Overview
The Device Role-Based Access feature provides more security and traceability when users log in to an individual ClevOS device by allowing an administrator to assign permissions to individual login names or groups through the Manager Web Interface.
Previously, system administrators might have had to strategically change the localadmin password to allow users to log in to devices. Changing the localadmin password frequently could be problematic, and it was difficult to tell which user made which changes to the system. Now, system administrators can create local accounts or leverage LDAP accounts and assign one of the following defined sets of permissions to users or groups:
- All nut capabilities including su
- All nut capabilities excluding su
- Read-only nut capabilities
- No access
These permissions are configurable through the Manager Web Interface and Manager REST API. Once configured, the Manager device propagates the permission configurations to each device for nut to enforce.
Users can log in to a device using a local account or LDAP credentials. For systems using LDAP credentials, the LDAP server must be routable to the devices that users will log in to. Only users and groups with device-level permissions set in the Manager can log in to devices.