Rapid Cloning Utility 3.0 - RBAC

by costea Former NetApp Employee on ‎2010-02-18 06:21 AM

There are two methods for configuring Role-Based Access Control (RBAC) within the Rapid Cloning Utility.  The first is controller-based where users are configured on the controller with varying permissions allowed for storage based operations.  The second is based on vCenter privileges and allows for the creation of roles that can be assigned to various users.

Controller-based RBAC

The controller-based RBAC approach blocks VI client users from having access to storage functionality that may only be allowed by the storage administrator.  Based on the user that was selected when adding the controller to the Rapid Cloning Utility, certain functionality will be enabled and disabled respectively in the UI.  For example, a controller that was added with a user role of “Create Clones” can only access the “Create rapid clones” wizard.  Note that controllers that are on the domain do not need to be added with the domain name specified as part of the username.  Only the username must be specified.  The graphical representation below shows the 4 controller-based roles supplied by RCU:

Create Clones

  • Minimum role (required to add controller)
  • Permission to use file level flexclone to clone VMs
  • Required APIs:
    • api-system-get-version

    • login-http-admin

    • api-system-get-info

    • api-system-cli

    • api-license-list-info

    • cli-ifconfig

    • api-aggr-list-info

    • api-volume-list-info

    • api-lun-list-info

    • api-lun-map-list-info

    • api-igroup-list-info

    • api-ems-autosupport-log

    • api-file-get-file-info

    • api-clone-*

    • api-file-create-directory

    • api-file-read-file

    • api-file-delete-file

    • api-file-write-file

    • cli-mv

    • api-file-delete-directory

    • cli-ndmpd

    • cli-ndmpcopy

    • api-useradmin-user-list

    • api-cf-status

    • api-snapshot-list-info

    • api-volume-autosize-get

    • api-iscsi-session-list-info
    • api-iscsi-portal-list-info

    • api-fcp-service-status

    • api-iscsi-service-status

    • cli-df

    • api-snapmirror-get-volume-status

    • api-quota-report

    • api-qtree-list

    • api-system-api-list

    • api-vfiler-list-info

The steps below show how to create a user and assign the ‘Create Clones’ Role to the user:

>useradmin role add rcuCreateClonesRole1 -a api-aggr-list-info,api-cf-status,api-clone-*,api-ems-autosupport-log,api-fcp-service-status,
>useradmin role add rcuCreateClonesRole2 -a api-iscsi-session-list-info,api-license-list-info,api-lun-list-info,api-lun-map-list-info,
>useradmin role add rcuCreateClonesRole3 -a cli-df,api-snapmirror-get-volume-status,api-quota-report,api-qtree-list,api-system-api-list,
>useradmin group add rcuCreateClones -r rcuCreateCloneRole1,rcuCreateCloneRole2,rcuCreateCloneRole3
>useradmin user add rcuCreateClonesUser -g rcuCreateClones

Create Storage

  • Includes previous role
  • Permission to create storage objects (Create Volume/LUN)
  • Additional APIs:
    • api-volume-create
    • api-volume-set-option
    • api-volume-autosize-set
    • api-sis-enable
    • api-sis-start
    • api-snapshot-create
    • api-snapshot-set-reserve
    • api-volume-clone-create
    • api-nfs-exportfs-list-rules-2
    • api-nfs-exportfs-modify-rule-2
    • api-nfs-exportfs-load-exports
    • api-igroup-create
    • api-lun-create-by-size
    • api-lun-map
    • api-lun-set-comment
    • api-igroup-add
    • cli-qtree
    • cli-iscsi

To create a user and assign the ‘Create Storage’ Role to the user you must first create the ‘Create Clones’ Role as described above.  The example below shows how to create a user and assign the ‘Create Storage’ Role:

>useradmin role add rcuCreateStorageRole -a api-volume-create,api-volume-set-option,api-volume-autosize-set,api-sis-enable,api-sis-start,
>useradmin group add rcuCreateStorage -r rcuCreateStorageRole
>useradmin user add rcuCreateStorageUser -g rcuCreateClones,rcuCreateStorage

