Operations
The following is a high-level overview of how to configure this feature.
- Configure the LDAP server information.
- Create or configure a local account, an individual LDAP user, or an LDAP group.
- Allocate a set of device access privileges to the user or group. These privileges can be controlled at the Manager devices, non-Manager devices, or sites level.
Device access permissions
A user can execute the nut shell with limited commands, based on the permissions that he or she has been granted. The user can have the following permissions:
| Permissions | Allowed Commands | Denied Commands |
|---|---|---|
| Root | activate, appliance, bgp, channel, dump-log, edit, enclosure, health, help, ipmi, manager, note, ping, ping6, port, poweroff, reboot, route, scp, serial, sftp-server, storage, su, system, version, UNLISTED | password, sshkeys |
| Read/Write | activate, appliance, bgp, channel, dump-log, edit, enclosure, health, help, ipmi, manager, note, ping, ping6, port, poweroff, reboot, route, scp, serial, sftp-server, storage, system, version, UNLISTED | password, su, sshkeys |
| Read Only | appliance, bgp, channel, dump-log, health, help, ipmi sel (info, list, elist, get, time), ipmi chassis (status, power (status)), ipmi identify, ipmi policy (list), ipmi restart_cause, ipmi poh, ipmi bootparam (get, selftest), ipmi sdr (list, elist, type, get, info, entity, dump), manager, note, ping, ping6, port, route, storage (list, help), system, version | activate, edit, enclosure (enable, disable), password, poweroff, reboot, scp, serial, sftp-server, sshkeys, su, UNLISTED |
| No Access | N/A | N/A |
Access to each individual device depends on the user or group's default Manager device permissions, default non-Manager device permissions, and site level permissions. For Manager devices, the most permissive default permission determines device access; site level permissions do not apply. For non-Manager devices, the most permissive of all default or site level permissions determines device access.
In the following example scenario, you are a member of a group and have these permissions:
| Devices | Individual Permissions | Group Permissions |
|---|---|---|
| Manager devices | No Access | No Access |
| All other devices | Read | Read |

| Sites | Individual Permissions | Group Permissions |
|---|---|---|
| Boston | Read/Write | Read |
Given the following devices, you have these accesses:
- Slicestor A is associated with the site Boston.
  You have Read/Write access to this device, because you have Read/Write permissions for devices in the site Boston.
- Accesser B is not associated with any site.
  You have Read access to this device, because you have Read permissions by default for non-Manager devices and your group has equivalent permissions.
- Manager D is associated with the site Boston.
  You do not have access to this device, because neither you nor your group have permissions for Manager devices. Site level permissions do not apply to Manager devices.
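The resolution rule stated above (most permissive of the individual and group defaults, with site-level permissions counted only for non-Manager devices) can be written down as a short function. The following is an added example, not code from the product or its documentation; the class and function names are assumptions, the permission ordering is taken from the command table, "Read" in the scenario tables is treated as "Read Only", and the user, group and device data are the scenario described above.

```python
# Added example (not product code): resolve effective device access from
# default Manager / non-Manager permissions and site-level permissions,
# following the "most permissive wins" rule described in the text.
from dataclasses import dataclass, field
from typing import Dict, Optional

# Permission levels ordered from least to most permissive (from the command table).
LEVELS = ["No Access", "Read Only", "Read/Write", "Root"]


def most_permissive(*levels: str) -> str:
    """Return the most permissive of the given permission levels."""
    return max(levels, key=LEVELS.index)


@dataclass
class Principal:
    """Default permissions of one user or one group (names are assumptions)."""
    manager_default: str
    non_manager_default: str
    site_permissions: Dict[str, str] = field(default_factory=dict)


@dataclass
class Device:
    name: str
    is_manager: bool
    site: Optional[str] = None


def effective_access(device: Device, *principals: Principal) -> str:
    """Resolve access to one device across a user and every group the user belongs to."""
    candidates = []
    for p in principals:
        if device.is_manager:
            # Manager devices: only the default Manager permission counts;
            # site-level permissions are ignored entirely.
            candidates.append(p.manager_default)
        else:
            # Non-Manager devices: default permission plus, if the device is in a
            # site, that site's permission; the most permissive of all applies.
            candidates.append(p.non_manager_default)
            if device.site is not None:
                candidates.append(p.site_permissions.get(device.site, "No Access"))
    return most_permissive(*candidates)


# Constructed scenario data, matching the tables above ("Read" read as "Read Only").
USER = Principal("No Access", "Read Only", {"Boston": "Read/Write"})
GROUP = Principal("No Access", "Read Only", {"Boston": "Read Only"})
DEVICES = [
    Device("Slicestor A", is_manager=False, site="Boston"),
    Device("Accesser B", is_manager=False, site=None),
    Device("Manager D", is_manager=True, site="Boston"),
]


def scenario() -> Dict[str, str]:
    """Effective access for each scenario device."""
    return {d.name: effective_access(d, USER, GROUP) for d in DEVICES}


if __name__ == "__main__":
    for name, level in scenario().items():
        print(f"{name}: {level}")
```

Note that `effective_access` never lets a site-level grant raise access to a Manager device, even when the site entry is more permissive than both defaults, which is exactly the Manager D case in the scenario.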