because you don't have a 'nouser' line in the users file other user mapping may be happening here.

can you also send the users.local and exports files?

and how are you launching nsh here to test this ? 

Yes, that is the case here

Also seems like there are not using NSH here, but NSH from a client

The best way to secure should be use of NSH proxy.

Yes

___

Cheers…

Soundappan Shanmugam

HP:  +91 9711156098

Because u r not using NSH proxy and the fact that the nouser flag is swicthed off,

the mapping which is happening is letting to be mapped as rw as specified in exports file

Switch on the nouser flag.

or

Change exports to ro.

and try again

For security, I will strongly recommed to use NSH proxy so that all NSH client go through authentication, and wll use a role whicih can  be controlled well

U r running from NSH Client and not doing an NSH here ?

on the client NSHm say id

and see what user is running NSH

Worst case to implement this will be to mae an entry in users.local for

<local user id>   ro,map=Administrator,commands=CM:agentinfo:awk:egrep:grep:head:hostname:ls:nsh:tail:uname:update:view:nexec:ifconfig:iostat:ipconfig:nbtstat:netstat:ps

Try this

Best is to use NSH proxy and give only the NSH Only role, which shld also be default nsh role for this user

How r u running this as NSH here from the GUI ?

When u execute command

id

what is the output ?

I think there is some confusion about how nsh works.

if you do not have the nsh proxy configured:

-> if you run nsh from the command line, or the start menu, when you try to contact a remote host, nsh will send across your OS username to the target.  if there is a mapping entry for * or for your actual user name like 'BILL rw,map=root' then you will get access to the target.  if there is no mapping entry then you will not get any access.

-> if you run nsh from 'nsh here' you will send across your BSA role:user combination, and the agent will look for a mapping entry for role:user in the rsc files.  if one is found, you get access, if none is found you don't get access.

-> when you run 'nsh here' the role that is used is the default NSH Role.

if you have the nsh proxy setup and you have your nsh client configured to use the nsh proxy, you will need to use blcred to get credentials, or check the 'cache session credentials' box on the gui login.  then you will send across your BSA role:user to the target.