System administration has to balance security on one hand against functionality and ease of use on the other. Deciding what information each employee may access, and enforcing that decision with fully secured entities, is not an easy task. Role Based Access Control (RBAC) plays an important role in separating roles and segregating privileges. Each user is assigned a role, and policies are created to control access to objects (entities) by subjects (roles). This blog describes the flexibility and functionality of the RBAC module in a NetScaler appliance.
RBAC in a NetScaler appliance has four built-in roles: Operator, Read-only, Network and Superuser. The Superuser role is equivalent to the appliance's default nsroot administrator. The Operator role lets you perform some basic operations on configuration entities, whereas the Read-only role only lets you list the entities. The Network role has more functionality than the Operator role, but still has some restrictions. You can modify any of these roles by changing its command spec with the following command.
> set system cmdPolicy <policyName> <action> <cmdSpec>
The action can be Allow or Deny, and the cmdSpec is a regular expression.
In addition to the default policies, the NetScaler appliance lets you create your own roles by running the “add cmdpolicy” command. The GUI of the appliance provides a convenient interface for creating and testing the command spec. The following screen shot of the NetScaler GUI shows how it helps you build regular expressions if you are not well versed in them.
As with any policy in a NetScaler appliance, you must name the command policy. In the Command Spec field you specify a regular expression. The Analyzer on the right-hand side explains each notation you enter in the command spec field. The sample regular expression (^show\s+(?!system).*) used in the screen shot allows any show command other than “show system”. Notice that the Analyzer gives a complete explanation of the regular expression.
Test Commands is an additional feature for checking how the command spec behaves against specific commands. Commands shown in green match the policy; commands shown in red do not.
The NetScaler GUI also lets you build the command spec from the different entity groups in the NetScaler appliance. When you click Add, the Add Command dialog box is displayed, as shown in the following screen shot. Here you choose the entity groups along with the operations to be permitted for each group. You can exclude System commands, which access the system parameters and need shell access.
Additionally, you can select several entity groups, and the command spec is generated from that selection. The Advanced tab offers similar functionality, but there the command spec can be built for individual entities.
The next part of this blog will cover use case deployments of this feature. Stay tuned.