The following example shows how to create a complete set of user accounts, groups, and command policies and bind each policy to the appropriate groups and users. The company, Example Manufacturing, Inc., has three users who can access the NetScaler appliance:
John Doe. The IT manager. John needs to be able to see all parts of the NetScaler configuration but does not need to modify anything.
The following table shows the breakdown of network information, user account names, group names, and command policies for the sample company.

| Item | Value | Description |
|---|---|---|
| NetScaler host name | ns01.example.net | N/A |
| User accounts | johnd, mariar, and michaelb | John Doe, IT manager; Maria Ramirez, IT administrator; and Michael Baldrock, IT administrator. |
| Groups | Managers and SysOps | All managers and all IT administrators. |
| Command policies | read_all, modify_lb, and modify_all | Allow complete read-only access; allow modify access to load balancing; and allow complete modify access. |

The following description walks you through the process of creating a complete set of user accounts, groups, and command policies on the NetScaler appliance named ns01.example.net.
The description includes procedures for binding the appropriate user accounts and groups to one another, and binding appropriate command policies to the user accounts and groups.
This example illustrates how you can use prioritization to grant precise access and privileges to each user in the IT department.
The example assumes that initial installation and configuration have already been performed on the NetScaler.
The configuration you just created results in the following:
The set of command policies that applies to a specific user is a combination of command policies applied directly to the user's account and command policies applied to the group(s) of which the user is a member.
Each time a user enters a command, the operating system searches the command policies for that user until it finds a policy with an ALLOW or DENY action that matches the command. When it finds a match, the operating system stops its command policy search and allows or denies access to the command.
If the operating system finds no matching command policy, it denies the user access to the command, in accordance with the NetScaler appliance's default deny policy.
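
The evaluation order described above, modeled in Python as an added example (not Citrix code or appliance output). The policy names come from the table; the regular expressions, the hypothetical `deny_rm` policy, the bindings and priorities, and the assumption that a lower priority number is evaluated first are all constructed for illustration.

```python
import re

# Policy names are from the page's table; the regexes, the DENY policy
# "deny_rm", the bindings and the priorities are constructed for illustration.
POLICIES = {
    "read_all":   ("ALLOW", r"^(show|stat)\s+\S+"),
    "modify_lb":  ("ALLOW", r"^(add|set|rm|bind|unbind)\s+lb\s+\S+"),
    "modify_all": ("ALLOW", r"^\S+\s+\S+"),
    "deny_rm":    ("DENY",  r"^rm\s+\S+"),  # hypothetical, not on the page
}
GROUP_MEMBERS = {"Managers": {"johnd"}, "SysOps": {"mariar", "michaelb"}}
# Each binding is (policy name, priority).
# Assumption: the lowest priority number is evaluated first.
GROUP_BINDINGS = {"Managers": [("read_all", 1)], "SysOps": [("read_all", 1)]}
USER_BINDINGS = {
    "mariar":   [("modify_all", 5)],
    "michaelb": [("deny_rm", 2), ("modify_lb", 5)],
}

def effective_policies(user):
    """Combine the user's own bindings with those of every group the user
    belongs to, ordered by priority (ties are not modeled here)."""
    bound = list(USER_BINDINGS.get(user, []))
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            bound += GROUP_BINDINGS.get(group, [])
    return sorted(bound, key=lambda binding: binding[1])

def authorize(user, command):
    """Return (action, deciding policy). The search stops at the first policy
    whose expression matches; with no match, the default deny applies."""
    for name, _priority in effective_policies(user):
        action, spec = POLICIES[name]
        if re.search(spec, command):
            return action, name
    return "DENY", "default-deny"

if __name__ == "__main__":
    for user, cmd in [("johnd", "show lb vserver"),
                      ("johnd", "set lb vserver v1 -lbMethod ROUNDROBIN"),
                      ("michaelb", "rm lb vserver v1")]:
        print(user, "|", cmd, "->", authorize(user, cmd))
```

Running a list of sensitive commands through `authorize` for each account is a quick way to confirm that a planned set of bindings grants no more than intended before it is applied to the appliance.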