
Role Permission for Halting Only does not work - CDOT

Hi,

 

I'm trying to create a user with the following role permission:

 

netappcdot823::> security login role show -vserver netappcdot823 -role operators

 

VServer       Role Name Command/Directory Query Access Level
------------------------------------------------------------
netappcdot823 operators DEFAULT                 none
netappcdot823 operators system node halt        all

 

The objective is to create a user with the halt capability only, and no more permissions if possible.

 

When I log in with that user and issue a "system node halt" command, it seems there is a lack of other permissions.

 

netappcdot823::> system node halt

Warning: Are you sure you want to halt node "netappcdot823-01"? {y|n}: y

Error: not authorized for that command

 

Note: I'm doing this on ONTAP Simulator 8.2.3 CDOT.

 

Changing the "DEFAULT" access level to "all" works, but this is not desired because all other commands are also allowed (acts like an admin user).

 

Any idea?

 

Thanks!

 

 

Re: Role Permission for Halting Only does not work - CDOT

Halting a node is supposed to be an administrative task, and often disruptive to the cluster too. It involves migrating LIFs, initiating takeover, ARLs, making changes to cluster quorum, RDB changes and perhaps affecting the resiliency of the cluster too. Why do you want to give the permission to a non-administrator to shut down a node? I think that is way beyond any logic. :-(
