Once a user is added, the user needs to be granted access to run commands. The user's command menu will only display those commands to which access has been granted.
To grant access to a command, use the 'user grant' command as follows:
user grant <username> <command> [options]
Only one command can be granted at a time; however, a granted command can be complex. The more detailed the command, the more fine-grained the privilege becomes. This is best explained by example.
Running the following command:
user grant peter app
will allow the user peter to execute any command within the 'app' series of commands. However, it could be restricted further by instead running a command like:
user grant peter app list
With this version peter will see the app command on his menu, but its help will only display 'list' as a sub-command - peter can thus see the list of apps but cannot perform more potentially risky tasks such as installing or restarting applications.
This can be expanded to other subsets by simply running additional grants:
user grant peter app start
This would now allow peter to both see the list of applications and restart applications that failed; however, he will not be able to do other app-related tasks such as installations.
The grant command effectively verifies that the start of a command entered by a user matches one of the privileges granted to that user - so peter will be able to add options to any command he is granted access to.
In order to restrict commands, be sure to determine whether any options should be allowed and, if not, only grant access to the specific parameters you wish peter to be able to execute. For example, if peter is your database administrator you may wish to use:
user grant peter app start mongodb
instead of giving access to all app start commands.
Should you wish to revoke a command privilege from a user, you can do this using the following command:
user revoke <username> <full command>
The command being revoked must match exactly one of the commands previously granted to a user. To review the current privileges of a user, use:
user list <username>
This will display the user's entire list of granted commands in full. You can also just run
user list
without an option to list all users created on your system and their privileges.
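The start-of-command matching and exact-match revocation described above can be modelled in a few lines. This is an added example, not the tool's own code: the GrantTable class, its method names, the word-by-word comparison, and the sample commands (including --verbose and webserver) are assumptions made for illustration.

```python
# Added illustration; GrantTable and its methods are hypothetical, not the tool's code.
import shlex

class GrantTable:
    def __init__(self):
        self.grants = {}  # username -> list of granted commands (token tuples)

    def grant(self, user, command):
        tokens = tuple(shlex.split(command))
        if tokens not in self.grants.setdefault(user, []):
            self.grants[user].append(tokens)

    def revoke(self, user, full_command):
        # Revocation must match a previously granted command exactly.
        tokens = tuple(shlex.split(full_command))
        if tokens not in self.grants.get(user, []):
            raise ValueError("no exact grant: " + full_command)
        self.grants[user].remove(tokens)

    def is_allowed(self, user, command_line):
        # Allowed when the start of the typed command matches any grant,
        # so anything typed after the granted prefix is accepted too.
        # Assumption: comparison is word by word, not character by character.
        typed = tuple(shlex.split(command_line))
        return any(typed[:len(g)] == g for g in self.grants.get(user, []))

    def shadowed(self, user):
        # Audit helper: narrow grants made pointless by a broader one.
        gs = self.grants.get(user, [])
        return [" ".join(n) for n in gs
                if any(b != n and n[:len(b)] == b for b in gs)]

def demo():
    # Constructed sample commands; --verbose and webserver are made up.
    t = GrantTable()
    t.grant("peter", "app list")
    t.grant("peter", "app start mongodb")
    results = {
        "list": t.is_allowed("peter", "app list"),
        "start_mongodb_opts": t.is_allowed("peter", "app start mongodb --verbose"),
        "start_other": t.is_allowed("peter", "app start webserver"),
        "install": t.is_allowed("peter", "app install mongodb"),
    }
    t.grant("peter", "app start")  # broader grant added later
    results["start_other_after"] = t.is_allowed("peter", "app start webserver")
    results["shadowed"] = t.shadowed("peter")
    return results

if __name__ == "__main__":
    print(demo())
```

The shadowed() result shows why reviewing 'user list' output matters: once 'app start' is granted, the narrower 'app start mongodb' grant no longer restricts anything.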