ONTAP Discussions

Needed: overview useradmin capabilities

marvin_b_
5,081 Views

Hi all

For a few non-admins am I setting up permissions so they can use the Netapp System Manager to view settings and status.

I am running a FAS3140 with ontap 8.02 and a FAS 2050 with ontap 7.3.

I have created a new role using the useradmin command and have setup capabilities.

However there are a few capabilities missing for the new role.

The ability to view the qtrees, snapshot copies and the cifs shares.

The role that has been created so far:

Note:  the individual capabilities are listed on separate lines to make them more readable.  Ofcourse the command should be on 1 single line.

Note2: These capabilities were found in other posts in these forums.

useradmin role add <name of role> -a

  api-aggr-check-spare-low,

  api-aggr-get*,

  api-aggr-list-info,

  api-aggr-options-list-info,

  api-cf-status,

  api-disk-list-info,

  api-disk-sanown-list-info,

  api-license-list-info,

  api-options-get,

  api-perf-object-get-instances,

  api-snapshot-reserve-list-info,

  api-snmp-status,

  api-system-get*,

  api-volume-get*,

  api-volume-list*,

  api-volume-options-list*,

  cli-priv,

  login-http-admin

Question:

Does anyone know which capabilities are missing?

Question 2:

Is there any documentation where all the roles are listed?

Any help would be appreciated!

Thanks.

1 ACCEPTED SOLUTION

bsti
5,081 Views

The only really good list of capabilties I've ever seen was in the NetApp Manageability SDK, but you need NOW access and you have to apply for access to the SDK to get it.  Another, easier place to look is in the NetAPp Powershell Toolkit, here:  https://communities.netapp.com/community/products_and_solutions/microsoft/powershell/data_ontap_powershell_toolkit_downloads

Download the file and look in the webhelp directory.

Another I've found useful is here:

http://media.netapp.com/documents/tr-3864.pdf

ON page 3.  That is a reasonable list of all of the available capabilities.  I've never found a 100% comprehensive list, so if anyone out there knows of one, please post!

Try these capabilities:

Viewing Qtrees:  api-qtree-list

List Snapshots:  api-snapshot-list-info

List Cifs shares:  api-cifs-share-list-*

View solution in original post

3 REPLIES 3

bsti
5,082 Views

The only really good list of capabilties I've ever seen was in the NetApp Manageability SDK, but you need NOW access and you have to apply for access to the SDK to get it.  Another, easier place to look is in the NetAPp Powershell Toolkit, here:  https://communities.netapp.com/community/products_and_solutions/microsoft/powershell/data_ontap_powershell_toolkit_downloads

Download the file and look in the webhelp directory.

Another I've found useful is here:

http://media.netapp.com/documents/tr-3864.pdf

ON page 3.  That is a reasonable list of all of the available capabilities.  I've never found a 100% comprehensive list, so if anyone out there knows of one, please post!

Try these capabilities:

Viewing Qtrees:  api-qtree-list

List Snapshots:  api-snapshot-list-info

List Cifs shares:  api-cifs-share-list-*

marvin_b_
5,081 Views

That was very helpfull.    Thanks a lot!  

As you suggested I added these:

api-cifs-session-list-*

api-cifs-share-list-*

api-qtree-list-*

api-snapshot-list-info

api-snapshot-reserve-list-info

Also the PDF-link was very helpfull.

The 2 capabilities I added extra were found when I looked in the file  <filer>/etc/log/ems.   (just found this after reading your post)

This logfile contains entries like:

   <LR d="03Jan2012 10:19:16" n="filername" pn="partner filer" t="1325582356" id="1314606018/25600" p="4" s="C=1U" o="api_mpool_09" vf="">

   <useradmin_unauthorized_user_1

    username="name of user"

    capability="api-qtree-list-iter-start"/>

   </LR>

Just add the needed capability and you're done.

steve_francis
5,081 Views

Was running into similar issue, and found this in man on useradmin:

The api-* type includes all of the Ontap API calls. These commands are only available via login-httpadmin, so in general, any api-* command must also include this login. The format for this is api-<ontap-api-command> which means allow a specific command/subcommand. Here, it is possible to list only subcommands, like api-system-get-info or a command and it’s subcommands, like api-systemget-* , or even api-system-*

Public