Adding a Role (CLI)

A role is a collection of authorizations that can be assigned to a user. Use this procedure to define a new role. Also see the alternative method at the end of this task, which is ideal for cloning a local role as a directory role or for cloning a system-delivered role to a local or directory role.

Note:

System roles are intended as sample roles delivered with the product. To adapt a system role for site-specific use, clone it and modify the cloned role rather than creating changes directly to the system role.

1. Go to configuration roles.
2. Enter either local or directory, followed by the name of the role that you want to create. For local and directory roles, the first character of the name cannot be $. This character is reserved for system-delivered roles. Role types:

   • local - Role applies to this appliance only.

   • directory - Role applies to one of two directory group types and allows logging in as an administrator:

     • LDAP - Role applies to same-named, existing LDAP directory group. For name, enter the exact same name for the LDAP directory group as configured on the LDAP server. Members of the same-named UNIX group are assigned this role and can log in as an administrator.

     • Active Directory - Role applies to same-named, existing Active Directory (AD) group. For name, enter the exact same name in the format name@domain as configured for the AD group members on the AD server. Valid members of the same-named AD group are assigned this role and can log in as an administrator.

   • system roles - System roles are delivered with the appliance and are not created from the CLI. System roles are immutable and can only be assigned or cloned.
3. Set the description of the role.
4. Enter commit to add the role.
5. Select the new role.
6. Enter authorizations.
7. Add authorizations for this role.

   See "Scopes, Filters, and Authorizations Available for Users and Roles" in User Authorizations.

   Iterate the following steps until you have added all of the authorizations that you want this role to have:

   1. Enter create.
   2. Enter set scope= followed by the scope name. Use tab-completion to see the list.
   3. Enter show to see available filters, if any, and authorizations.
   4. If a filter is available, set the filter value.

      Use tab-completion to see the list of possible filter values.

   5. Set to true all authorizations that you want to include in this role.
   6. Enter commit.
8. Enter done and then enter done again.

Alternative Method

To create a new role with the same authorizations as an existing role, use the clone command. In configuration roles, enter clone existing-role-name new-role-name new-role-type . For new-role-type, enter local or directory. The new-role type can be different from the existing type. For example, a local role can be cloned to a directory role. A system role can also be cloned to a local or directory role. If no role type is specified, the new type is the same as the cloned type. A cloned role is editable; the original system role is not.

Related Topics

• Understanding Users and Roles

• User Authorizations

• Managing User Properties