
NetApp C-Mode access: how to give access of only particular volumes to a user for snapshots

I want to give a user access to create/delete snapshots for a group of volumes.

Can I create something like a resource group where I can add all the volumes and give access to those to a particular user for the snapshot command dir?

OR is there a way to give access by volume names?

I see someone mentioned that I can use -query "-volume <vol_name>" but what if there are multiple volumes?

Re: NetApp C-Mode access: how to give access of only particular volumes to a user for snapshots

Hello,

You'll have to run a lot of this from the CLI, as when I've created role rules from OCSM it's not formatting the commands quite right (especially when you put wildcards in the query argument). Anyway, here is the list of commands that we used to allow sysadmins access to all of the things they needed to do inside the SVMs they're responsible for:

security login role create -role sys_admin_role -cmddirname DEFAULT -access readonly

(Grants them read-only at the top level so they can use System Manager - otherwise they'll have to SSH directly into the SVM)

security login role create -role sys_admin_role -cmddirname "volume qtree" -query "-vserver oracle*" -access all

(Grants them the ability to manage qtrees in any SVM named "oracle*")

security login role create -role sys_admin_role -cmddirname "vserver export-policy" -query "-vserver oracle*" -access all

(Grants them the ability to manage export policy in any SVM named "oracle*")

security login role create -role sys_admin_role -cmddirname "volume snapshot" -query "-vserver oracle*" -access all

(Grants them the ability to manage snapshots in any SVM named "oracle*")

Then you can create cluster-level accounts and grant that role to those users.  Anyway, you'll need to organize things by SVM or name all your volumes with the same prefix, then you can scope the role rules to a list of objects/containers that match the pattern you specify.  If all the volumes in question are within a single SVM, then you can scope the role (or even the user account) to just that SVM.

ONTAP9 reference for security login role stuff:  http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-920%2FTOC__security__login.html

Hope that helps,

Chris
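The answer above scopes the role with a wildcard query such as `-vserver oracle*`, which only works cleanly if the volumes or SVMs share a prefix; the original question was what to do when the target is a list of specific volumes. The script below is an added example (not code from the thread or from NetApp): it generates one explicit `security login role create` rule per volume, and it checks a proposed wildcard against a volume inventory so you can see what the wildcard would actually grant before applying it. The inventory is constructed, and it assumes (as an assumption, not something the thread states) that a query string may name both `-vserver` and `-volume` fields.

```python
"""Build scoped ONTAP role rules and check wildcard query coverage.

Added example for the thread above. The inventory below is constructed;
the command syntax follows the commands quoted in the answer. Assumption:
an ONTAP query string can combine "-vserver X -volume Y" in one rule.
"""

import fnmatch

# Constructed inventory of (vserver, volume) pairs, as 'volume show' might
# list them. Note the "oracle_docs" volume in a non-Oracle SVM: a naming
# collision that a volume-level wildcard would silently pick up.
INVENTORY = [
    ("oracle_prod", "oracle_data01"),
    ("oracle_prod", "oracle_log01"),
    ("oracle_dev", "oracle_scratch"),
    ("fileshare", "oracle_docs"),
    ("fileshare", "home_dirs"),
]


def role_rule(role, cmddir, query, access="all"):
    """Render one 'security login role create' command line."""
    return (f'security login role create -role {role} '
            f'-cmddirname "{cmddir}" -query "{query}" -access {access}')


def rules_for_volumes(role, volumes, cmddir="volume snapshot"):
    """One explicit rule per (vserver, volume): no wildcard, so the role
    can never grow to cover volumes created later with a similar name."""
    return [role_rule(role, cmddir, f"-vserver {vs} -volume {vol}")
            for vs, vol in volumes]


def matched_by(pattern, inventory, field="vserver"):
    """Inventory entries a wildcard query on `field` would match.
    ONTAP's '*' behaves like a shell glob here, so fnmatch is a fair model."""
    idx = 0 if field == "vserver" else 1
    return [e for e in inventory if fnmatch.fnmatchcase(e[idx], pattern)]


def overmatch(pattern, intended, inventory, field="vserver"):
    """Entries the wildcard would grant that are NOT in the intended set.
    A non-empty result means the pattern is broader than least privilege."""
    return [e for e in matched_by(pattern, inventory, field)
            if e not in intended]


if __name__ == "__main__":
    # The two volumes the user should actually be able to snapshot.
    intended = INVENTORY[:2]

    print("# Explicit per-volume rules:")
    for line in rules_for_volumes("snap_role", intended):
        print(line)

    # Review a wildcard the way the answer suggests, before applying it.
    for field in ("vserver", "volume"):
        extra = overmatch("oracle*", intended, INVENTORY, field)
        print(f"# -{field} oracle* over-grants: {extra}")
```

Run it as-is to see the generated rules and the over-grant report; in practice, replace `INVENTORY` with the output of `volume show` and paste only the rules you have reviewed into the clustershell.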