VMware Solutions Discussions

OnTap RBAC for VSC @ Snapmirror Destination

JIM_SURLOW
2,429 Views

Looking through the KB, there are a number of RBAC privs that need to be listed.  As I try to work with a customer who is using VSC at their site, am wondering what the minimum perms are needed at the snapmirror destination site.  Outside of the requirement for api-snapmirror-update & login-http, am wondering if all the others are actually required for the backup/recovery user.

There are more perms here than I wish to actually turn over, as an example: api-igroup-destroy, api-lun-unmap, api-nfs-exportfs-appen-rules-2 & api-nfs-exportfs-modify-rule-2, api-snapshot-delete, api-snapshot-rename, api-system-cli, api-volume-destroy, api-volume-offline, cli-ifconfig

I can see why some of these would be needed at the primary site, but at the destination - only if they also have abilities to spin up the VMs and the destination side ESX hosts are in the same vCenter - not the case in our environment.

Goal:  Allow for the customer to use VSC Backup & Recovery at their site without issue (don't want errors to show up because of restrictions at the destination), allow for the customer to execute a snapmirror update.

Thoughts?

TIA,

Jim

1 REPLY 1

dbkelly
2,429 Views

Jim, you should give the RBAC User Creator tool (communities.netapp.com/docs/DOC-19074) a try.   It will simplify your life ... at least when it pertains to creating RBAC user names!

Public