Modify Storage

  • Includes previous roles
  • Permission to manipulate storage objects (Resize Volume/LUN, Manage Deduplication settings)
  • Additional APIs
    • api-volume-size
    • api-sis-disable
    • api-sis-stop
    • api-lun-resize

The example below shows how to create a user and assign the ‘Modify Storage’ Role:

>useradmin role add rcuModifyStorageRole -a api-volume-size,api-sis-disable,api-sis-stop,api-lun-resize
>useradmin group add rcuModifyStorage -r rcuModifyStorageRole
>useradmin user add rcuModifyStorageUser -g rcuCreateClones,rcuCreateStorage,rcuModifyStorage

Destroy Storage

  • Includes previous roles
  • Permission to destroy storage objects (Destroy Volume/LUN)
  • Additional APIs
    • api-volume-offline
    • api-volume-destroy
    • api-lun-offline
    • api-lun-destroy

The example below shows how to create a user and assign the ‘Destroy Storage’ Role:

>useradmin role add rcuDestroyStorageRole -a api-volume-offline,api-volume-destroy,api-lun-offline,api-lun-destroy
>useradmin group add rcuDestroyStorage -r rcuDestroyStorageRole
>useradmin user add rcuDestroyStorageUser -g rcuCreateClones,rcuCreateStorage,rcuModifyStorage,rcuDestroyStorage

vCenter RBAC

The Rapid Cloning Utility 3.0 has added the privileges shown in the screen capture below to the vCenter privilege list:


This privilege allows users to add/remove storage controllers from RCU as well as configure the properties (aggregates, volumes, and interfaces) that can be used when provisioning new storage or cloning virtual machines.  The controller configuration screen is found on the storage controllers tab under the home view of the Rapid Cloning Utility.  The ‘Configure’ privilege must be given at the vCenter Server level.  Assigning this privilege on any other object within the inventory will have no effect.  Please note that these privileges must be granted in addition to the privileges required by vCenter.  For example, you need to have rights to create a datastore on a host in addition to the NetApp Rapid Cloning Utility=>Datastore=>Provision privilege.

Create Rapid Clones

This privilege allows users to access the rapid clones wizard within the Rapid Cloning Utility.  The wizard provides the functionality of creating new virtual machine clones on NetApp storage as well as importing those clones into VMware View and Citrix XenDesktop.

Datastore => Manage datastores

The 'Manage' datastores role provides assigned users with the ability to resize datastores, manage deduplication settings for underlying volumes, as well as destroy datastores on NetApp storage controllers.

Datastore => Provision

The 'Provision" privilege gives the user access to the provision datastores wizard within the Rapid Cloning Utility.  The wizard allows the creation of NFS and VMFS (FCP/iSCSI) based datastores on NetApp storage controllers.

Re-deploy clones

This privilege gives users access to the re-deploy functionality found on the re-deploy tab within the home view of the Rapid Cloning Utility.  Users are presented with baseline virtual machines and allowed to choose which virtual machine children clones can be re-deployed.  Please note that in this release, the ‘Re-Deploy clones’ privilege must be given at the vCenter Server level.  Assigning this privilege on any other object within the inventory will have no effect.


This NetApp Community is public and open website that is indexed by search engines such as Google. Participation in the NetApp Community is voluntary. All content posted on the NetApp Community is publicly viewable and available. This includes the rich text editor which is not encrypted for https.

In accordance to our Code of Conduct and Community Terms of Use DO NOT post or attach the following:

  • Software files (compressed or uncompressed)
  • Files that require an End User License Agreement (EULA)
  • Confidential information
  • Personal data you do not want publicly available
  • Another’s personally identifiable information
  • Copyrighted materials without the permission of the copyright owner

Files and content that do not abide by the Community Terms of Use or Code of Conduct will be removed. Continued non-compliance may result in NetApp Community account restrictions or termination.