Creating Custom Appliance Roles

LunaSH allows you to create custom roles that can be assigned to custom users, specifying exactly which commands that user is able to access. This allows you to delegate specific tasks to personnel according to your organization's security needs. An admin-level user can use the following procedure to create custom roles.

See LunaSH Command Summary in the LunaSH Command Reference Guide for a complete list of available commands.

The following commands (refer to the LunaSH Command Reference Guide) allow you to import, assign, or remove a custom user role on your SafeNet Luna Network HSM appliance:

>user role import

>user role add

>user role delete

To create a custom appliance role and assign it to a user

1. Create a text file on your local workstation that lists each command that you want the role to be able to access (the role definition file).

For example, if you wanted the user Alex to be able to perform backup operations on your HSM but not restore operations, you would create a role definition file including backup commands and not including restore commands.

NOTE   All lines must end with a UNIX-style linefeed (LF) character. If you create your file in Windows, be sure to convert it to use UNIX line endings before transferring it to an HSM appliance.

2. Transfer the role definition file to the appliance using pscp (Windows) or scp (Linux/UNIX). You require the SafeNet Luna Network HSM appliance admin password (or an account with an admin role) to complete this step. The file is automatically placed in the appropriate directory on the appliance; do not specify a target directory (see SCP and PSCP).

3. Log into LunaSH as admin (or the user you specified when transferring the file).

4. Import the role definition file and specify a name for the new role.

LunaSH role names can be 1-64 characters in length. The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._
No spaces are allowed. Role names cannot start with a dot or dash. Creating a role name that begins with a number is not recommended. As with any secure system, no two roles can have the same name.

lunash:> user role import -file <filename> -role <rolename>

lunash:> user role import -file backuprole -role backup

"backuprole" was successfully imported.

Command Result : 0 (Success)

5. Create the user account that you want to assign the role to, if it does not already exist.

lunash:> user add -username <username>

6. Assign the role to the desired user.

lunash:> user role add -username <username> -role <rolename>
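The workstation side of this procedure (steps 1 and 2) is where most mistakes happen: a role definition file with Windows line endings, or a role name the appliance will reject at import time. The following POSIX shell script is an added example, not part of the Luna documentation or the appliance software. It writes a role definition file with LF line endings, checks an existing file for stray carriage returns and strips them, validates a proposed role name against the rules stated above, and prints the appliance commands for steps 2 through 6 so they can be reviewed before they are run. The command names placed in the demonstration role file are constructed placeholders, not real LunaSH commands; the host name and user name are also assumptions.

```shell
#!/bin/sh
# Added example (not from the Luna documentation): prepare and sanity-check a
# LunaSH role definition file on the local workstation before transferring it.
# Host, user and the command lines below are constructed for illustration.

# Write a role definition file, one LunaSH command per line, forcing UNIX (LF)
# line endings regardless of the platform this runs on.
# Usage: write_role_file <path> <command>...
write_role_file() {
    out=$1; shift
    : > "$out"
    for cmd in "$@"; do
        printf '%s\n' "$cmd" >> "$out"
    done
}

# Return 0 if the file contains no carriage-return characters (LF-only),
# 1 otherwise. The appliance requires LF line endings.
has_unix_line_endings() {
    tr -d '\r' < "$1" | cmp -s - "$1"
}

# Strip CR characters in place so a file created on Windows is accepted.
to_unix_line_endings() {
    tr -d '\r' < "$1" > "$1.lf" && mv "$1.lf" "$1"
}

# Check a proposed role name against the documented rules: 1-64 characters
# from [A-Za-z0-9-._], no spaces, must not start with a dot or a dash.
# A leading digit is allowed but not recommended, so it only warns on stderr.
valid_role_name() {
    name=$1
    case $name in
        '' | .* | -* ) return 1 ;;
    esac
    [ "${#name}" -le 64 ] || return 1
    case $name in
        *[!A-Za-z0-9._-]* ) return 1 ;;
    esac
    case $name in
        [0-9]* ) echo "warning: role name '$name' starts with a digit (not recommended)" >&2 ;;
    esac
    return 0
}

# Print the appliance-side steps (2-6) for review. Nothing is executed here;
# the scp target form and the admin account are assumptions for this example.
# Usage: show_appliance_steps <rolefile> <rolename> <username> <appliance-host>
show_appliance_steps() {
    file=$1; role=$2; user=$3; host=$4
    cat <<EOF
# Step 2: transfer the file; no target directory, the appliance places it itself
scp "$file" admin@$host:
# Step 3: log in, then run the remaining commands in LunaSH
ssh admin@$host
lunash:> user role import -file $(basename "$file") -role $role
lunash:> user add -username $user
lunash:> user role add -username $user -role $role
EOF
}

# Demonstration: a backup-only role (constructed placeholder command lines).
demo_dir=$(mktemp -d)
write_role_file "$demo_dir/backuprole" \
    "placeholder-backup-command-1" \
    "placeholder-backup-command-2"
if has_unix_line_endings "$demo_dir/backuprole"; then
    echo "backuprole: LF line endings OK"
else
    to_unix_line_endings "$demo_dir/backuprole"
fi
if valid_role_name backup; then
    show_appliance_steps "$demo_dir/backuprole" backup alex hsm.example.invalid
fi
rm -rf "$demo_dir"
```

Run the script as-is to see the checks and the generated appliance steps; reuse `valid_role_name` and `has_unix_line_endings` in your own transfer scripts so a bad file is caught on the workstation rather than at `user role import`.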