When a user attempts to access an object (cluster, server, server pool, VLAN, etc.) on FortiADC, the system determines whether the user has permission to access the object as follows:
Permission to access an object is granted in one of two ways:
Note - The permit_object and permit_objlist commands:
- can be used only on existing user logins.
- must be entered one at a time, on a line by themselves, with no other user context commands on the command line.
So, for example, you cannot modify a user's duration parameter and in the same command line include a permit_object or permit_objlist command.
Using permit_object to Assign User Permissions on a Single Object
The user context permit_object command has the following syntax:
permit_object perm type object_name
The command assigns the given permission on the given object in the user context. The command arguments are as follows:
For example, the following command executed in the global context assigns read and write permission to the server sv00 for the existing login user1:
eqcli > user user1 permit_object read,write server sv00
Using permit_objlist to Assign User Permissions on a Group of Objects
The user context permit_objlist command has the following syntax for assigning read, write, and delete permissions:
permit_objlist perm type objlist_name
This form of the permit_objlist command assigns the given permission (perm) on all objects of the specified type that appear in the object list specified by objlist_name. The command arguments for assigning permission to objects in an object list are as follows:
For example, the following command executed in the global context assigns read and write permission to all of the servers listed in the object list objlist1 for the login user1:
eqcli > user user1 permit_objlist read,write server objlist1
For more information on object lists, please see Object List Commands.
Using permit_objlist to Allow a User to Create Objects
The user context permit_objlist command has the following syntax for assigning the create permission to a user:
permit_objlist create type {default | objlist_name}
For example, the following command executed in the global context allows user1 to create servers that other non-admin users cannot access:
eqcli > user user1 permit_objlist create server default
The following command allows user1 to create servers and specify the objlist1 object list when creating a server, thus adding the new server to objlist1:
eqcli > user user1 permit_objlist create server objlist1
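The following Python model is an added illustration of how the grants described in this section resolve when a user touches an object; it is not FortiADC or eqcli code, and the class, method and sample names (PermissionModel, user2, sv02, sv03) are constructed for the example. It shows the difference between a permit_object grant (one named object), a permit_objlist grant (every object currently in the list, so membership is evaluated at access time), and the two forms of the create grant: creating with default puts the new object in no object list, so another non-admin user whose access comes from an objlist grant does not see it, while creating with objlist1 adds the object to that list and so exposes it to anyone holding permissions on objlist1.

```python
"""Model of permit_object / permit_objlist permission resolution.

Added example, not FortiADC code. Data structures and sample users,
servers and object lists are constructed for illustration.
"""
from dataclasses import dataclass, field

PERMS = {"read", "write", "delete"}


def parse_perms(perm):
    """Split an eqcli-style perm argument such as 'read,write' and validate it."""
    perms = {p.strip() for p in perm.split(",")}
    bad = perms - PERMS
    if bad:
        raise ValueError(f"unknown permission(s): {sorted(bad)}")
    return perms


@dataclass
class PermissionModel:
    # objlists[type][objlist_name] -> names of objects of that type in the list
    objlists: dict = field(default_factory=dict)
    # user -> {(perm, type, object_name)}, filled by permit_object
    object_grants: dict = field(default_factory=dict)
    # user -> {(perm, type, objlist_name)}, filled by permit_objlist perm ...
    objlist_grants: dict = field(default_factory=dict)
    # user -> {type: {'default' or objlist_name}}, filled by permit_objlist create ...
    create_grants: dict = field(default_factory=dict)

    def permit_object(self, user, perm, otype, name):
        """permit_object perm type object_name"""
        for p in parse_perms(perm):
            self.object_grants.setdefault(user, set()).add((p, otype, name))

    def permit_objlist(self, user, perm, otype, objlist):
        """permit_objlist perm type objlist_name, or permit_objlist create type {default|objlist}"""
        if perm == "create":
            self.create_grants.setdefault(user, {}).setdefault(otype, set()).add(objlist)
            return
        for p in parse_perms(perm):
            self.objlist_grants.setdefault(user, set()).add((p, otype, objlist))

    def in_objlist(self, otype, objlist, name):
        return name in self.objlists.get(otype, {}).get(objlist, set())

    def can(self, user, perm, otype, name):
        """Grant via a direct object grant, or via an objlist grant whose list
        contains the object at the time of the check."""
        if (perm, otype, name) in self.object_grants.get(user, set()):
            return True
        return any(p == perm and t == otype and self.in_objlist(otype, ol, name)
                   for (p, t, ol) in self.objlist_grants.get(user, set()))

    def create(self, user, otype, name, objlist=None):
        """Create an object. Without an objlist the user needs a 'default' create
        grant; with one, the user needs a create grant naming that list and the
        new object is added to it."""
        allowed = self.create_grants.get(user, {}).get(otype, set())
        target = objlist if objlist is not None else "default"
        if target not in allowed:
            return False
        if objlist is not None:
            self.objlists.setdefault(otype, {}).setdefault(objlist, set()).add(name)
        return True


def demo():
    """Replay the section's commands against constructed sample data."""
    m = PermissionModel(objlists={"server": {"objlist1": {"sv00", "sv01"}}})
    m.permit_object("user1", "read,write", "server", "sv00")        # user user1 permit_object read,write server sv00
    m.permit_objlist("user2", "read,write", "server", "objlist1")   # constructed second login
    m.permit_objlist("user1", "create", "server", "objlist1")       # user user1 permit_objlist create server objlist1
    results = {
        "user1_read_sv00": m.can("user1", "read", "server", "sv00"),
        "user1_delete_sv00": m.can("user1", "delete", "server", "sv00"),
        "user1_read_sv01": m.can("user1", "read", "server", "sv01"),
        "user2_write_sv01": m.can("user2", "write", "server", "sv01"),
        "user1_create_sv02_in_objlist1": m.create("user1", "server", "sv02", "objlist1"),
        "user1_create_sv03_default_before_grant": m.create("user1", "server", "sv03"),
    }
    results["user2_read_sv02"] = m.can("user2", "read", "server", "sv02")
    m.permit_objlist("user1", "create", "server", "default")        # user user1 permit_objlist create server default
    results["user1_create_sv03_default_after_grant"] = m.create("user1", "server", "sv03")
    results["user2_read_sv03"] = m.can("user2", "read", "server", "sv03")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running demo() shows user1 reading sv00 but not deleting it or reading sv01 (the permit_object grant covers one object and two permissions only), user2 reaching sv01 through objlist1, sv02 becoming visible to user2 as soon as user1 creates it into objlist1, and sv03, created with default, staying out of user2's reach.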