Command Templates
Command Templates allow administrators to safely delegate the execution of predefined commands to users who do not have direct SSH access to a device.
They provide a secure, controlled mechanism to run commands without exposing the server shell, preventing command-injection risks and limiting what less-privileged users can execute.
Only super admins or users with the appropriate permission can create, edit, or delete Command Templates.
Overview
A Command Template defines a command structure composed of static text and dynamic variables.
Each variable can include strict validation rules, ensuring that users cannot enter values that could harm the device or allow shell injection.
Once a template is created, any user with the Send Command Template permission can execute that template on one or multiple devices simultaneously.
Creating a Command Template

Go to:
Command Templates → Create
You will see the following fields:
Name
A descriptive name for the command template.
Users will see this name when selecting a command to execute.
Description (optional)
Additional text describing the purpose of the template.
Enabled
You may disable a template without deleting it.
Defining the Command Structure
A template is composed of command “parts,” which can be:
- Static text
- Variables (dynamic values provided by the user during execution)
Example:
ls -l [path_filtered]
Each variable appears inside brackets and must be configured with:
- A unique name
- A type
- Validation rules
Variable Types
Each variable type controls what kind of data the user is allowed to enter.
Available types include:
Any (use with caution)
Accepts any input. Recommended only for trusted users.
Numeric
Allows only numbers.
Alpha
Allows only alphabetic characters (A–Z, a–z).
Alphanumeric
Allows letters and numbers.
Path
Allows safe filesystem characters (slashes, dots, hyphens, underscores).
Prevents command injection.
IPv4
Validates IPv4 addresses.
IPv6
Validates IPv6 addresses.
Hostname
Validates hostnames according to DNS conventions.
Regex
Allows the administrator to define a custom regular expression for validation.
Custom
Lets the administrator define exactly which characters are permitted.
Useful when the allowed set is very strict (e.g., only slashes, dots, and hyphens).
Security Model
Command Templates are designed to ensure that:
- Less privileged users can run operational commands without accessing SSH
- All user inputs are validated before generating the final command
- Administrators decide exactly what can and cannot be submitted
- Command injection is prevented by enforcing strict variable rules
- Templates can only be created by privileged users
This system allows organizations to expose common operational tasks safely, such as:
- Checking disk usage
- Tailing logs
- Listing directories
- Restarting supervised services
All without giving shell access.
Sending a Command Template

Users with the Send Command Template permission can execute a template by going to:
Devices → Send Command Template
The interface displays:
- Template name and full command structure
- The list of variables that must be filled
- The devices on which the command will run
- A validation summary showing which rules apply to each variable
Users can run the command on one or multiple devices simultaneously.
If a variable fails validation, the command cannot be executed.
Example Flow
- A super admin creates a template: ls -l [path]
- The variable “path” is set to type “Path”
- A user with limited permissions opens the “Send Command Template” screen
- They enter a directory path
- Validation ensures the input is safe
- The command is executed on the selected devices
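The flow above as an added sketch in Python, not the product's own code: each variable is validated against its type and then placed into the command as exactly one argument. The patterns, the extra Path checks, the function names, and the rule that a variable must be a standalone whitespace-separated token are all assumptions made for illustration.

```python
import ipaddress
import re

# Assumed patterns for some of the variable types named on this page (illustrative).
PATTERNS = {
    "numeric": r"[0-9]+",
    "alpha": r"[A-Za-z]+",
    "alphanumeric": r"[A-Za-z0-9]+",
    "path": r"[A-Za-z0-9/._-]+",
}
VAR = re.compile(r"\[([A-Za-z_][A-Za-z0-9_]*)\]")  # a [name] placeholder


def is_valid(var_type: str, value: str) -> bool:
    """Return True only if value satisfies the rules for var_type."""
    if var_type in ("ipv4", "ipv6"):
        cls = ipaddress.IPv4Address if var_type == "ipv4" else ipaddress.IPv6Address
        try:
            cls(value)
            return True
        except ValueError:
            return False
    pattern = PATTERNS.get(var_type)
    if pattern is None:
        return False  # unknown type: fail closed
    # fullmatch: the whole value must match, so a trailing newline is rejected.
    if re.fullmatch(pattern, value) is None:
        return False
    if var_type == "path":
        # Added hardening beyond the character set (an assumption): no leading
        # "-" (would be read as an option) and no ".." path component.
        return not value.startswith("-") and ".." not in value.split("/")
    return True


def render(template: str, types: dict, values: dict) -> list:
    """Build an argv list; each variable becomes exactly one argument."""
    argv = []
    for token in template.split():
        m = VAR.fullmatch(token)
        if m is None:
            argv.append(token)  # static text
            continue
        name = m.group(1)
        if not is_valid(types[name], values[name]):
            raise ValueError(f"variable {name!r} failed {types[name]} validation")
        argv.append(values[name])
    return argv
```

The returned list is meant to be executed directly as an argument vector rather than joined into a string and passed to a shell, which is also an assumption of this sketch.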
Best Practices
- Prefer strict variable types whenever possible
- Avoid using “Any” unless the user is trusted
- Use Custom or Regex validation when the input must follow a strict structure
- Review variable rules regularly to ensure security
Permissions Required
To create/edit/delete templates:
- super_admin, or
- users with the Create Command Templates permission
To execute templates:
- users with the Send Command Template permission
Conclusion
Command Templates provide a secure, controlled way to expose operational commands to non-privileged users.
By defining strict rules per variable, administrators guarantee that commands remain safe while still empowering users to perform necessary actions across multiple devices.