Overview

The Device Role-Based Access feature provides more security and traceability when users log in to an individual ClevOS device by allowing an administrator to assign permissions to individual login names or groups through the Manager Web Interface.

Previously, system administrators might have had to strategically change the localadmin password to allow users to log in to devices. Frequently changing the localadmin password was problematic, and it was difficult to tell which user made which changes to the system. Now, system administrators can create local accounts or leverage LDAP accounts and assign one of the following defined sets of permissions to users or groups:

  • All nut capabilities including su
  • All nut capabilities excluding su
  • Read-only nut capabilities
  • No access

These permissions are configurable through the Manager Web Interface and Manager REST API. Once configured, the Manager device propagates the permission configurations to each device for nut to enforce.

Users can log in to a device using a local account or LDAP credentials. For systems using LDAP credentials, the LDAP server must be routable from the devices that users will log in to. Only users and groups with device-level permissions set in the Manager can log in to devices.

Each command a user executes is recorded in audit logs and linked back to their local account or LDAP username. These audit logs are stored in the Management Vault for archival purposes. If a user's access level changes, administrators can adjust the permissions granted to the user's local account or LDAP credentials to control their access to devices.

Note: If you want to utilize LDAP credentials, you must provide your own LDAP server.