Q: Can we modify the admin role?
A: No!
cluster1::> security login role show -role admin
           Role          Command/  Access
Vserver    Name          Directory Level
---------- ------------- --------- -------
cluster1   admin         DEFAULT   all
cluster1::> security login role modify -role admin -cmddirname DEFAULT -access none
Error: command failed: Cannot modify pre-defined roles.
Q: Can we modify the role of the admin user?
A: Yes, mostly. The exception is the service-processor application (but you could delete the service-processor application from admin).
cluster1::> security login show -user-or-group-name admin
Vserver: cluster1
User/Group             Authentication           Acct
Name       Application Method        Role Name Locked
---------- ----------- ------------- --------- ------
admin      amqp        password      admin     no
admin      console     password      admin     no
admin      http        cert          admin     -
admin      http        password      admin     no
admin      ontapi      cert          admin     -
admin      ontapi      password      admin     no
admin      service-processor
                       password      admin     no
admin      ssh         password      admin     no
8 entries were displayed.
cluster1::> security login modify -user-or-group-name admin -vserver cluster1 -application * -role readonly
Error: command failed on vserver "cluster1" user-or-group-name "admin" application "console" authentication-method "password": Cannot delete the last console login with the role "admin". Create a new console admin login before deleting this one.
Warning: Do you want to continue running this command? {y|n}: y
Error: command failed on vserver "cluster1" user-or-group-name "admin" application "service-processor" authentication-method "password": Modification of a "service-processor" user's role to a non-admin role is not supported.
Warning: Do you want to continue running this command? {y|n}: y
6 entries were modified.
cluster1::> security login delete -user-or-group-name admin -vserver cluster1 -application service-processor -authentication-method password
Q: Can we lock the admin user?
A: Yes, if there is another user/group with admin privileges.
cluster1::> security login lock -username admin -vserver cluster1
Error: command failed: You cannot lock the account of the last user with the role "admin" that can log into the node CLI using the console.
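Added example (not part of the original post): a Python pre-flight check that parses captured "security login show" output, including the wrapped service-processor row, and reports whether another unlocked console login with the role "admin" would remain before you lock or demote admin. It assumes the five-column layout shown above; the "secadmin" account and the function names are hypothetical.

```python
# Constructed sample: the `security login show` layout from this page (five
# columns, long application names wrapped onto a second line), plus a
# hypothetical second account "secadmin" that is not on the original page.
SAMPLE = """\
Vserver: cluster1
User/Group             Authentication           Acct
Name       Application Method        Role Name Locked
---------- ----------- ------------- --------- ------
admin      console     password      admin     no
admin      service-processor
                       password      admin     no
admin      ssh         password      admin     no
secadmin   console     password      admin     no
secadmin   ssh         password      admin     no
5 entries were displayed.
"""


def parse_logins(text):
    """Return (user, application, method, role, locked) tuples from the table."""
    rows, pending, in_table = [], None, False
    for line in text.splitlines():
        tok = line.split()
        if line.startswith("Vserver:"):
            in_table = False                      # new section, header follows
        elif not in_table:
            in_table = bool(tok) and set(line) <= set("- ")   # dashed ruler
        elif len(tok) == 5:
            rows.append(tuple(tok))
            pending = None
        elif len(tok) == 2:
            pending = tuple(tok)                  # wrapped row, first half
        elif len(tok) == 3 and pending:
            rows.append(pending + tuple(tok))     # wrapped row, second half
            pending = None
    return rows


def console_admins(rows, exclude=None):
    """Unlocked users holding role admin on the console application."""
    return sorted({user for user, app, _method, role, locked in rows
                   if app == "console" and role == "admin"
                   and locked != "yes" and user != exclude})


def safe_to_lock(rows, user):
    """True if another console admin remains after locking `user`."""
    return bool(console_admins(rows, exclude=user))


if __name__ == "__main__":
    rows = parse_logins(SAMPLE)
    print("console admins:", console_admins(rows))
    print("safe to lock admin:", safe_to_lock(rows, "admin"))
```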