
NetApp C-Mode access: how to give access of only particular volumes to a user for snapshots

I want to give a user access to create/delete snapshots for a group of volumes.

Can I create something like a resource group where I can add all the volumes and give access to those to a particular user for the snapshot command dir?

OR is there a way to give access by volume names?

I see someone mentioned that I can use -query "-volume <vol_name>" but what if there are multiple volumes?

Re: NetApp C-Mode access: how to give access of only particular volumes to a user for snapshots

Hello,

You'll have to run a lot of this from the CLI, as when I've created role rules from OCSM it's not formatting the commands quite right (especially when you put wildcards in the query argument). Anyway, here is the list of commands that we used to allow sysadmins access to all of the things they needed to do inside the SVMs they're responsible for:

security login role create -role sys_admin_role -cmddirname DEFAULT -access readonly

(Grants them read-only at the top level so they can use System Manager - otherwise they'll have to SSH directly into the SVM)

security login role create -role sys_admin_role -cmddirname "volume qtree" -query "-vserver oracle*" -access all

(Grants them the ability to manage qtrees in any SVM named "oracle*")

security login role create -role sys_admin_role -cmddirname "vserver export-policy" -query "-vserver oracle*" -access all

(Grants them the ability to manage export policy in any SVM named "oracle*")

security login role create -role sys_admin_role -cmddirname "volume snapshot" -query "-vserver oracle*" -access all

(Grants them the ability to manage snapshots in any SVM named "oracle*")

Then you can create cluster-level accounts and grant that role to those users. Anyway, you'll need to organize things by SVM or name all your volumes with the same prefix, then you can scope the role rules to a list of objects/containers that match the pattern you specify. If all the volumes in question are within a single SVM, then you can scope the role (or even the user account) to just that SVM.

ONTAP 9 reference for security login role stuff: http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-920%2FTOC__security__login.html

Hope that helps,

Chris
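An added example, not code from the thread or from NetApp: a small Python helper that renders role rules in the shape of the commands above and, before you apply them, checks against a volume inventory which objects a wildcard query would actually cover, so a volume-name pattern that spills into other SVMs shows up as an over-grant. The inventory and all names are constructed; the `*` wildcard and `|` OR semantics of ONTAP query values, and the `security login create` flag names, are assumptions about ONTAP 9 syntax.

```python
import re

# Constructed sample inventory of (vserver, volume) pairs, standing in for the
# output of "volume show -fields vserver,volume"; not taken from the thread.
INVENTORY = [
    ("oracle_prod", "ora_data01"),
    ("oracle_prod", "ora_data02"),
    ("oracle_dev", "ora_dev01"),
    ("finance", "fin_reports"),
    ("svm_ops", "ora_misc"),
]

def query_to_regex(pattern):
    """Compile one ONTAP query value. Assumed semantics: '*' matches any run of
    characters and '|' separates alternatives; everything else is literal."""
    alts = [".*".join(re.escape(p) for p in alt.split("*")) for alt in pattern.split("|")]
    return re.compile("^(?:" + "|".join(alts) + ")$")

def matched_objects(query, inventory):
    """(vserver, volume) pairs a rule with this -query would cover. query maps
    field -> pattern, e.g. {"vserver": "oracle*"}; all fields must match."""
    regexes = {field: query_to_regex(pat) for field, pat in query.items()}
    hits = []
    for vserver, volume in inventory:
        fields = {"vserver": vserver, "volume": volume}
        if all(rx.match(fields[f]) for f, rx in regexes.items()):
            hits.append((vserver, volume))
    return hits

def unintended(query, inventory, intended):
    """Objects the query covers that are NOT on the intended list: the
    over-grant to review before handing the role to anyone."""
    wanted = set(intended)
    return [obj for obj in matched_objects(query, inventory) if obj not in wanted]

def role_rule(role, cmddir, query, access="all"):
    """Render the 'security login role create' line for a query, in the same
    shape as the commands in the reply above."""
    q = " ".join(f"-{field} {pat}" for field, pat in query.items())
    return (f'security login role create -role {role} -cmddirname "{cmddir}" '
            f'-query "{q}" -access {access}')

def login_cmds(user, role, apps=("ssh", "http")):
    """Cluster-level account creation per login method ('http' is what OCSM
    needs). Flag names are an assumption about ONTAP 9 syntax."""
    return [f"security login create -user-or-group-name {user} -application {app} "
            f"-authentication-method password -role {role}" for app in apps]
```

Run `unintended()` against your real `volume show` output before creating the role; note that a pattern which covers only the intended volumes today will also match any volume created later with the same prefix.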

Re: NetApp C-Mode access: how to give access of only particular volumes to a user for snapshots

Security roles have been created successfully, but I am unable to log in to OCSM when those roles are granted to any of the users created manually.

Kindly suggest a solution if possible.

Re: NetApp C-Mode access: how to give access of only particular volumes to a user for snapshots

Hmmm - that first command in the list is the only thing you need to grant access via OCSM:

security login role create -role sys_admin_role -cmddirname DEFAULT -access readonly

Did you grant them all the appropriate "user login methods"? They'll need 'http' for OCSM to work. You can verify the allowed methods via the OCSM GUI (it's just the role creation you need to do via CLI).

Hope that helps,

Chris