IBM Guardium

  • 1.  CLI access for a user

    Posted 19 days ago

    Hi community!

    Recently I tried to grant cli privileges to a created user so he/she can access command and GUI. I tried to ssh with those credentials and it fails. It says access denied. When I execute grdapi list_user_roles it shows that the cli role is granted to the user. The user was created via GUI.

    Do you have any idea why? And what might solve it?

    Thanks a lot,

    Piotr



    ------------------------------
    Piotr Cieslak
    ------------------------------


  • 2.  RE: CLI access for a user

    Posted 19 days ago

    Hi Piotr Cieslak,

    Adding the cli role to a user simply allows them to run GuardAPI commands once they log in to the cli as one of the built-in cli users.

    You need to assign them one of the guardcli1...9 accounts. Then they'll log in to the cli using that user name (guardcli1 for example) and set themselves to use the cli by running the set guiuser command to associate it with their regular user account.

    You can reference the CLI Login section of the product documentation for more details: https://www.ibm.com/docs/en/gdp/12.x?topic=commands-using-cli

    set guiuser is explained here: https://www.ibm.com/docs/en/gdp/12.x?topic=commands-user-account-password-authentication-cli#user_account_password_and_authentication_cli_commands__SetGuiuserAuthentication



    ------------------------------
    Wendy Zemba
    Sr. Consultant, Data Protection
    Pellera Technologies
    wendy.zemba@pellera.com

    Need help with your Guardium deployment? Contact me directly to discuss engagement opportunities. Currently serving North America.
    ------------------------------



  • 3.  RE: CLI access for a user

    Posted 19 days ago

    Hi @Wendy Zemba

    Thank you for the very fast answer.

    Just to confirm that I understood it properly: I have to log in as one of the guardcli1-9 accounts and then set guiuser as the one with cli privileges, and then I can run the commands? I have to clarify that because I am told that I can do it and I can ssh via the name of the GUI user, where I think I cannot.

    Piotr



    ------------------------------
    Piotr Cieslak
    ------------------------------



  • 4.  RE: CLI access for a user

    Posted 19 days ago

    Hi @Piotr Cieslak,

    Correct, you can only log in to the Guardium command line interface with either the cli account or one of the guardcli1-9 accounts.

    You cannot provision users to the cli directly or by way of any roles because it is a hardened appliance, meaning the operating system has limited availability. To accommodate customers' requests for audit trails at the cli level and to avoid account-sharing bad practices, IBM added the guardcli1-9 accounts.

    Additionally, you should only need to add the cli role to the account that they'll set as guiuser if they also need to run guardapi commands. Otherwise they can run any "regular" cli command that IBM has made available to customers.



    ------------------------------
    Wendy Zemba
    Sr. Consultant, Data Protection
    Pellera Technologies
    wendy.zemba@pellera.com

    Need help with your Guardium deployment? Contact me directly to discuss engagement opportunities. Currently serving North America.
    ------------------------------



  • 5.  RE: CLI access for a user

    Posted 19 days ago

    Hi @Wendy Zemba

    Thank you very much for the help!

    Piotr



    ------------------------------
    Piotr Cieslak
    ------------------------------



  • 6.  RE: CLI access for a user

    Posted 18 days ago

    guardcliX accounts are not additional CLI-type accounts. Their purpose is to ensure accountability for CLI access.

    When using these accounts, after logging in the user must authenticate again using their own UI account credentials. This makes it possible to identify who the session belonged to and who is responsible for the resulting configuration changes.



    ------------------------------
    Zbigniew (Zibi) Szmigiero
    IBM
    Międzyrzecz
    ------------------------------