2013-08-19 12:19 PM
Looking through the KB, there are a number of RBAC privs that need to be listed. As I try to work with a customer who is using VSC at their site, am wondering what the minimum perms are needed at the snapmirror destination site. Outside of the requirement for api-snapmirror-update & login-http, am wondering if all the others are actually required for the backup/recovery user.
There are more perms here than I wish to actually turn over, as an example: api-igroup-destroy, api-lun-unmap, api-nfs-exportfs-appen-rules-2 & api-nfs-exportfs-modify-rule-2, api-snapshot-delete, api-snapshot-rename, api-system-cli, api-volume-destroy, api-volume-offline, cli-ifconfig
I can see why some of these would be needed at the primary site, but at the destination - only if they also have abilities to spin up the VMs and the destination side ESX hosts are in the same vCenter - not the case in our environment.
Goal: Allow for the customer to use VSC Backup & Recovery at their site without issue (don't want errors to show up because of restrictions at the destination), allow for the customer to execute a snapmirror update.
2013-08-19 12:25 PM
Jim, you should give the RBAC User Creator tool (communities.netapp.com/docs/DOC-19074) a try. It will simplify your life ... at least when it pertains to creating RBAC user names!