RBAC with VSC 6.2.1 and ONTAP 9.0

Hi everybody,


I have created a role and user for VSC on ONTAP 9.0 cluster via RBAC user creator. The user has only discovery permissions, because it is not used for backup, restore or cloning operations.


The role has the following capabilities:


security login role show -role vsc_role
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
vmware     vsc_role      DEFAULT                                       none
                         lun create                                    readonly
                         lun geometry                                  readonly
                         lun igroup create                             readonly
                         lun igroup modify                             readonly
                         lun igroup show                               readonly
                         lun mapping create                            readonly
                         lun mapping delete                            readonly
                         lun mapping show                              readonly
                         lun modify                                    readonly
                         lun show                                      readonly
                         network interface                             readonly
                         security login role show-user-capability      all
                         set                                           all
                         snapmirror create                             all
                         snapmirror list-destinations                  readonly
                         snapmirror show                               all
                         version                                       readonly
                         volume create                                 readonly
                         volume efficiency modify                      all
                         volume efficiency show                        all
                         volume efficiency stat                        all
                         volume modify                                 readonly
                         volume qtree create                           readonly
                         volume qtree show                             readonly
                         volume quota report                           readonly
                         volume show                                   readonly
                         vserver                                       readonly
                         vserver export-policy create                  readonly
                         vserver export-policy delete                  readonly
                         vserver export-policy rule create             readonly
                         vserver export-policy rule delete             readonly
                         vserver export-policy rule modify             readonly
                         vserver export-policy rule show               readonly
                         vserver export-policy show                    readonly
                         vserver fcp create                            readonly
                         vserver fcp delete                            readonly
                         vserver fcp initiator show                    readonly
                         vserver fcp interface show                    readonly
                         vserver fcp modify                            readonly
                         vserver fcp show                              readonly
                         vserver iscsi create                          readonly
                         vserver iscsi delete                          readonly
                         vserver iscsi modify                          readonly
                         vserver iscsi show                            readonly
                         vserver nfs create                            readonly
                         vserver nfs delete                            readonly
                         vserver nfs modify                            readonly
                         vserver nfs show                              readonly
VSC 6.2.1 reports the status  "Insufficient previleges" with error message "One or more required RBAC capabilities not specified for this user".
The VSC logfile logs messages like "API failed. Insufficient privileges: user 'netapp_vsc' does not have write access to this resource (errno=13003) (called from  com.netapp.exoforce.server.zapi.ControllerUtilCMode.getDedupeSizeShared(...) on line 629)".
My thought was, that the resource "getDedupeSizeShared" should be in "volume efficiency show" but it seems to be not.
So my question is: Which capability contains the resource "getDedupeSizeShared" and has to be added/modified?

Re: RBAC with VSC 6.2.1 and ONTAP 9.0

You defined the Discovery role privileges for the directly connected SVMs, is that correct?
The Discovery role enables you to discover all Storage Virtual Machines (SVMs, formerly known as Vservers) that are directly connected to VSC.
The thing is that the mentioned getDedupeSizeShared(...) is used only if you are trying to discover a not direct connected vserver.
Can you please check?

Re: RBAC with VSC 6.2.1 and ONTAP 9.0

There are several SVMs configured at the cDOT cluster. But only one SVM (called vmware) is registered to the VSC. The discovery role was created inside the SVM "vmware". Also, the cluster is not registered to the VSC.




Re: RBAC with VSC 6.2.1 and ONTAP 9.0

[ Edited ]



the GetDedupeSizeShared is not a real zapi call hece the tool uses the system-cli command with the options


set diag

sis stat -vserver <vservername> -volume <volumename> -field shared-data


you can try to run the same command with the target user.


then as far as i can see you did not define all the required privileges for the discovery role.

Please dobule check. For example you have to add the system node run as all access and other.

here the list on page 28

Re: RBAC with VSC 6.2.1 and ONTAP 9.0

Checked user and role again and found, the both were created at the cluster, not in SVM context. Asked the customer to modify the role according to the documentation.