Permissions required for PowerShell Cmdlets

Does anyone know if there is a document that specifies which permissions are
required to run each of the PowerShell cmdlets?  For example, a simple script to
modify volume quotas and run reports requires the user to have access to the
following commands:

  • >version  (Runs after the Connect-NcController cmdlet)
  • >volume quota *    (Required to query or modify quotas)
  • >jobs show    (Required when running Start-NcQuotaResize)

Once I figured this out, things went as planned but it took a bit of
troubleshooting to figure out the correct permissions.  If this was documented
somewhere it would make the scripting much easier.

Re: Permissions required for PowerShell Cmdlets

Hello Pitt,

The user account that you use to connect to the controller should have the appropriate permissions on the filer so that it can invoke cmdlets on the controller.

Thanks,

Vinith

Re: Permissions required for PowerShell Cmdlets

I don't think they are centrally documented anywhere, but one thing that will help you is to examine the help for the cmdlets in question.  Under the Notes section (usually), it will detail the APIs that get used by the cmdlet.  I think most if not all cmdlets map to an API on the back-end.  Use the list of APIs used to determine which api-* permissions you need to assign to your roles.

For example, Get-NaVol uses these APIs according to the help:

API: volume-list-info-iter-start, volume-list-info-iter-next, volume-list-info-iter-end, volume-list-info

So create a new role with the following capability:  api-volume-*

New-NaRole -Role test -Capabilities api-volume-*

Re: Permissions required for PowerShell Cmdlets

You can use Get-NaHelp or Get-NcHelp to see which APIs are used:

PS C:\> Get-NaHelp -Category aggr | select name, api | ft -AutoSize

Name                   Api
----                   ---
Add-NaAggr             {aggr-add}
Confirm-NaAggrSpareLow {aggr-check-spare-low}
Get-NaAggr             {aggr-list-info}
Get-NaAggrFilerInfo    {aggr-get-filer-info}
Get-NaAggrMediaScrub   {aggr-mediascrub-list-info}
Get-NaAggrOption       {aggr-options-list-info}
Get-NaAggrScrub        {aggr-scrub-list-info}
Get-NaAggrSpace        {aggr-space-list-info}
Get-NaAggrVerify       {aggr-verify-list-info}
New-NaAggr             {aggr-create}
New-NaAggrMirror       {aggr-mirror}
Remove-NaAggr          {aggr-destroy}
Rename-NaAggr          {aggr-rename}
Resume-NaAggrScrub     {aggr-scrub-resume}
Resume-NaAggrVerify    {aggr-verify-resume}
Set-NaAggr             {aggr-online, aggr-offline, aggr-restrict}
Set-NaAggrOption       {aggr-set-option}
Set-NaAggrRaidType     {aggr-modify-raid-type}
Split-NaAggrMirror     {aggr-split}
Start-NaAggrScrub      {aggr-scrub-start}
Start-NaAggrVerify     {aggr-verify-start}
Stop-NaAggrScrub       {aggr-scrub-stop}
Stop-NaAggrVerify      {aggr-verify-stop}
Suspend-NaAggrScrub    {aggr-scrub-suspend}
Suspend-NaAggrVerify   {aggr-verify-suspend}

Re: Permissions required for PowerShell Cmdlets

Thanks for all the posts.  The Get-NaHelp cmdlet that you mentioned will be extremely helpful.  I'm trying to control access with custom roles so this will allow me to restrict access to only the API commands necessary.

Thanks,

Bill
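
Added example (not part of the original thread and not toolkit code): turning the Name/Api mapping that Get-NaHelp returns into an exact api-* capability list for a custom role, and listing what a wildcard such as api-aggr-* would grant beyond it. The function names Get-RequiredApiCapability and Get-WildcardExcess are hypothetical, and the sample records are constructed from rows of the listing above so the block runs without a controller.

```powershell
# Added example. Input records mirror the Name/Api columns of Get-NaHelp output.
function Get-RequiredApiCapability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $HelpRecord,
        [Parameter(Mandatory)] [string[]] $Cmdlet   # cmdlets the script calls
    )
    begin { $apiByCmdlet = @{} }
    process { foreach ($r in $HelpRecord) { $apiByCmdlet[$r.Name] = @($r.Api) } }
    end {
        # Fail closed: an unmapped cmdlet means the role would be incomplete.
        $missing = @($Cmdlet | Where-Object { -not $apiByCmdlet.ContainsKey($_) })
        if ($missing.Count) { throw "No API mapping for: $($missing -join ', ')" }
        $Cmdlet | ForEach-Object { $apiByCmdlet[$_] } |
            ForEach-Object { "api-$_" } | Sort-Object -Unique
    }
}

# APIs a wildcard capability (e.g. api-aggr-*) would grant beyond the exact list.
function Get-WildcardExcess {
    param([object[]] $HelpRecord, [string] $Wildcard, [string[]] $Needed)
    $HelpRecord | ForEach-Object { $_.Api } | ForEach-Object { "api-$_" } |
        Where-Object { $_ -like $Wildcard -and $_ -notin $Needed } |
        Sort-Object -Unique
}

# Constructed sample: four rows copied from the aggr listing in the thread.
# With the toolkit loaded, replace with: $help = Get-NaHelp -Category aggr
$help = @(
    [pscustomobject]@{ Name = 'Get-NaAggr';      Api = @('aggr-list-info') }
    [pscustomobject]@{ Name = 'Get-NaAggrSpace'; Api = @('aggr-space-list-info') }
    [pscustomobject]@{ Name = 'Set-NaAggr'
                       Api  = @('aggr-online', 'aggr-offline', 'aggr-restrict') }
    [pscustomobject]@{ Name = 'Remove-NaAggr';   Api = @('aggr-destroy') }
)

# Exact capabilities for a read-only reporting script.
$needed = $help | Get-RequiredApiCapability -Cmdlet 'Get-NaAggr', 'Get-NaAggrSpace'
$needed

# What api-aggr-* would add on top of that, including aggr-destroy.
Get-WildcardExcess -HelpRecord $help -Wildcard 'api-aggr-*' -Needed $needed
```

The resulting list is what would be passed to New-NaRole -Capabilities in place of a wildcard; that the parameter accepts several values at once is an assumption here, since the thread only shows a single capability.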