'admin', 'operator', 'monitor' or 'audit'. Those role names are the same as the names of the four built-in, permanent users. The access and authority conferred by a role do not change.

A named user, one that you create, is assigned one of the four roles, and that role defines the access and authority the user has on the appliance. A built-in user always has the role that matches its name; a named user can hold any one of the four roles, and that role defines what the named user can do on the appliance.

The user role add command adds a role to a named LunaSH administrative or auditor user that you have already created with the user add command. This command is available only to the original 'admin' account, and cannot be used to modify the built-in 'admin', 'operator', 'monitor' or 'audit' accounts (whose names are permanently the same as their roles).

The purpose of this command in combination with the user add command is to apply one of the possible roles to a new named user, which defines the scope of access and authority of that named user.

For example, in the sample below, the named user "indigo" (created earlier with the user add command) is given the role "operator". The built-in user "operator" can perform read-and-write operations with some limits; someone logged in as "indigo" then has exactly the same scope of operation, with the same abilities and constraints, as someone logged in as "operator". This assumes that the user account has also been enabled with the user enable command.

Adding a role to a user displaces or overwrites any previous role held by that user. To see the role currently held by a user, run the user role list -userName <username> command.

Syntax

user role add -username <username> -role <rolename>

Parameter   Shortcut   Description
-username   -u         Specifies the name of the existing named user account to which the role is being added.
-role       -r         The name of the administrative role being added to that user. The available roles, in descending order of capability, are admin, operator and monitor for general administration, and audit for managing HSM auditing functions.

Example

lunash:>user role add -role operator -username indigo

User indigo was successfully modified.

Command Result : 0 (Success)

lunash:>user role list -userName indigo

Roles for user indigo:
--------------------------------------------------
operator
--------------------------------------------------

Command Result : 0 (Success)
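The complete sequence the text describes, from creating the named user through assigning, enabling and verifying its role, as an added example that is not part of the original page. It assumes that user add and user enable take -username in the same way user role add does (the page refers to both commands but does not show their syntax), so their output is omitted here; the second user role add, which replaces operator with monitor, is a constructed step that illustrates the statement that adding a role displaces any previous role, and its output mirrors the format shown on the page.

```lunash
lunash:>user add -username indigo
lunash:>user role add -username indigo -role operator

User indigo was successfully modified.

Command Result : 0 (Success)
lunash:>user enable -username indigo
lunash:>user role list -username indigo

Roles for user indigo:
--------------------------------------------------
operator
--------------------------------------------------

Command Result : 0 (Success)
lunash:>user role add -username indigo -role monitor

User indigo was successfully modified.

Command Result : 0 (Success)
lunash:>user role list -username indigo

Roles for user indigo:
--------------------------------------------------
monitor
--------------------------------------------------

Command Result : 0 (Success)
```

Because user role add overwrites rather than accumulates, running user role list after each assignment is the check that the account holds exactly the role you intended and nothing more; an account that only needs to read appliance state should be given monitor, not operator.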