Gateway

Configuring Custom Command Policies for Delegated Administrators

When configuring a custom command policy, you provide a policy name and then configure the policy components to create the command specification. With the command specification, you can limit the commands administrators are allowed to use. For example, you want to deny administrators the ability to use the remove command. When configuring the policy, set the action to deny and then configure the parameters.

You can configure a simple or advanced command policy. If you configure a simple policy, you configure a component on the appliance, such as Citrix Gateway and authentication. If you configure an advanced policy, you select the component, called an entity group and then select the commands administrators are allowed to perform in the group.

To create a simple custom command policy

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand System > User Administration and then click Command Policies.

  2. In the details pane, click Add.

  3. In Policy Name, type a name for the policy.

  4. In Action, select Allow or Deny.

  5. Under Command Spec, click Add.

  6. In the Add Command dialog box, on the Simple tab, in Operation, select the action that delegated administrators can perform.

  7. Under Entity Group, select one or more groups.

    You can press the CTRL key to select multiple groups.

  8. Click Create and then click Close.

To create an advanced custom command policy

  1. In the configuration utility, in the navigation pane, on the Configuration tab, expand System > User Administration and then click Command Policies.

  2. In the details pane, click Add.

  3. In Policy Name, type a name for the policy.

  4. In Action, select Allow or Deny.

  5. Under Command Spec, click Add.

  6. In the Add Command dialog box, click the Advanced tab.

  7. In Entity Group select the group to which the command belongs, such a authentication or high availability.

  8. Under Entity, select the policy.

    You can press the CTRL key to select multiple items in the list.

  9. In Operation, select the command, click Create and then click Close.

    You can press the CTRL key to select multiple items in the list.

  10. Click Create and then click Close.

  11. In the Create Command Policy dialog box, click Create and then click Close.

When you click Create, the expression appears under Command Spec in the Create Command Policy dialog box.

After creating the custom command policy, you can bind it to a user or a group.

Note: You can only bind custom command policies to users or groups you create. You cannot bind a custom command policy to the user nsroot.

To bind a custom command policy to a user or group

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand System > User Administration and then click System Users or click Systems Groups.
  2. In the details pane, select a user or group from the list and then click Open.
  3. Under Command Policies, select the policy and then click OK.
Configuring Custom Command Policies for Delegated Administrators