Cluster administration tools such as the crm shell (crmsh), Hawk, or the Pacemaker GUI can be used by root or any user in the group haclient. By default, these users have full read/write access. To limit access or assign more fine-grained access rights, you can use access control lists (ACLs).
Access control lists consist of an ordered set of access rules. Each rule allows read or write access or denies access to a part of the cluster configuration. Rules are typically combined to produce a specific role; users can then be assigned to a role that matches their tasks.
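The following CIB fragment is an added illustration, not taken from this guide. It shows how rules, roles, and users fit together in the pacemaker-2.0 ACL schema. All role IDs, permission IDs, user names, and the resource ID rsc-web are constructed placeholders.

```xml
<!-- Constructed example for the acls section of the CIB (pacemaker-2.0 schema).
     ACLs are only enforced when the cluster property enable-acl is true. -->
<acls>

  <!-- Role with a single rule: read access to the whole CIB. -->
  <acl_role id="monitor">
    <acl_permission id="monitor-read-cib" kind="read" xpath="/cib"/>
  </acl_role>

  <!-- Role that combines several rules into one task-specific profile. -->
  <acl_role id="web-operator">
    <!-- Write access limited to the meta attributes of one resource
         (hypothetical primitive with the ID rsc-web). -->
    <acl_permission id="web-operator-write-meta" kind="write"
                    xpath="//primitive[@id='rsc-web']/meta_attributes"/>
    <!-- No access to the ACL definitions themselves. -->
    <acl_permission id="web-operator-deny-acls" kind="deny"
                    xpath="/cib/configuration/acls"/>
    <!-- Read access to the rest of the configuration. -->
    <acl_permission id="web-operator-read-cib" kind="read" xpath="/cib"/>
  </acl_role>

  <!-- Users are assigned to roles. The target ID is the user name;
       alice and bob are placeholder accounts in the group haclient. -->
  <acl_target id="alice">
    <role id="monitor"/>
  </acl_target>
  <acl_target id="bob">
    <role id="web-operator"/>
  </acl_target>

</acls>
```

A user with an acl_target entry is limited to what the assigned roles grant, so verify each role with a test account before relying on it to restrict an operator.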
NOTE: CIB Syntax Validation Version and ACL Differences
This ACL documentation only applies if your CIB is validated with the CIB syntax version pacemaker-2.0 or higher. For details on how to check this and upgrade the CIB version, see Upgrading the CIB Syntax Version.
If you have upgraded from SUSE Linux Enterprise High Availability Extension 11 SP3 and kept your former CIB version, refer to the Access Control List chapter in the High Availability Guide for SUSE Linux Enterprise High Availability Extension 11 SP3. It is available from http://www.suse.com/documentation/.