CSCwh01099 - Command Runner RBAC control in DNA Center

Isaac Bode · ‎01-30-2024

There really needs to be an option in RBAC to enable or disable command runner. It shouldn't be tied to viewing inventory.

The issue with how it is now, you can't disable the "show run" command in command runner. But, you can disable access to the device configuration in the RBAC controls. This gives a user a way to view the running config when they should not have access to it.

olivier vigeant · ‎05-30-2024

Hi

I agree with you. There are 2 Command Runner module (Inventory and Tools menu), and I also need to be able to deny access in RBAC (or undeploy this package which is installed by default in 2.3.5.x).

thomas.minarro.fr · ‎06-18-2024

This command runner line in RBAC is a must for security reasons.
I would even say, what is really needed is an advanced RBAC that would be as granular as possible.

thomas.minarro.fr · ‎06-18-2024

I was able to block the command runner with a proxy denying "^/api/v1/network-device-poller/cli/read-request"
Hope it helps you work around your problem too.

olivier vigeant · ‎06-18-2024

Hi @thomas.minarro.fr

the proxy solution is working, but was not planed in our design.

We raised a user request regarding RBAC enhancement and the ability to use a deny value for command runner. We must now wait for development.