How to Grant your HelpDesk Limited Access to your NetScaler CLI Shell
If you ever needed to troubleshoot login issues with the Netscaler, you know that you have to drop down to the Command Line Interface (shell) in order to trace the aaad.debug log.
But what if you need to give your helpdesk access to the same logs so that they can troubleshoot login issues? Well, that requires that you give them shell access.
But, as per Citrix, “If a user goes to the shell, that user is already a root user”, and we sure wouldnt want our helpdesk techs having root access to our Netscalers. So how do we give them enough access to troubleshoot but not have root, we can create a “Command Policy”
A “Command Policy” is what tells the Netscaler what a user can and cant do, for example, the command policy for “superuser” is “ALLOW .*” (that’s a period and an asterisk which is Regular Expression for “Any Character”), that means the user with the command policy of superuser can execute any command.
Now to create the command policy for the Helpdesk
- Log in to our NetScaler using a superuser account
- Under the System Folder, select “Command Policies”
- Click the “Add” button and name your new policy “HelpDesk”, make sure that the “Action” is set to “Allow” and enter the following expression under “Command Spec”
1^shell (cat (/tmp/|/var/log/)[a-zA-Z]*\.(log|debug)|ls (/tmp|/var/log))$
Now we have to assign our new policy to our Helpdesk group. Since my NetScaler is “LDAP enabled” for login in, all I have to do is create a group, assign my new policy, and done. (If your Netscaler is not LDAP enabled, then you will have to go and create users manually and assigning them to the group we are going to create bellow)
- Under the same “System” folder, Select “Groups”
- Click the “Add” button and name your new group “NetScaler-HelpDesk” (It has to match exactly what your helpdesk group is called in LDAP, in my case I have a group called “NetScaler-HelpDesk”)
- Under the “command policies” window, pick your newly created “HelpDesk” Policy, then hit the “Create” and then the “Close” button
- Now Fire up putty and try to login with one of your HelpDesk user ID’s, you will see that you can only trace “log” or “debug” files and only in the “/var/log” and “/tmp” directories
Thats all there is to it. Now your Helpdesk can troubleshoot NetScaler log in issues while you concentrate on fixing other things