access-policy

This command assigns an access policy.

Syntax

access-policy statement

Parameters

statement
Specifies the policy statement to add. A policy statement takes the following form:
address/domain/resource?[Name=name]&Access=permission [&field=value]
address
An IP address or host alias for a local interface (Ethernet or VLAN) on the appliance. The special value * matches all appliance addresses.
domain
The name of an application domain. This policy applies only to resources in the identified domain.
  • The special value * matches all domains.
  • A PCRE can match select domains.
resource
The resource type to which this policy applies. The special value * matches all resource types.
Name=name
Optional: Identifies by name an instance of the specified resource type. You can use a PCRE; for example, foo.* to specify all resources that start with foo.
Access=permission
The permission string assigns permissions. The string is cumulative and connected by plus (+) signs. For example, the string a+d+x+r+w represents add, delete, execute, read, and write permissions.
field=value
Optional: The field token must be one of the additional fields that can be added to the string. The corresponding value can be a PCRE.

Guidelines

The access-policy command assigns one or more access policy statements to the user group. If there is more than one statement, the statements are cumulative. If more than one statement applies to the same resource, the most specific statement applies. For example, given the following two statements, any member of this user group can read all objects but has complete access privileges to the web management interface:

*/*/*?Access=r
*/*/mgmt/web-mgmt?Access=r+w+a+d+x

It is not possible to remove a specific access policy from the CLI. If you run the no access-policy command, all access policies are removed. To remove a specific access policy from a user group, use the GUI.

Examples

  • Add full access privileges to all resources and read-only access for GUI login and network interface resources to members of the appdev user group.
    # usergroup appdev
    User group configuration mode
    # access-policy "*/*/*?Access=r+w+a+d"
    # access-policy "*/*/login/web-mgmt?Access=r"
    # access-policy "*/*/network/interface?Access=r"
    # exit
    Usergroup update successful
    #
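
The "most specific statement applies" rule from the Guidelines, modelled in Python as an added example; it is not code from the product or its documentation. It assumes that specificity is the number of non-wildcard fields, that equally specific statements combine, and that Python's re module stands in for PCRE; the address 192.0.2.10 and the domain name default are constructed sample values.

```python
import re

PERMS = set("rwadx")  # read, write, add, delete, execute (letters from the page)

def parse_statement(stmt):
    """Parse address/domain/resource?[Name=name]&Access=permission[&field=value]."""
    path, sep, query = stmt.partition("?")
    parts = path.split("/", 2)  # resource types such as mgmt/web-mgmt contain "/"
    if not sep or len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed statement: {stmt!r}")
    fields = dict(kv.split("=", 1) for kv in query.split("&") if kv)
    if "Access" not in fields:
        raise ValueError(f"missing Access= in {stmt!r}")
    access = set(fields.pop("Access").split("+"))
    if not access <= PERMS:
        raise ValueError(f"unknown permission in {stmt!r}")
    return {"address": parts[0], "domain": parts[1], "resource": parts[2],
            "name": fields.pop("Name", None), "access": access, "extra": fields}

def _applies(s, address, domain, resource, name):
    # Assumption: address and resource match literally or via "*"; domain and
    # Name are patterns, approximated here with a full-string Python regex.
    if s["address"] not in ("*", address) or s["resource"] not in ("*", resource):
        return False
    if s["domain"] != "*" and not re.fullmatch(s["domain"], domain):
        return False
    return s["name"] is None or (name is not None and re.fullmatch(s["name"], name) is not None)

def effective_access(statements, address, domain, resource, name=None):
    """Permissions granted by the most specific applicable statement(s)."""
    best, best_score = set(), -1
    for s in map(parse_statement, statements):
        if not _applies(s, address, domain, resource, name):
            continue
        # Assumption: specificity = number of fields that are not wildcards.
        score = sum(s[k] != "*" for k in ("address", "domain", "resource")) + (s["name"] is not None)
        if score > best_score:
            best, best_score = set(s["access"]), score
        elif score == best_score:
            best |= s["access"]  # assumed: equally specific statements combine
    return best

# Statements from the appdev example; the address and domain are constructed.
APPDEV = ["*/*/*?Access=r+w+a+d", "*/*/login/web-mgmt?Access=r",
          "*/*/network/interface?Access=r"]

if __name__ == "__main__":
    for res in ("login/web-mgmt", "network/interface", "mgmt/web-mgmt"):
        print(res, "->", "+".join(sorted(effective_access(APPDEV, "192.0.2.10", "default", res))))
```

Under this model the narrower read-only statements override the broad grant for the two resource types they name, which is the behaviour to confirm when reviewing a user group that starts from a wildcard statement.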