Editing Authorizations for a Role (CLI)

A role is a collection of authorizations that can be assigned to a user. Use this procedure to add and delete authorizations for a role. This procedure applies to editable roles only. System-delivered roles cannot be modified. To change the authorizations provided by a system role, clone the system role and edit the cloned role.

Note:

System roles are not editable; to customize, clone the system role into a local or directory role and edit that clone.

1. Go to configuration roles.
2. Enter select followed by the role name.
3. Enter authorizations. If the selected role is a system role, authorizations are read-only and cannot be changed.
4. Optional: Add authorizations for this role.

   See "Scopes, Filters, and Authorizations Available for Users and Roles" in User Authorizations.

   Iterate the following steps until you have added all of the authorizations that you want this role to have:

   1. Enter create.
   2. Enter set scope= followed by the scope name. Use tab-completion to see the list.
   3. Enter show to see available filters, if any, and authorizations.
   4. If a filter is available, set the filter value.

      Use tab-completion to see the list of possible filter values.

   5. Set to true all authorizations that you want to include in this role.
   6. Enter commit.
5. Optional: Delete authorizations for this role.

   For each authorization that you want to remove for this role, enter destroy and the name of the authorization.

   hostname:configuration roles rolename authorizations> destroy auth-001
   This will destroy "auth-001". Are you sure? (Y/N) y

6. Enter done and then enter done again.

Related Topics

• Understanding Users and Roles

• User Authorizations

• Managing User Properties