ACL on iControl interfaces.

iControl requires read/write user privileges as a majority of the methods require both types of actions. I believe what you are asking for method and parameter level authorization. For example, user "A" can modify pool "pool1" but not pool "pool2". Currently, iControl does not support this directly. There are approximately 1500 methods exposed in iControl and it has been determined that building a complex authorization scheme around parameter level validation is usually more easily developed in a custom build "shim" layer on top of iControl. For instance, one customer developed a web portal where the end users logged into were able to control the sections of the configuration that they owned.

 

 

We are always looking at how we can enhance security and welcome any specific requests for features.

If an icontrol querry is just reading configuration from 3dns server, why do the user id need write access enabled at that time?

In 4.x, only users with iControl privileges are allowed iControl access. This access check happens when the client request comes through the CORBA Portal, and the access check is based on the user's privileges, not on what method is being called. So if the user has iControl privileges, the user will be allowed iControl access, regardless of whether he/she is querying or modifying.

 

 

In 9.x, our authorization access check has been reworked to use a combination of the user's role and what method is being invoked.

 

 

Regards,

 

Loc