ADC

Example of a user scenario

August 20, 2024

Contributed by:

C C S

The following example shows how to create a complete set of user accounts, groups, and command policies and bind each policy to the appropriate groups and users. The company, Example Manufacturing, Inc., has three users who can access the Citrix ADC appliance:

John Doe. The IT manager. John needs to be able to see all parts of the Citrix ADC configuration but does not need to modify anything.

Maria Ramiez. The lead IT administrator. Maria needs to be able to see and modify all parts of the Citrix ADC configuration except for Citrix ADC commands (which local policy dictates must be performed while logged on as nsroot).
Michael Baldrock. The IT administrator in charge of load balancing. Michael needs to be able to see all parts of the Citrix ADC configuration, but needs to modify only the load balancing functions.

The following table shows the breakdown of network information, user account names, group names, and command policies for the sample company.

Field	Value	Note
Citrix ADC host name	ns01.example.net	N/A
User accounts	johnd, mariar, and michaelb	John Doe, IT manager, Maria Ramirez, IT administrator and Michael Baldrock, IT administrator.
Groups	Managers and SysOps	All managers and all IT administrators.
Command Policies	read_all, modify_lb, and modify_all	Allow complete read-only access, Allow modify access to load balancing, and Allow complete modify access.

The following description walks you through the process of creating a complete set of user accounts, groups, and command policies on the Citrix ADC appliance named ns01.example.net.

The description includes procedures for binding the appropriate user accounts and groups to one another, and binding appropriate command policies to the user accounts and groups.

This example illustrates how you can use prioritization to grant precise access and privileges to each user in the IT department.

The example assumes that initial installation and configuration have already been performed on the Citrix ADC.

Configuration steps

Use the procedure described in “Configuring User Accounts” to create user accounts johnd, mariar, and michaelb.
Use the procedure described in “Configuring User Groups” to create user groups Managers and SysOps, and then bind the users mariar and michaelb to the SysOps group and the user johnd to the Managers group.
Use the procedure described in “[Creating Custom Command Policies] to create the following command policies:
- read_all with action Allow and command spec "(^show\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*)|(^stat.*)"
- modify_lb with action as Allow and the command spec "^set\s+lb\s+.*$"
- modify_all with action as Allow and the command spec "^\S+\s+(?!system).*"
Use the procedure described in “Binding Command Policies to Users and Groups” to bind the read_all command policy to the SysOps group, with priority value 1.
Use the procedure described in “Binding Command Policies to Users and Groups” to bind the modify_lb command policy to user michaelb, with priority value 5.

The configuration you just created results in the following:

John Doe, the IT manager, has read-only access to the entire Citrix ADC configuration, but he cannot make modifications.
Maria Ramirez, the IT lead, has near-complete access to all areas of the Citrix ADC configuration, having to log on only to perform Citrix ADC-level commands.
Michael Baldrock, the IT administrator responsible for load balancing, has read-only access to the Citrix ADC configuration, and can modify the configuration options for load balancing.

The set of command policies that applies to a specific user is a combination of command policies applied directly to the user’s account and command policies applied to the group(s) of which the user is a member.

Each time a user enters a command, the operating system searches the command policies for that user until it finds a policy with an ALLOW or DENY action that matches the command. When it finds a match, the operating system stops its command policy search and allows or denies access to the command.

If the operating system finds no matching command policy, it denies the user access to the command, in accordance with the Citrix ADC appliance’s default deny policy.

Note

When placing a user into multiple groups, take care not to cause unintended user command restrictions or privileges. To avoid these conflicts, when organizing your users in groups, bear in mind the Citrix ADC command policy search procedure and policy ordering rules.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Example of a user scenario

August 20, 2024

Contributed by:

C C S

August 20, 2024

Contributed by:

C C S

Example of a user scenario

Configuration steps

In this article