Subscribe

ApplianceWatch PRO - OnTap Roles

We've been getting a lot of questions regarding AppWatch security. Here's a list from 2.0 that will help lock down users with specific roles/tasks within AppWatch.   The following list of roles needs to be created on a specific user or group on the storage array.  You can add or remove functionality as you like.

AppWatch MP, discovery & monitoring

  • aggr-list-info
  • aggr-options-list-info
  • cf-status
  • disk-list-info
  • ems-autosupport-log
  • lun-get-attribute
  • lun-get-serial-number
  • lun-get-space-reservation-info
  • lun-list-info
  • perf-object-get-instances
  • qtree-list
  • quota-report-iter-start/next/end
  • snapmirror-get-status
  • snmp-get
  • storage-shelf-environment-list-info
  • storage-shelf-list-info
  • system-get-info
  • system-get-ontapi-version
  • system-get-version
  • system-get-vendor-info
  • vfiler-list-info
  • volume-list-info

AppWatch MP, console tasks

These tasks have GUI interfaces that allow alternate credentials to be entered.

  • license-list-info
  • lun-list-info
  • sis-disable
  • sis-enable
  • sis-start
  • sis-stop
  • system-get-version
  • volume-autosize-get
  • volume-autosize-set
  • volume-list-info
  • volume-size

AppWatch PRO MP, discovery & monitoring

  • license-list-info
  • lun-list-info
  • system-get-version
  • volume-list-info

AppWatch PRO MP, PRO Tip auto-remediation

  • license-list-info
  • lun-list-info
  • lun-online
  • sis-enable
  • sis-start
  • system-get-version
  • volume-list-info
  • volume-online
  • volume-size

Re: ApplianceWatch PRO - OnTap Roles

*Will need different roles for 2.1 but most should remain the same.  We will be adding more roles as new functionality has been released in 2.1*

Re: ApplianceWatch PRO - OnTap Roles

Hi Watan,

We are installing/using AppWatch 2.1.1. Have you got an updated (full) list of roles for AppWatch 2.1.1?

Thanks in Advance.

WH

Re: ApplianceWatch PRO - OnTap Roles

Hi WH,

Here is the bit from the AW2.1.1 BPG which will be released soon.  This is the bare minimum for AppWatch to have basic monitoring  functionality.  Any advanced features such as PRO, Cloning, etc will not be covered with these roles.

1.1       BEST PRACTICES for NETAPP STORAGE MINIMAL ACCESS CONTROL

In some IT environments, a detailed assignment of the minimal permissions is required. Table 3 describes the capabilities that are needed to connect to the storage system from ApplianceWatch PRO and gather monitoring data by using a local account on the storage system. This set of capabilities is purely for monitoring ApplianceWatch PRO basic functions and does not include any of the advanced features. This local Data ONTAP account will need to be assigned a customized role and contain the following capabilities.

Note: These are the minimum requirements for basic monitoring only and do not contain any active management, cmdlets, or SCVMM PRO functionality.

Table 3) Minimum capabilities for NetApp storage users for monitoring with ApplianceWatch PRO.

NetApp Storage   Capabilities

login-http-admin

api-system-get-version

api-system-get-info

api-system-get-vendor-info

api-cf-status

api-system-get-ontapi-version

api-vfiler-list-info

api-ems-autosupport-log

api-aggr-list-info

api-volume-list-info

api-lun-list-info

api-disk-list-info

api-storage-shelf-list-info

api-license-list-info

api-lun-map-list-info

api-volume-autosize-get

api-aggr-options-list-info

api-qtree-list, api-storage-shelf-environment-list-info

api-lun-get-space-reservation-info

api-volume-options-list-info

api-perf-object-get-instances

api-snmp-get

api-snapmirror-get-status

Example: Sample command to add/modify a custom role.

useradmin role modify scom-user-roles -a login-http-admin,api-system-get-version,api-system-get-info,api-system-get-vendor-info,api-cf-status,api-system-get-ontapi-version,api-vfiler-list-info,api-ems-autosupport-log,api-aggr-list-info,api-volume-list-info,api-lun-list-info,api-disk-list-info,api-storage-shelf-list-info,api-license-list-info,api-lun-map-list-info,api-volume-autosize-get,api-aggr-options-list-info,api-qtree-list,api-storage-shelf-environment-list-info,api-lun-get-space-reservation-info,api-volume-options-list-info,api-perf-object-get-instances,api-snmp-get,api-snapmirror-get-status

Re: ApplianceWatch PRO - OnTap Roles

Much appreciated - thanks Watan.

WH

ApplianceWatch PRO - OnTap Roles

Hi Watan

Do you know when (or if it as already be released where) this AW best practice guide will be available ?

Thanks in advanced

Regis

ApplianceWatch PRO - OnTap Roles

ApplianceWatch PRO - OnTap Roles

Thanks a lot. I did not find anything using the internal search engine. I should have used google instead.

ApplianceWatch PRO - OnTap Roles

Sure np.  Please let us know if you find any gaps or any areas we can improve in the docs.