SUMMARY:

Role Based Access Control(RBAC) plays an important role in separating roles and segregating privileges. Roles are assigned to each user and policies are created to enforce access to the objects (entities) by the subjects (roles). This particular blog describes a use case of managing the AGEE user accounts (asked in Using Role Based Access Control(RBAC) to securely manage the NetScaler configuration).

A commandSpec is a regular expression through which the permission to execute configuration commands on NetScaler are determined. A commandPolicy can either allow or deny commands present in a commandSpec. A user will have only those permissions that are defined by the commandPolicy.

Steps for creating commandSpec which will allow a user to add/remove AGEE user accounts:

Assuming the admin has followed the steps for creating AGEE server on NetScaler and a user user1 is created.

  • The commandPolicy (add_aaa) is created with the following commandSpec:

add system commandPolicy add_aaa ALLOW (^add\s+aaa\s+user\s+[a-zA-Z0-9]+\s+(-password)\s+.+$)|(^(rm|bind|unbind|set)\s+aaa\s+user\s+.+)|(^show\s+aaa\s+user.*)|(^show\s+vpn\s+intranetApplication.*)

As shown in the screenshot, the valid commands are shown in green and commands that do not match with the commandSpec are shown in red.

The above commandSpec can be divided into following:

1)“(^add\s+aaa\s+user\s+[a-zA-Z0-9_]+\s+(-password)\s+.+$)”

Allow user1 to add new AGEE users.

2)“(^(rm|bind|unbind|set)\s+aaa\s+user\s+.+)”

Allow user1 to (a) remove an existing AGEE user, (b) bind/unbind an SSL/VPN user to intranetApplication or intranetIP and (c) set new password the AGEE user.

3)“(^show\s+aaa\s+user.*)”

Allow user1 to list existing AGEE users. The user1 can select an AGEE user and remove him or change properties of that user.

4)“(^show\s+vpn\s+intranetApplication.*)”

Allow user1 to view available intranetApplications. This commandSpec is required if user1 wants to change intranetApplication settings for AGEE users.

  • The commandSpec “add_aaa” is bound to user1.
  • Now using the above command policy user1 will have permissions for adding/removing or set properties of AGEE users.

So, by using the RBAC feature, a user can easily manage the AGEE user accounts without affecting other settings.