2012-10-31 08:15 AM
This is what we did, and it works.
We found this document - https://communities.netapp.com/thread/20542
We created a Windows AD test group called "ADReadOnlyGroup" and added storage admins.
We SSH'd to a controller and issued the following commands.
useradmin role add ReadOnly -a "above api commands"
useradmin group add ReadOnlyGroup -Group -r ReadOnly
useradmin domainuser add ADReadOnlyGroup -g ReadOnlyGroup
We used OnCommand System Manager and tried logging in to a controller as a domain user of the AD group. We were able to log in and unable to create a volume, share, etc. This is what we want. Works perfectly.
But we have so many controllers.
Question is: is there a way in DFM to achieve the same thing? Basically, create one unique read-only role, group, etc. in DFM and push it to all the controllers so few people have read-only access using OnCommand System Manager.
2012-10-31 08:52 AM
Actually - Yes - and you are already halfway through ;-)
Now that you already have the role, group and user created, OnCommand Core (aka DFM, aka Operations Manager) will pick it up after its next scan of this storage controller.
Afterwards you are able to push the role, group and user to all remaining controllers.
First you push the role, afterwards the group and lastly the user. Unfortunately it cannot be done in a single shot.
Following are the steps with the "old" Operations Manager GUI:
1. Navigate to "Host Users".
2. Select tab "roles".
3. In the "List of existing roles" find the controller and the role that's already been configured.
4. Click on "push".
5. In the following dialogue click "select" to select the controllers to push the role to.
6. Select the appropriate controllers in the pop-up window and click "OK".
7. Now click "push" in the previous dialogue and DFM will create and execute a job to push the role to all selected controllers.
Perform the same steps with the group and user you created. Just click on the "User Groups" or "Domain Users" tab in step 2. The rest is the same.
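
A check that could follow the push described in this thread, as an added example that is not part of either post or of NetApp's tooling: it parses `useradmin role list` output from a controller and reports any capability outside a read-only allow-list. The "Allowed Capabilities:" line format, the allow-list patterns and the controller names are assumptions, and the sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed output format of
# `useradmin role list <role>`: a line "Allowed Capabilities: a,b,c".

# Capabilities accepted as read-only (an assumption; align it with the
# capability list in the document linked in the question).
ALLOWED='^(login-http-admin|api-.*-list-info.*|api-.*-get-.*)$'

# Print every capability in the role listing on stdin that is NOT read-only,
# or ROLE-NOT-FOUND when the listing has no capabilities line at all.
unexpected_caps() {
    awk -v allowed="$ALLOWED" '
        { gsub(/\r/, "") }                      # tolerate CRLF from ssh
        /^Allowed Capabilities:/ {
            found = 1
            sub(/^Allowed Capabilities:[ \t]*/, "")
            n = split($0, caps, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (caps[i] != "" && caps[i] !~ allowed) print caps[i]
        }
        END { if (!found) print "ROLE-NOT-FOUND" }'
}

# Exit 0 only if the role exists and holds read-only capabilities alone;
# otherwise list the offending capabilities on stderr and exit 1.
audit_role() {
    bad=$(unexpected_caps)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" >&2
    return 1
}

# Constructed sample listings (not captured from a real controller).
sample_ok() {
    printf 'Name:    ReadOnly\nInfo:\nAllowed Capabilities: login-http-admin,api-volume-list-info,api-system-get-info\n'
}
sample_drifted() {
    printf 'Name:    ReadOnly\nInfo:\nAllowed Capabilities: login-http-admin,api-volume-list-info,api-volume-create,cli-*\n'
}

# Real use after the push job finishes (controller names are placeholders):
#   for c in filer01 filer02; do
#       ssh "$c" useradmin role list ReadOnly | audit_role || echo "$c: role differs"
#   done
```

Running the same check on a schedule also catches a role that is later widened by hand on a single controller.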