
System Manager GUI Manage Individual vserver on CDOT

Hi,

I have a CDOT cluster on 8.3.  My manager wants individual business units to manage their own vserver via System Manager.

 

It is my understanding that it is not currently possible for System Manager to manage an individual vserver on a cDOT array.

Is this true?

 

If it is true, are there any plans to provide this capability in the future?

 

Thanks,

Re: System Manager GUI Manage Individual vserver on CDOT

Hi,

my name is Chriz Ott, I'm working with NetApp as a Principal Architect.

 

Thank you very much for your question. Your use case is one of the use cases cDOT was designed for: Secure Multi-Tenancy.

 

Unfortunately you are correct, currently it is not possible to manage individual SVMs using the System Manager.

There are definitely plans to bring this functionality into System Manager; however, in the past they have been deferred for the benefit of other features.

 

A workaround could be using WFA (Workflow Automation) to provide certain "operational tasks" that application owners would usually require and have WFA take care of RBAC (including integration into an existing LDAP).

Another way would be to use our SnapManager products for individual applications such as SQL, Exchange, SharePoint etc. to connect to the SVM and manage their storage.

 

I hope this answer is useful for you; please don't hesitate to come back to me in case you have more questions.

 

Cheers chriz

 

P.S. if you feel this answer is useful, please KUDO or "correct answer" so other people may find it faster.


Re: System Manager GUI Manage Individual vserver on CDOT

I would like to ask you about this topic.
I would like to allow individual business units to manage their own vserver via System Manager, too.

The OnCommand System Manager 8.3 is included with Data ONTAP as a web service.


It seems that cDot8.3 has "vserver services web access" command.
https://library.netapp.com/ecmdocs/ECMP12452955/html/vserver/services/web/modify.html

 

Can we manage an individual vserver on a cDOT array to a certain degree?

 

Best regards,

Re: System Manager GUI Manage Individual vserver on CDOT

Mikky,

 

It looks like you can only enable ontapi access on the vserver level using this, and not the "portal" and "compat" services.

 

Fred

Re: System Manager GUI Manage Individual vserver on CDOT

Hi. Any news regarding possibility to manage SVM by vsadmin via System Manager?

Re: System Manager GUI Manage Individual vserver on CDOT

Hi,

 

I am running 9.1 now, and still no possibility to give individual SVM GUI access.

It would be a nice feature.

"/sysmgr/SysMgr.html " svm

Not Found

The requested URL /sysmgr/SysMgr.html was not found on this server.

Re: System Manager GUI Manage Individual vserver on CDOT

Hello,

 

Although OCSM access can't be enabled at an SVM-by-SVM level, you can create your SVM administrators a top-level cluster account and then grant their role individualized permissions to their SVM (thus granting them access via OCSM).  We have done this with the system administrators for our Oracle E-Business Suite systems and they're able to do almost everything they need to do.  The process looks something like this:

 

security login role create -role <ROLE NAME> -cmddirname DEFAULT -access readonly

security login role create -role <ROLE NAME> -cmddirname "volume qtree" -query "-vserver <SVM NAME>" -access all

security login role create -role <ROLE NAME> -cmddirname "vserver export-policy" -query "-vserver <SVM NAME>" -access all

vserver services web access create -vserver <CLUSTER SVM> -name sysmgr -role <ROLE NAME>

security login create -user-or-group-name <USERNAME> -application http -authentication-method password -role <ROLE NAME>

security login create -user-or-group-name <USERNAME> -application ontapi -authentication-method password -role <ROLE NAME>

security login create -user-or-group-name <USERNAME> -application ssh -authentication-method password -role <ROLE NAME>

  

This is actually preferable to an SVM-by-SVM user account for us in that these sysadmins have multiple SVMs and would need accounts on each one.  We overcome this by applying a wildcard to the query object of the role - since our SVMs follow a standard naming convention we just grant them access to any SVM named "oracle-*".  Also, we wanted to limit some of what they could do inside the SVM and being an SVMadmin would have been too permissive for our use case.

 

Hope that helps,

 

Chris
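
An added example, not part of the post above and not NetApp tooling: a small audit of a role built this way, listing which SVMs each full-access entry reaches once a wildcard such as "oracle-*" is used, and flagging entries that carry no -vserver query. The role name, the SVM names and the unscoped "volume snapshot" entry are constructed for illustration, and only the `*` wildcard is modelled.

```python
import re

# Constructed role entries mirroring the commands in the post:
# (role, cmddirname, query, access). This is not real CLI output.
ROLE_ENTRIES = [
    ("oracle_admin", "DEFAULT", "", "readonly"),
    ("oracle_admin", "volume qtree", "-vserver oracle-*", "all"),
    ("oracle_admin", "vserver export-policy", "-vserver oracle-*", "all"),
    ("oracle_admin", "volume snapshot", "", "all"),  # deliberately unscoped
]
# Constructed SVM names; one is outside the naming convention.
SVMS = ["oracle-prod", "oracle-dev", "sql-prod", "oracle-finance-test"]


def vserver_pattern(query):
    """Return the value given to -vserver in a role query, or None if absent."""
    m = re.search(r"-vserver\s+(\S+)", query)
    return m.group(1) if m else None


def matches(pattern, name):
    """Match an SVM name against a pattern (assumption: only '*' is a wildcard)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def audit(entries, svms):
    """For each entry with access 'all', report the SVMs it can modify.

    Read-only entries (such as DEFAULT in the post) are skipped here.
    """
    findings = []
    for role, cmddir, query, access in entries:
        if access != "all":
            continue
        pattern = vserver_pattern(query)
        if pattern is None:
            # No -vserver restriction: the entry applies to every SVM.
            findings.append((role, cmddir, "UNSCOPED", sorted(svms)))
        else:
            reach = sorted(s for s in svms if matches(pattern, s))
            findings.append((role, cmddir, pattern, reach))
    return findings


if __name__ == "__main__":
    for role, cmddir, scope, reach in audit(ROLE_ENTRIES, SVMS):
        print(f"{role:14} {cmddir:24} {scope:10} -> {', '.join(reach)}")
```

With a wildcard query, any SVM later created under a matching name falls inside the role's scope, so the naming convention itself becomes part of the access boundary.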