Granting and revoking user rights
Once a user has been added, that user needs to be granted access to run commands. The user's command menu will only display those commands to which access has been granted.
To grant access to a command use the ‘user grant’ command as follows:
user grant <username> <command> [options]
Only one command can be granted at a time, but a granted command can be as specific as you like. The more detailed the granted command, the more fine-grained the privilege becomes. This is best explained by example.
Running the following command:
user grant peter app
will allow the user peter to execute any command within the 'app' series of commands. However, the privilege can be restricted further by instead running a command like:
user grant peter app list
With this version peter will still see the app command on his menu, but its help will only display 'list' as a sub-command. Peter can thus see the list of apps but cannot perform more potentially risky tasks such as installing or restarting applications.
This can be expanded to other subsets simply by running additional grants:
user grant peter app start
would now allow peter both to see the list of applications and to restart applications that failed; however, he will still not be able to perform other app-related tasks such as installations. The grant command effectively verifies that the start of a command entered by a user matches one of the privileges granted to that user, so peter will be able to add options to any command he has been granted access to.
In order to restrict commands, be sure to determine whether any options should be allowed and, if not, only grant access to the specific parameters you wish peter to be able to execute. For example, if peter is your database administrator you may wish to use:
user grant peter app start mongodb
instead of giving access to all app start commands.
Should you wish to revoke a command privilege from a user you can do this using the following command:
user revoke <username> <full command>
The command being revoked must exactly match one of the commands previously granted to the user. To review the current privileges of a user, use:
user list <username>
which will display the user's entire list of granted commands in full. You can also just run
user list
without a username to list all users created on your system and their privileges.