diff --git a/articles/operator-nexus/howto-baremetal-run-data-extract.md b/articles/operator-nexus/howto-baremetal-run-data-extract.md index 6df6ebf0daca..fa9379f093c1 100644 --- a/articles/operator-nexus/howto-baremetal-run-data-extract.md +++ b/articles/operator-nexus/howto-baremetal-run-data-extract.md 
@@ -711,3 +711,40 @@ The command provides a link (if using cluster manager storage) or another comman > [!NOTE] > Storage Account could be locked resulting in `403 This request is not authorized to perform this operation.` due to networking or firewall restrictions. Refer to the [cluster manager storage](#deprecated-method-verify-access-to-the-cluster-manager-storage-account) or the [user managed storage](#send-command-output-to-a-user-specified-storage-account) sections for procedures to verify access. + +## Executing a run-data-extracts-restricted Command + +The `run-data-extracts-restricted` command is a duplicate of the standard run-data-extracts command, created to support fine-grained access control via RBAC (Role-Based Access Control). It allows customers to run sensitive data extraction operations on BareMetalMachines with elevated privileges. + +The `run-data-extracts-restricted` is implemented as a new and separate API action. The action is to be introduced in the `v20250701preview` and `v20250901` GA API, and is designed to mirror the behavior of the original command but with restricted access to specific sub-commands.The following list contains the allowed sub commands for`run-data-extracts-restricted`: + +- `cluster-cve-report` +- `mde-agent-information` + +## Prerequisites +* minimum supported API of v20250701preview` or `v20250901` and above +* Storage Blob Container has been configured +* The target bare metal machine is on and ready. +* The syntax for these commands is based on the + version of the az networkcloud CLI. +* Get the Cluster Managed Resource group name (cluster_MRG) that you created for Cluster resource. + +Command execution can be performed using `az networkcloud baremetalmachine run-data-extracts-restricted` and it accepts arguments similarly to the `run-data-extract`. 
+ +**Example** + +```azurecli-interactive +az networkcloud baremetalmachine run-data-extracts-restricted --name "" \ + --resource-group "" \ + --subscription "" \ + --commands '[{"arguments":["--min-severity=8"],"command":"cluster-cve-report"}]' \ + --limit-time-seconds "600" + --output-directory ~/path/to/my/output/directory +``` + + +[{"arguments":["--min-severity=8"],"command":"cluster-cve-report"}]' --output-directory ~/tmp + + +### Storage and Output +Output is stored in a blob container specified by the `commandOutputSettings`. By default the `run-data-extract` command uses the same commandOutputSettings however for security purposes `run-data-extracts-restricted` stores outputs in a seperate blob container. For how to specify the commandOutputSettings override for runcommand [please follow this guide](). +This will require a separate blob container also be configured prior to usage. To setup the storage blob container (please look here)[] \ No newline at end of file
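Review bot: the example in the `azurecli-interactive` block is not runnable as written: the `--limit-time-seconds "600"` line has no trailing `\`, so `--output-directory ~/path/to/my/output/directory` is parsed as a separate shell command rather than as part of the `az networkcloud baremetalmachine run-data-extracts-restricted` invocation; add the continuation backslash. The stray fragment after the closing fence (`[{"arguments":["--min-severity=8"],"command":"cluster-cve-report"}]' --output-directory ~/tmp`) looks like a leftover from a previous draft and should be removed. In the "Storage and Output" section both links are empty or malformed: `[please follow this guide]()` has no target, and `(please look here)[]` has the link text and target swapped; since the text says a separate blob container must be configured before `run-data-extracts-restricted` can be used, those two links are the only path a reader has to that prerequisite, so they need real targets (or the text should point to the existing storage sections referenced in the preceding note). In the "Prerequisites" list the first bullet has unbalanced backticks (`v20250701preview` or `v20250901`` should read `` `v20250701preview` or `v20250901` ``), and the bullet "The syntax for these commands is based on the version of the az networkcloud CLI" is missing the actual version. Minor copy issues: "sub-commands.The following" and "for`run-data-extracts-restricted`" are missing spaces, "seperate" should be "separate", "To setup" should be "To set up", and "The `run-data-extracts-restricted` is implemented" is missing the word "command". Finally, "Prerequisites" is introduced with `##` but reads as a subsection of "Executing a run-data-extracts-restricted Command", so `###` would match the existing "### Storage and Output" heading level.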