
Example of a user scenario

The following example shows how to create a complete set of user accounts, groups, and command policies and bind each policy to the appropriate groups and users. The company, Example Manufacturing, Inc., has three users who can access the Citrix ADC appliance:

  • John Doe. The IT manager. John needs to be able to see all parts of the Citrix ADC configuration but does not need to modify anything.

  • Maria Ramirez. The lead IT administrator. Maria needs to be able to see and modify all parts of the Citrix ADC configuration except for Citrix ADC system-level commands (which local policy dictates must be performed while logged on as nsroot).

  • Michael Baldrock. The IT administrator in charge of load balancing. Michael needs to be able to see all parts of the Citrix ADC configuration, but needs to modify only the load balancing functions.

The following table shows the breakdown of network information, user account names, group names, and command policies for the sample company.

| Field | Value | Note |
| --- | --- | --- |
| Citrix ADC host name | ns01.example.net | N/A |
| User accounts | johnd, mariar, and michaelb | John Doe, IT manager; Maria Ramirez, IT administrator; and Michael Baldrock, IT administrator. |
| Groups | Managers and SysOps | All managers and all IT administrators. |
| Command policies | read_all, modify_lb, and modify_all | Allow complete read-only access, allow modify access to load balancing, and allow complete modify access. |

The following description walks you through the process of creating a complete set of user accounts, groups, and command policies on the Citrix ADC appliance named ns01.example.net.

The description includes procedures for binding the appropriate user accounts and groups to one another, and binding appropriate command policies to the user accounts and groups.

This example illustrates how you can use prioritization to grant precise access and privileges to each user in the IT department.

The example assumes that initial installation and configuration have already been performed on the Citrix ADC.

Configuration steps

  1. Use the procedure described in “Configuring User Accounts” to create user accounts johnd, mariar, and michaelb.
  2. Use the procedure described in “Configuring User Groups” to create user groups Managers and SysOps, and then bind the users mariar and michaelb to the SysOps group and the user johnd to the Managers group.
  3. Use the procedure described in “Creating Custom Command Policies” to create the following command policies:

    • read_all with action Allow and command spec "(^show\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*)|(^stat.*)"
    • modify_lb with action Allow and command spec "^set\s+lb\s+.*$"
    • modify_all with action Allow and command spec "^\S+\s+(?!system).*"
  4. Use the procedure described in “Binding Command Policies to Users and Groups” to bind the read_all command policy to the SysOps group, with priority value 1.
  5. Use the procedure described in “Binding Command Policies to Users and Groups” to bind the modify_lb command policy to user michaelb, with priority value 5.

The configuration you just created results in the following:

  • John Doe, the IT manager, has read-only access to the entire Citrix ADC configuration, but he cannot make modifications.
  • Maria Ramirez, the IT lead, has near-complete access to all areas of the Citrix ADC configuration, having to log on as nsroot only to perform Citrix ADC system-level commands.
  • Michael Baldrock, the IT administrator responsible for load balancing, has read-only access to the Citrix ADC configuration, and can modify the configuration options for load balancing.

The set of command policies that applies to a specific user is a combination of command policies applied directly to the user’s account and command policies applied to the group(s) of which the user is a member.

Each time a user enters a command, the operating system searches the command policies for that user until it finds a policy with an ALLOW or DENY action that matches the command. When it finds a match, the operating system stops its command policy search and allows or denies access to the command.

If the operating system finds no matching command policy, it denies the user access to the command, in accordance with the Citrix ADC appliance’s default deny policy.

Note

When placing a user into multiple groups, take care not to cause unintended user command restrictions or privileges. To avoid these conflicts, when organizing your users in groups, bear in mind the Citrix ADC command policy search procedure and policy ordering rules.
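The search procedure described above (combine the policies bound to the user and to the user's groups, take the first ALLOW or DENY whose command spec matches, otherwise deny) is small enough to model directly. The following Python is an added illustration, not Citrix code or output: it uses the three command specs from step 3 as ordinary regular expressions and evaluates sample commands for each user. Steps 4 and 5 bind only read_all to SysOps and modify_lb to michaelb; to reproduce the outcome described for all three users, the model additionally assumes read_all bound to the Managers group and modify_all bound to mariar (labelled as assumptions in the code), and assumes that a lower priority number is evaluated first.

```python
import re
from dataclasses import dataclass

# Constructed model of the scenario above: an added illustration of how command
# policies are searched, not Citrix code and not the appliance's own output.


@dataclass(frozen=True)
class CommandPolicy:
    name: str
    action: str    # "ALLOW" or "DENY"
    cmdspec: str   # regular expression, as given in the command policy

    def matches(self, command: str) -> bool:
        # Command specs are anchored regexes; search() honours the ^ anchors.
        return re.search(self.cmdspec, command) is not None


# Command policies from step 3 of the example.
POLICIES = {p.name: p for p in (
    CommandPolicy("read_all", "ALLOW",
                  r"(^show\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*)|(^stat.*)"),
    CommandPolicy("modify_lb", "ALLOW", r"^set\s+lb\s+.*$"),
    CommandPolicy("modify_all", "ALLOW", r"^\S+\s+(?!system).*"),
)}

# Group membership from step 2.
GROUPS = {"Managers": {"johnd"}, "SysOps": {"mariar", "michaelb"}}

# Bindings: (user or group, policy name, priority).
# Assumption in this model: a lower priority number is evaluated first.
BINDINGS = [
    ("SysOps",   "read_all",   1),   # step 4
    ("michaelb", "modify_lb",  5),   # step 5
    ("Managers", "read_all",   1),   # assumed: lets johnd read, as described
    ("mariar",   "modify_all", 10),  # assumed: lets mariar modify, as described
]


def groups_of(user):
    """Groups the user is a member of."""
    return {g for g, members in GROUPS.items() if user in members}


def policies_for(user):
    """Policies bound to the user and to the user's groups, in priority order."""
    principals = {user} | groups_of(user)
    bound = [(prio, POLICIES[name]) for who, name, prio in BINDINGS if who in principals]
    bound.sort(key=lambda item: item[0])
    return [policy for _, policy in bound]


def evaluate(user, command):
    """Return (action, policy_name) from the first matching policy, or ("DENY", None)."""
    for policy in policies_for(user):
        if policy.matches(command):
            return policy.action, policy.name
    return "DENY", None   # default deny: no policy matched


if __name__ == "__main__":
    # Constructed sample commands; the output shows which policy decides each one.
    for user in ("johnd", "mariar", "michaelb"):
        for cmd in ("show lb vserver",
                    "set lb vserver v1 -lbMethod LEASTCONNECTION",
                    "set cs vserver v2 -comment x",
                    "show ns runningConfig",
                    "set system user ops"):
            print(f"{user:9} {cmd!r:50} -> {evaluate(user, cmd)}")
```

Running the model shows the interaction the note above warns about: for michaelb, "stat lb vserver" is allowed by read_all at priority 1 before modify_lb is ever consulted, and for mariar, "show ns runningConfig" is excluded by read_all but then allowed by modify_all, because modify_all excludes only commands whose second word is "system". Checking each user's effective decision for a list of commands in this way is a cheap test to run before and after adding a user to another group.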
