Active IQ Unified Manager Discussions

Using the OM as a RBAC proxy? / creation of snapshots through OM?

blassen
4,965 Views

Has anybody ever used the OM as a RBAC proxy?

The aim of the game is to allow certain users only access to "their" storage objects.

It seems as if volume & lun creation and modification can be triggered through the OM but some how I don't find a way to

create snapshots for those created volumes.

Any ideas where I might look?

6 REPLIES 6

prasads
4,965 Views

Hi Blassen

Greetings. Please find below, my response to your queries.

"RBAC:"

You can create user-defined roles in OM, & you can give access only to those objects(such as Storage Systems, Volumes, Qtrees...)

Later you can assign these roles to OM users, so that they get access only to a restricted set of objects.

Refer to section 'Controlling Administrative User Access' in the OM Admin guide for more details

"creation of snapshots:"

You cannot use OM to create snapshots or even Volumes. Check with "Provisioning Manager" product for more details.

You can create LUN only on Windows, by using Host Agent & SnapDrive for Windows procuct.

Let me know if you need more details on the same.

Regards,

Prasad

prasads
4,965 Views

As Ravindra Kumar reminded me of "dfm run cmd".

You can do most of the filer operations from OM, if you are familiar with ONTAP CLI.

Steps to run a command from OM, on one or more Storage System(s)

for single Storage System:

1. Go to 'Appliance Details' for a Storage system

2. On the left hand side, look for 'Appliance Tools', and click on 'Run a Command'

3. It takes you to 'Run Command' page, where you can enter ONTAP command 'Appliance Command'

4. This will create a 'run job' & the result will be available under a link in the same 'Run Command' page

Note: If you have created any object say volume or qtree, using 'Run Command',

you need to either refresh the monitoring samples manually or wait for it to run automatically according to the monitoring interval set value

Regards,

Prasad S

fenton
4,965 Views

SnapDrive for Unix also supports the use of RBAC permissions where the capabilities of that user can be defined within Operations Manager (essentially SDU uses Operations Manager as it's RBAC authority)

This is described in much more detail here:

http://now.netapp.com/NOW/knowledge/docs/snapdrive/relunix41/html/software/install_hpux/accessing/concept/c_sd_accs_rbac-in-sdu.html

blassen
4,965 Views

Thank you very much ... that is a good hint

Grüsse / Greetings

Bengt Lassen

Professional Service Consultant

NetApp

Gladbecker Str. 5

D-40472 Düsseldorf

+49 (0) 211 43718 568 Tel

+49 (0) 211 43718 22 Fax

+49 (0) 151 12055 898 Mobil

www.netapp.de

Diese e-Mail kann vertrauliche und/oder rechtlich geschützte

Informationen enthalten. Wenn Sie nicht der richtige Adressat sind

oder diese e-Mail irrtümlich erhalten haben, informieren Sie bitte

sofort den Absender und vernichten Sie diese e-Mail. Das unerlaubte

Kopieren sowie die unbefugte Weitergabe dieser e-Mail und ihrer

Inhalte ist nicht gestattet.

This e-mail may contain confidential and/or privileged information. If

you are not the intended addressee or have received this e-mail in

error, please notify the sender immediately and destroy this e-mail.

Any unauthorized copying, disclosure or distribution of the material

in this e-mail is strictly forbidden.

Network Appliance GmbH, Bretonischer Ring 6, 85630 Grasbrunn,

Handelsregister: AG München HRB113907, Geschäftsführer: Manfred Reitner

Am 10.01.2009 um 03:08 schrieb rich fenton:

blassen,

>

A new message was posted in the thread "Using the OM as a RBAC

proxy? / creation of snapshots through OM?":

>

http://communities.netapp.com/message/5930#5930

>

Author : rich fenton

Profile : http://communities.netapp.com/people/fenton

>

Message:

smoot
4,965 Views

You can also define command aliases using "dfm run alias import". Command aliases allow you to define permissions needed to execute the command. I haven't used that command in years, so I don't remember the exact details of what you can allow or deny.

kostadis
4,965 Views

Another of our customers was able to use OM as an RBAC proxy by using the DFM server API's.

For a description of how this was done check out my blog.

The key idea is that you use resource groups to configure the objects, assign permissions to those objects and then have wrapper scripts to perform the operations you want to do.

cheers,

kostadis

Public