Discuss NetApp solutions for Microsoft Private Cloud and the Hyper-V platform, including FlexPod Datacenter, OnCommand Plug-in for Microsoft, and ONTAP PowerShell Toolkit.
I'm trying to abide by the Least Privilege model and create a role that only has the privileges needed to run a PowerShell script I plan to run that has these cmdlets:

    Connect-NcController
    Get-NcFile
    New-NcSymlink
    Add-NcCifsSymlink
    Remove-NcCifsSymlink
    Remove-NcFile

I have figured out that the Connect-NcController runs a few APIs before it returns so it needs exact privileges. Here is what I have in my role so far:

    > security login rest-role show -vserver prod1 -role createlink
               Role                                                     Access
    Vserver    Name          API                                        Level
    ---------- ------------- ------------------------------------------ --------
    prod1      createlink    /api/cluster                               readonly
                             /api/protocols/cifs/unix-symlink-mapping   all
                             /api/storage/volumes                       readonly
                             "/api/storage/volumes/*/files"             all
                             /api/svms                                  readonly

When I run Connect-NcController, pointing to a vserver, with the credentials of the account that is assigned the limited role, it seems to connect just fine. However, no matter which cmdlet I run afterward, I get the following error:

    The remote server returned an error: (403) Forbidden.

After that one failed cmdlet, the rest of them run just fine. If I authenticate with an account that has more privileges (e.g. vsadmin-volume) it doesn't have this issue. So, I assume it is a privilege problem, but I have no way of knowing which one. As far as I can tell 'security audit log show' doesn't show API calls that were declined for lack of permission so I can't figure it out that way. I already added the /api/clusters and /api/svms to get as far as I have.

One oddity that I did see from 'security audit log show' was when I run with the limited role, I see this API get called, but never finish (i.e. I only see the "Pending" and not "Success" or "Error"):

    GET /api/private/cli/system/node/virtual-machine/instance/show-settings?fields=consumer :: Pending

When I run with an account with more privileges, that API call finishes. I tried giving permissions to that API path to my limited role, but it didn't seem to help, in that the problem is still there, and that API never seems to generate any results.

If anyone has any ideas how to resolve this problem, I would be greatly appreciative. Is there a way to get the cmdlets to show the APIs it is making? And if you can't help with that, can you help me totally suppress the error message? I tried adding -ErrorAction SilentlyContinue but I still see an error.

Here is the script I am running:

    $controller = "198.19.255.116" # Vserver Management port
    #
    # This is the path to where you want the symbolic link to reside using
    # a full path starting with /vol/volume_name/
    $fileToCreate = "/vol/app1/testlink"
    #
    # This is where you want the link to point to. It should NOT start with
    # /vol/volume_name/ and MUST end with a '/'. For a UNIX client, it will
    # be redirected to this path.
    $whereToPointTo = "/test-destination/subdir/"
    #
    # For a CIFS client, with a CIFS Symbolic link, they don't follow the
    # path the UNIX link points to, it is more of a pattern match
    # and is replaced with what $cifsPath is set to.
    $cifsPath = "/cifspath/"
    #
    # If using a "wide" CIFS Symbolic link, the client can be redirected to
    # another CIFS share as well as the path. But, in this case, we are
    # using a "local" CIFS Symbolic Link, so the client will be redirected
    # to the same share where the link resides.
    $shareName = "app1"
    #
    # Prompt for the credentials of the account to connect with.
    $credential = Get-Credential
    $connection = Connect-NcController -Name $controller -Credential $credential
    if ($null -ne $connection) {
        Write-Host "Connected to $controller as $($credential.UserName)."
        #
        # For some strange reason the first call always fails, so just do one and ignore it.
        # Unfortunately, this command generates an error message no matter what I set the ErrorAction
        # to. There might be another command that will honor it.
        Get-NcFile -Path $fileToCreate -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    } else {
        Write-Host "Failed to connect to $controller!"
        exit
    }
    #
    # Check to see if the file already exists. If it does, remove it.
    $fileProperties = Get-NcFile -Path $fileToCreate -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    if ($null -ne $fileProperties) {
        Write-Host "Removing cifssymlink $whereToPointTo"
        Remove-NcCifsSymlink -UnixPath $whereToPointTo -Confirm:$false
        Write-Host "Removing UNIX link $fileToCreate"
        Remove-NcFile -Path $fileToCreate -Confirm:$false
    }
    Write-Host "Creating new UNIX symlink $fileToCreate to $whereToPointTo"
    New-NcSymlink -Target $whereToPointTo -LinkName $fileToCreate
    Write-Host "Creating new cifs symlink for $whereToPointTo should redirect to $sharename$whereToPointTo$cifsPath"
    Add-NcCifsSymlink -UnixPath $whereToPointTo -CifsPath $cifsPath -Locality local -ShareName $shareName
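An added example, not part of the original post or of the toolkit: it pairs the Pending entries of audit-log request lines with their Success/Error entries, then reports each request that never completed and whether its path falls under any entry of the limited role. The log lines are constructed in the shape quoted in the post, and the function names and the matching rule (an entry covers its path and everything below it, `*` stands for one path segment) are assumptions.

```powershell
# Role entries copied from the 'security login rest-role show' output in the post.
$roleApis = '/api/cluster', '/api/protocols/cifs/unix-symlink-mapping',
            '/api/storage/volumes', '/api/storage/volumes/*/files', '/api/svms'

# Constructed audit-log request lines in the "<method> <uri> :: <state>" shape quoted in the post.
$auditLines = @(
    'GET /api/cluster :: Pending'
    'GET /api/cluster :: Success'
    'GET /api/svms?fields=name :: Pending'
    'GET /api/svms?fields=name :: Success'
    'GET /api/private/cli/system/node/virtual-machine/instance/show-settings?fields=consumer :: Pending'
)

function Test-RoleCoversPath {
    param([string]$Path, [string[]]$RoleApis)
    foreach ($api in $RoleApis) {
        # Assumption: an entry covers its path and everything below it; '*' is one path segment.
        $pattern = '^' + ([regex]::Escape($api) -replace '\\\*', '[^/]+') + '(/|$)'
        if ($Path -match $pattern) { return $true }
    }
    return $false
}

function Get-UnfinishedRequest {
    param([string[]]$Lines, [string[]]$RoleApis)
    $open = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<req>\S+ \S+) :: (?<state>\w+)$') {
            $req = $Matches['req']
            # Pending opens a request; any other state (Success, Error) closes it.
            $delta = if ($Matches['state'] -eq 'Pending') { 1 } else { -1 }
            $open[$req] = [int]$open[$req] + $delta
        }
    }
    foreach ($req in @($open.Keys)) {
        if ($open[$req] -gt 0) {
            # Strip the query string before comparing against the role entries.
            $path = ($req -split ' ')[1] -replace '\?.*$', ''
            [pscustomobject]@{
                Request       = $req
                CoveredByRole = Test-RoleCoversPath -Path $path -RoleApis $RoleApis
            }
        }
    }
}

Get-UnfinishedRequest -Lines $auditLines -RoleApis $roleApis | Format-List
```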
Hello, We have a NetApp SANtricity (E-Series) array and are planning to use it as storage for a Hyper-V cluster (Windows Server). Has anyone implemented this setup before? What are your experiences regarding performance and stability? Are there any best practices or pitfalls to be aware of (iSCSI, MPIO, CSV, etc.)? I know ONTAP is better for this usage, but can I get really good performance for VMs in a production environment? Thanks for your feedback and recommendations!
Hi everyone. I'm fairly new to PowerShell. I was tasked with verifying all of our scripts run in PowerShell 7. Currently they are running in PowerShell 5. When used in PowerShell 5, the Get-NcVol command works perfectly, but in PowerShell 7 it misses nearly all of our volumes. I installed the latest version of NetApp PowerShell Toolkit (ver. 9.17.1), but no change. I'm puzzled by this behavior. The main issue right now is the command: Get-NcVol.

Example: PowerShell 5.

    PS C:\Users\_dhiggins> $volumes = Get-NcVol
    PS C:\Users\_dhiggins> $volumes.count
    566   <-- this is correct

Example: PowerShell 7:

    PS C:\Users\_dhiggins> $volumes = Get-NcVol
    PS C:\Users\_dhiggins> $volumes.count
    23   <-- Why?? Nothing changed.

We are using Windows Server 2022 Standard, ver. 21H2 (PowerShell 7 is running in Visual Studio Code), fully updated. Has anyone encountered this? Do I need to use the Get-NcVol command differently in PS7?? I am unable to find a solution. I contacted NetApp and they directed me here.

Thank you,
Doug
I created a new role that should only have snapshot permissions to volumes ending with _stg:

    security login role create -role stg-admin -vserver dc -cmddirname "volume" -access readonly
    security login role create -role stg-admin -vserver dc -cmddirname "vserver" -access readonly
    security login role create -role stg-admin -vserver dc -cmddirname "network interface" -access readonly
    security login role create -role stg-admin -vserver dc -cmddirname "volume snapshot" -query "-volume *_stg" -access all

A new user with that role is not able to delete a random snapshot for vol1, but is able to delete snapshots from vol2_stg. So permissions are working properly. The problem is I'm getting "Remove-NcSnapshot : [403]: not authorized for that command" on both examples, even when it does successfully delete the vol2_stg vol snapshot. Am I missing a permission it's expecting even though it is successfully deleting them? Or is this a bug in NetApp.ONTAP module?
I use PowerShell to create a script; the ONTAP PowerShell version is 9.14.1. I use the Get-NcDisk command to get disk information, and my environment is a simulator. At the beginning the Get-NcDisk command could be used, but suddenly I can't use Get-NcDisk, and the system forces me to use -zapi to perform it, but ZAPI can't get some information. For example, when I don't use -zapi I can see the Shelf ID, but if I use -zapi the Shelf ID field is empty. How can I fix this problem?