Accepted Solution

Permissions needed for a SQL DBA

I'm still learning a great deal about NetApp and the way to optimally configure it for SQL Server. Our domain admins have currently given us the ability to view everything through Operations Manager, but when using powershell I'm given credential issues and they have confirmed that I don't have permission.

I wanted to use the PowerShell Toolkit to read things and pipe them into other things, and eventually we are going to be rolling Snapmanager for SQL and using powershell with it will be really nice.

What are the options from a domain admin standpoint with the whole "least privilege" idea to give me access to be able to interact with the NetApp using Powershell? Can you grant access at a lower level than root?

I'd like to gather the facts so we can discuss this idea and the pros and cons of everything, so any advice and tips would be very handy.


Re: Permissions needed for a SQL DBA

Hi, Jason.  The PowerShell Toolkit relies on Data ONTAP's role-based access control (RBAC) feature.  The credentials you provide to the Toolkit, either explicitly for HTTP/HTTPS or implicitly as your current Windows identity for RPC, are what are used to invoke Data ONTAP APIs and therefore must correspond to a user that is known to the storage controller.  The storage admin can grant any set of API permissions to a specific user or group.  So no, there is no requirement that a Toolkit user have root access.