Restrict user permission to Citrix ADC management interfaces

The allowed management interface parameter enables a system administrator to restrict user access to specific Citrix ADC management interfaces such as CLI or API. The parameter defines the list of permitted management interfaces for a user. For example, if the management interface for a user or a group is set to API, all users in the group can access Citrix ADC through API and not through CLI. However, GUI is part of the API interface and users with API permission can also access the GUI interface.

Note

By default, users and groups have access to all interfaces (CLI, API and GUI).

You can configure the parameter either at the user level or at the user group level. When you configure at the group level, the configuration is applied across all user accounts in the group. If a user is bound to multiple groups, the appliance allows access to an aggregated set of management interfaces. You can provide specific settings for a user of a group by setting this parameter at user level, in this case – user level setting is given preference over group for that particular user. In certain scenarios, when the customer is using an external authentication server for managing user accounts, the server details are configured on the appliance. In this case, the administrator can create a user group in the Citrix ADC appliance and add all users (grouped in the external server) to the group. For example, all users managed in the external server are added to the API_users group and the admin can configure the group locally on the appliance.

Note

The Citrix ADC appliance allows only network administrators to configure the parameter and does not allow any system user to change the parameter setting.

Configure allowed management interface parameter

To allow user access to a specific management interface, you can set the allowed management interface parameter. At the command prompt, type:

set system group <groupName> [-allowedManagementInterface ( CLI | API )]

Example:

set system group network_usergroup –allowedManagementInterface CLI

Restrict user permission to Citrix ADC management interfaces