user role import

Import a role description or definition from a file that defines the list of commands a custom role is able to perform. See Appliance Users and Roles for more information.

NOTE   The commands that can be included in a custom role definition are all those available to the appliance admin user, or to roles subordinate to admin.(*)

The appliance audit user is not a subordinate role under admin, so commands that belong to the audit role cannot be included in a custom role definition file.

(* Availability of commands also depends on whether a command exists in the particular appliance or in the cryptographic module within the appliance. An older software or firmware version might not include commands that were introduced in later versions, and some commands are present only if specific optional secure packages are installed. In either case, an attempt to import a role definition file that names unavailable commands is rejected. Rejection also occurs if commands in the file are misspelled or do not match the exact lettercase of the LunaSH command. The rejection message names each rejected command to help you troubleshoot.)

A role definition file is a UNIX-format file containing a list of LunaSH commands that are allowed for the role, for example:

exit
help
scp
hsm init
hsm login
hsm logout
hsm show
my file list
partition create

All lines must end with a UNIX-style linefeed (LF) character. If you create the file on Windows, convert its CRLF line endings to LF (for example with dos2unix) before transferring it to a Luna Network HSM 7 appliance.

When the definition is applied to a named role using the command user role add, that role will have access only to commands that are named in the file.

NOTE   The system does not pre-detect the purpose of the file, so it is up to you to name your role definition files usefully, and to recognize them when you import them.

LunaSH role names can be 1-255 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_

No spaces are allowed. Creating a role name that begins with a number is not recommended. Role names must be unique: no two roles can have the same name.
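The following script is an added example, not part of the Thales documentation or the LunaSH software: it pre-flights a role definition file on your workstation before you scp it to the appliance, applying the rules described above (LF line endings, exact spelling and lettercase, availability of each command) and the role-name rules. The allowlist of known commands is constructed from the example role file on this page; a real appliance's command set depends on its software/firmware version and installed packages, so replace it with the list from your own appliance. The sample Windows-style input file is constructed for the demonstration.

```python
import re

# Constructed allowlist: the LunaSH commands listed in the example role file on
# this page. The real set depends on the appliance's software/firmware version
# and installed packages, so feed in the command list from your own appliance.
KNOWN_COMMANDS = frozenset({
    "exit", "help", "scp",
    "hsm init", "hsm login", "hsm logout", "hsm show",
    "my file list", "partition create",
})

# Role names: 1-255 characters from [A-Za-z0-9_], no spaces.
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,255}$")


def check_role_name(name):
    """Return a list of problems with a LunaSH role name; an empty list means OK."""
    problems = []
    if not ROLE_NAME_RE.match(name):
        problems.append("must be 1-255 characters from [A-Za-z0-9_] with no spaces")
    elif name[0].isdigit():
        problems.append("begins with a digit (allowed, but not recommended)")
    return problems


def normalize_role_file(data):
    """Rewrite CRLF/CR line endings as LF and make sure the last line ends in LF."""
    text = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    if text and not text.endswith(b"\n"):
        text += b"\n"
    return text


def check_role_file(data, known=KNOWN_COMMANDS):
    """Pre-flight a role definition file against the rules the appliance enforces.

    Returns (accepted, rejections): accepted is the list of command names that
    pass; rejections is a list of (line_number, line_text, reason), with line 0
    used for whole-file problems. Blank lines and duplicate entries are also
    flagged; that is this validator's own choice, stricter than the page states.
    """
    accepted, rejections, seen = [], [], set()
    if b"\r" in data:
        rejections.append((0, "", "CR characters present; convert to UNIX LF line endings"))
    lower_to_exact = {cmd.lower(): cmd for cmd in known}
    # Check the normalized text so the command-name problems are reported too.
    lines = normalize_role_file(data).decode("utf-8", errors="replace").split("\n")[:-1]
    for num, line in enumerate(lines, start=1):
        if line.strip() == "":
            rejections.append((num, line, "blank line"))
        elif line != line.strip():
            rejections.append((num, line, "leading or trailing whitespace"))
        elif line in known:
            if line in seen:
                rejections.append((num, line, "duplicate entry"))
            else:
                seen.add(line)
                accepted.append(line)
        elif line.lower() in lower_to_exact:
            # LunaSH command names are case-sensitive; suggest the exact form.
            rejections.append((num, line, "wrong lettercase; did you mean '%s'?"
                               % lower_to_exact[line.lower()]))
        else:
            rejections.append((num, line, "unknown, misspelled or unavailable command"))
    return accepted, rejections


# Constructed sample: a role file saved on Windows (CRLF) with two bad entries.
SAMPLE_WINDOWS_FILE = (
    b"exit\r\n"
    b"help\r\n"
    b"HSM show\r\n"          # wrong lettercase
    b"partition creat\r\n"   # misspelled
    b"hsm login\r\n"
)

if __name__ == "__main__":
    for problem in check_role_name("indigo"):
        print("role name 'indigo':", problem)
    accepted, rejections = check_role_file(SAMPLE_WINDOWS_FILE)
    for num, text, reason in rejections:
        print("line %d %r: %s" % (num, text, reason))
    print("would be accepted:", accepted)
```

Run it against the file you intend to import; once it reports no rejections, write the output of normalize_role_file() to disk and scp that LF-only file to the appliance before running user role import.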

Syntax

user role import -file <filename> -role <rolename>

Argument(s)         Shortcut   Description
-file <filename>    -f         Name of the file being imported.
-role <rolename>    -r         The name of the administrative role for which a description file is being imported.

Example

lunash:>user role import -file rolefile1 -role indigo

"rolefile1" was successfully imported.

Command Result : 0 (Success)