2010-08-02 01:53 PM
We've been getting a lot of questions regarding AppWatch security. Here's a list from 2.0 that will help lock down users with specific roles/tasks within AppWatch. The following list of roles needs to be created on a specific user or group on the storage array. You can add or remove functionality as you like.
These tasks have GUI interfaces that allow alternate credentials to be entered.
2011-01-10 08:14 AM
Here is the bit from the AW2.1.1 BPG which will be released soon. This is the bare minimum for AppWatch to have basic monitoring functionality. Any advanced features such as PRO, Cloning, etc., will not be covered with these roles.
In some IT environments, a detailed assignment of the minimal permissions is required. Table 3 describes the capabilities that are needed to connect to the storage system from ApplianceWatch PRO and gather monitoring data by using a local account on the storage system. This set of capabilities is purely for monitoring ApplianceWatch PRO basic functions and does not include any of the advanced features. This local Data ONTAP account will need to be assigned a customized role and contain the following capabilities.
Note: These are the minimum requirements for basic monitoring only and do not contain any active management, , or SCVMM PRO functionality.
Table 3) Minimum for NetApp for with ApplianceWatch PRO
NetApp Storage Capabilities
Example: Sample command to add/modify a custom role.
useradmin role modify scom-user-roles -a login-http-admin,api-system-get-version,api-system-get-info,api-system-get-vendor-info,api-cf-status,api-system-get-ontapi-version,api-vfiler-list-info,api-ems-autosupport-log,api-aggr-list-info,api-volume-list-info,api-lun-list-info,api-disk-list-info,api-storage-shelf-list-info,api-license-list-info,api-lun-map-list-info,api-volume-autosize-get,api-aggr-options-list-info,api-qtree-list,api-storage-shelf-environment-list-info,api-lun-get-space-reservation-info,api-volume-options-list-info,api-perf-object-get-instances,api-snmp-get,api-snapmirror-get-status