chef12 - create a user with a precise set of privileges

Hi, I have a chef12 server. I need to create a couple of user accounts with precise sets of privileges:

  • Account1 - ability to read, update, remove data_bags. Nothing else.
  • Account2 - ability to read, update nodes. Nothing else.

I know there are groups and policies in chef12 to accomplish such tasks, but it seems quite complicated to me. Could anyone help me with concrete examples?


You can use knife acl for that:

Example for data bags:
knife group create data-writers
knife acl add group data-writers containers data read,update,delete
knife acl bulk add group data-writers data '.*' read,update,delete

Next you need to make sure that your user is part of the data-writers group only.
You should be able to figure out the rest from the README at the GitHub repo.
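As an added example (not from the thread or the knife-acl project), the same recipe generalised so it also covers Account2 (nodes, read,update), with the user moved out of the default `users` group, which otherwise keeps read access on most object types. It assumes the knife-acl plugin is installed and knife is configured as an org admin; group and user names are made up.

```shell
#!/bin/sh
# Added example, not from the original answer.
# Emit the knife-acl commands that give GROUP exactly PERMS on OBJECT_TYPE
# (new objects via the container ACL, existing ones via bulk add), put USER
# in that group and take USER out of the default "users" group.
# Usage: chef_least_priv GROUP OBJECT_TYPE PERMS USER
chef_least_priv() {
    group=$1; objtype=$2; perms=$3; user=$4
    cat <<EOF
knife group create $group
knife acl add group $group containers $objtype $perms
knife acl bulk add group $group $objtype '.*' $perms
knife group add user $user $group
knife group remove user $user users
knife acl show containers $objtype
EOF
}

# Run the plan; with DRY_RUN=1 only print the commands for review.
run_plan() {
    chef_least_priv "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf '%s\n' "$cmd"
        else
            eval "$cmd"
        fi
    done
}

# Account1 (hypothetical user "alice"):
#   run_plan data-writers data read,update,delete alice
# Account2 (hypothetical user "bob"):
#   run_plan node-editors nodes read,update bob
```

The final `knife acl show` line prints the resulting container ACL so you can confirm no other group besides `admins` (and your new group) appears in it.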

Hi Ilya! Thanks, I already did it the way you told me …