netauth system capability
Manage internal system capabilities
Synopsis
NetAuth uses a capability-based system for internal access control. The capability command adds and removes capabilities on entities and groups. The preferred way to grant access is for an entity to obtain capabilities through membership in a group that holds them, rather than having capabilities applied to the entity directly. A description of each capability follows:
GLOBAL_ROOT - Confers all other capabilities implicitly. This power is used to bootstrap the server and should be reserved for super administrators who would otherwise be able to obtain it anyway.
CREATE_ENTITY - Allow the creation of entities.
DESTROY_ENTITY - Allows the destruction of entities.
MODIFY_ENTITY_META - Allows modification of entity metadata.
MODIFY_ENTITY_KEYS - Allows modification of entity public keys. Entities are able to change their own keys without this capability.
CHANGE_ENTITY_SECRET - Allows modification of entity secrets. Entities are able to change their own secrets without this capability.
LOCK_ENTITY - Allows setting an entity lock. Locked entities cannot successfully authenticate, even with a correct secret.
UNLOCK_ENTITY - Allows unlocking an entity.
CREATE_GROUP - Allows creation of groups.
DESTROY_GROUP - Allows destruction of groups.
MODIFY_GROUP_META - Allows the modification of group level metadata. This should generally be assigned in conjunction with.
MODIFY_GROUP_MEMBERS - Allows the modification of group memberships. This capability is not needed if the requesting entity is a member of the target group's designated management group.
netauth system capability <identifier> <ADD|DEL> <capability> [flags]
Examples
$ netauth system capability example-group add MODIFY_GROUP_META
Capability Modified
$ netauth system capability --direct demo2 add MODIFY_GROUP_META
You are attempting to add a capability directly to an entity. This is discouraged!
Capability Modified
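The rules stated in the synopsis (GLOBAL_ROOT implying every other capability, capabilities being inherited through group membership, the management-group exception to MODIFY_GROUP_MEMBERS, and locked entities failing authentication even with a correct secret) can be modelled in a few lines of Go. The block below is an added example written for this page; it is not NetAuth's own implementation or API. The Entity, Group and Directory types, the function names, and the sample entities (root, alice, bob, demo2, eve) and groups (admins, example-group-admins) are assumptions constructed for the illustration; only the capability names and example-group / demo2 come from the help text above.

```go
package main

import "fmt"

// Capability names as they appear in the netauth help text above.
type Capability string

const (
	GlobalRoot         Capability = "GLOBAL_ROOT"
	CreateEntity       Capability = "CREATE_ENTITY"
	ModifyGroupMeta    Capability = "MODIFY_GROUP_META"
	ModifyGroupMembers Capability = "MODIFY_GROUP_MEMBERS"
)

// Entity, Group and Directory are hypothetical models for this example,
// not NetAuth's real types or storage.
type Entity struct {
	ID     string
	Direct map[Capability]bool // grants made with --direct (discouraged)
	Groups []string            // names of groups the entity belongs to
	Locked bool
}

type Group struct {
	Name      string
	Caps      map[Capability]bool
	ManagedBy string // management group whose members may edit membership; "" if none
}

type Directory struct {
	Entities map[string]*Entity
	Groups   map[string]*Group
}

// EffectiveCaps is the union of an entity's direct grants and the
// capabilities of every group it is a member of.
func (d *Directory) EffectiveCaps(id string) map[Capability]bool {
	caps := map[Capability]bool{}
	e, ok := d.Entities[id]
	if !ok {
		return caps
	}
	for c := range e.Direct {
		caps[c] = true
	}
	for _, gname := range e.Groups {
		if g, ok := d.Groups[gname]; ok {
			for c := range g.Caps {
				caps[c] = true
			}
		}
	}
	return caps
}

// HasCapability encodes the rule that GLOBAL_ROOT implies every other capability.
func (d *Directory) HasCapability(id string, c Capability) bool {
	caps := d.EffectiveCaps(id)
	return caps[GlobalRoot] || caps[c]
}

// IsMember reports whether the entity belongs to the named group.
func (d *Directory) IsMember(id, group string) bool {
	e, ok := d.Entities[id]
	if !ok {
		return false
	}
	for _, g := range e.Groups {
		if g == group {
			return true
		}
	}
	return false
}

// CanModifyMembers: MODIFY_GROUP_MEMBERS (or GLOBAL_ROOT) is required unless the
// requester is a member of the target group's designated management group.
func (d *Directory) CanModifyMembers(requester, target string) bool {
	g, ok := d.Groups[target]
	if !ok {
		return false
	}
	if g.ManagedBy != "" && d.IsMember(requester, g.ManagedBy) {
		return true
	}
	return d.HasCapability(requester, ModifyGroupMembers)
}

// CanAuthenticate: a locked entity fails even when its secret is correct.
func (d *Directory) CanAuthenticate(id string, secretMatches bool) bool {
	e, ok := d.Entities[id]
	return ok && !e.Locked && secretMatches
}

// SampleDirectory holds constructed data mirroring the help page's examples:
// example-group carries MODIFY_GROUP_META and demo2 holds a direct grant.
func SampleDirectory() *Directory {
	return &Directory{
		Entities: map[string]*Entity{
			"root":  {ID: "root", Groups: []string{"admins"}},
			"alice": {ID: "alice", Groups: []string{"example-group"}},
			"bob":   {ID: "bob", Groups: []string{"example-group-admins"}},
			"demo2": {ID: "demo2", Direct: map[Capability]bool{ModifyGroupMeta: true}},
			"eve":   {ID: "eve", Locked: true},
		},
		Groups: map[string]*Group{
			"admins":               {Name: "admins", Caps: map[Capability]bool{GlobalRoot: true}},
			"example-group":        {Name: "example-group", Caps: map[Capability]bool{ModifyGroupMeta: true}, ManagedBy: "example-group-admins"},
			"example-group-admins": {Name: "example-group-admins", Caps: map[Capability]bool{}},
		},
	}
}

func main() {
	d := SampleDirectory()
	for _, id := range []string{"root", "alice", "bob", "demo2"} {
		fmt.Printf("%-5s CREATE_ENTITY=%v edit example-group members=%v\n",
			id, d.HasCapability(id, CreateEntity), d.CanModifyMembers(id, "example-group"))
	}
	fmt.Println("eve (locked) with correct secret:", d.CanAuthenticate("eve", true))
}
```

Note that bob can edit example-group's membership without holding MODIFY_GROUP_MEMBERS at all, purely through the management group, while alice, who has MODIFY_GROUP_META via example-group, cannot; this is the distinction the synopsis draws between the two group capabilities.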
Options
--direct Provided identifier is an entity (discouraged)
-h, --help help for capability
Options inherited from parent commands
--config string Use an alternate config file
--entity string Specify a non-default entity to make requests as
--secret string Specify the request secret on the command line
SEE ALSO
- netauth system - Internal system functions