Managing User Rights
The initiator integrates with the macOS authorization database. This allows administrators to restrict certain iSCSI operations by using the standard `security` utility to modify the macOS authorization database. For details about the tool, consult the `security(1)` man page.

The `security` tool allows administrators to assign certain rights to particular roles. The rights are defined by various applications, or by the system itself. The initiator defines the rights outlined in the table below. Users who are authorized for the first right can log in to and log out of targets. Users who are authorized for the second right can modify the initiator configuration. This includes the addition and removal of targets and discovery portals, and changes to initiator, discovery and target settings.

Right Name | Description |
---|---|
com.github.iscsi-osx.iSCSInitiator.login-logout | For logging into and out of iSCSI targets |
com.github.iscsi-osx.iSCSIInitiator.modify-config | For modifying initiator, discovery and target settings and adding and removing targets. |

The default configuration is non-restrictive and allows all users to log in, log out and modify the initiator configuration. This can be changed with the `security` tool. For example, the following command restricts modification of the initiator configuration to administrators:

```
$ security authorizationdb write com.github.iscsi-osx.iSCSIInitiator.modify-config authenticate-admin
```

This will cause an authorization dialog to appear if a user then tries to modify a setting (for example, by using the `iscsictl` utility with appropriate arguments). Conversely, the right can be relaxed to all users by using the following command:

```
$ security authorizationdb write com.github.iscsi-osx.iSCSIInitiator.modify-config allow
```

Here we have used the `authenticate-admin` and `allow` rules as two examples. Consult OS X documentation for additional options.
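
An audit check for the non-restrictive default described above, as an added example that is not part of the iSCSI initiator project: it parses the property list printed by `security authorizationdb read` and reports whether the `modify-config` right still resolves to the `allow` rule. The plist shape (a `rule` array, or a bare `class` key) is an assumption, and the embedded samples are constructed for illustration.

```python
import plistlib
import subprocess

# Right name as given on this page.
MODIFY_CONFIG = "com.github.iscsi-osx.iSCSIInitiator.modify-config"

# Constructed samples of `security authorizationdb read` output.
# Assumed shape: a dict whose `rule` array names the rule the right delegates to.
SAMPLE_ALLOW = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>rule</key>
    <array><string>allow</string></array>
    <key>version</key>
    <integer>0</integer>
</dict>
</plist>"""
SAMPLE_ADMIN = SAMPLE_ALLOW.replace(b">allow<", b">authenticate-admin<")


def rules_of(plist_bytes):
    """Return the rule names an entry delegates to, or its bare class."""
    entry = plistlib.loads(plist_bytes)
    rules = entry.get("rule", [])
    if isinstance(rules, str):  # tolerate a single string instead of an array
        rules = [rules]
    return list(rules) or [entry.get("class", "unknown")]


def is_unrestricted(plist_bytes):
    """True when the right is granted to every user without authentication."""
    return rules_of(plist_bytes) == ["allow"]


def audit(right=MODIFY_CONFIG):
    """On macOS, read the live entry for `right` and check whether it is open."""
    result = subprocess.run(["security", "authorizationdb", "read", right],
                            capture_output=True, check=True)
    return is_unrestricted(result.stdout)


if __name__ == "__main__":
    state = "open to all users" if audit() else "restricted"
    print(f"{MODIFY_CONFIG}: {state}")
```

Run on the Mac hosting the initiator; `audit()` raises `CalledProcessError` if the right cannot be read from the authorization database.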
© 2015-2018 Nareg Sinenian, All rights reserved.