ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

ApplianceWatch PRO - OnTap Roles

watan
NetApp Alumni
‎2010-08-02 01:53 PM
6,098 Views

We've been getting a lot of questions regarding AppWatch security. Here's a list from 2.0 that will help lock down users with specific roles/tasks within AppWatch.   The following list of roles needs to be created on a specific user or group on the storage array.  You can add or remove functionality as you like.

AppWatch MP, discovery & monitoring

  • aggr-list-info
  • aggr-options-list-info
  • cf-status
  • disk-list-info
  • ems-autosupport-log
  • lun-get-attribute
  • lun-get-serial-number
  • lun-get-space-reservation-info
  • lun-list-info
  • perf-object-get-instances
  • qtree-list
  • quota-report-iter-start/next/end
  • snapmirror-get-status
  • snmp-get
  • storage-shelf-environment-list-info
  • storage-shelf-list-info
  • system-get-info
  • system-get-ontapi-version
  • system-get-version
  • system-get-vendor-info
  • vfiler-list-info
  • volume-list-info

AppWatch MP, console tasks

These tasks have GUI interfaces that allow alternate credentials to be entered.

  • license-list-info
  • lun-list-info
  • sis-disable
  • sis-enable
  • sis-start
  • sis-stop
  • system-get-version
  • volume-autosize-get
  • volume-autosize-set
  • volume-list-info
  • volume-size

AppWatch PRO MP, discovery & monitoring

  • license-list-info
  • lun-list-info
  • system-get-version
  • volume-list-info

AppWatch PRO MP, PRO Tip auto-remediation

  • license-list-info
  • lun-list-info
  • lun-online
  • sis-enable
  • sis-start
  • system-get-version
  • volume-list-info
  • volume-online
  • volume-size
0 Kudos
View By:
8 REPLIES 8

watan
NetApp Alumni
‎2010-08-02 01:55 PM
6,098 Views

*Will need different roles for 2.1 but most should remain the same.  We will be adding more roles as new functionality has been released in 2.1*

0 Kudos

waynehapu
‎2011-01-09 02:20 PM
In response to watan
6,098 Views

Hi Watan,

We are installing/using AppWatch 2.1.1. Have you got an updated (full) list of roles for AppWatch 2.1.1?

Thanks in Advance.

WH

0 Kudos

watan
NetApp Alumni
‎2011-01-10 08:14 AM
In response to waynehapu
6,098 Views

Hi WH,

Here is the bit from the AW2.1.1 BPG which will be released soon.  This is the bare minimum for AppWatch to have basic monitoring  functionality.  Any advanced features such as PRO, Cloning, etc will not be covered with these roles.

1.1       BEST PRACTICES for NETAPP STORAGE MINIMAL ACCESS CONTROL

In some IT environments, a detailed assignment of the minimal permissions is required. Table 3 describes the capabilities that are needed to connect to the storage system from ApplianceWatch PRO and gather monitoring data by using a local account on the storage system. This set of capabilities is purely for monitoring ApplianceWatch PRO basic functions and does not include any of the advanced features. This local Data ONTAP account will need to be assigned a customized role and contain the following capabilities.

Note: These are the minimum requirements for basic monitoring only and do not contain any active management, cmdlets, or SCVMM PRO functionality.

Table 3) Minimum capabilities for NetApp storage users for monitoring with ApplianceWatch PRO.

NetApp Storage   Capabilities

login-http-admin

api-system-get-version

api-system-get-info

api-system-get-vendor-info

api-cf-status

api-system-get-ontapi-version

api-vfiler-list-info

api-ems-autosupport-log

api-aggr-list-info

api-volume-list-info

api-lun-list-info

api-disk-list-info

api-storage-shelf-list-info

api-license-list-info

api-lun-map-list-info

api-volume-autosize-get

api-aggr-options-list-info

api-qtree-list, api-storage-shelf-environment-list-info

api-lun-get-space-reservation-info

api-volume-options-list-info

api-perf-object-get-instances

api-snmp-get

api-snapmirror-get-status

Example: Sample command to add/modify a custom role.

useradmin role modify scom-user-roles -a login-http-admin,api-system-get-version,api-system-get-info,api-system-get-vendor-info,api-cf-status,api-system-get-ontapi-version,api-vfiler-list-info,api-ems-autosupport-log,api-aggr-list-info,api-volume-list-info,api-lun-list-info,api-disk-list-info,api-storage-shelf-list-info,api-license-list-info,api-lun-map-list-info,api-volume-autosize-get,api-aggr-options-list-info,api-qtree-list,api-storage-shelf-environment-list-info,api-lun-get-space-reservation-info,api-volume-options-list-info,api-perf-object-get-instances,api-snmp-get,api-snapmirror-get-status

0 Kudos

waynehapu
‎2011-01-10 01:54 PM
In response to watan
6,099 Views

Much appreciated - thanks Watan.

WH

0 Kudos

regis_graf
‎2011-05-25 05:43 AM
In response to watan
6,098 Views

Hi Watan

Do you know when (or if it as already be released where) this AW best practice guide will be available ?

Thanks in advanced

Regis

0 Kudos

regis_graf
‎2011-05-25 06:27 AM
In response to watan
6,098 Views

Thanks a lot. I did not find anything using the internal search engine. I should have used google instead.

0 Kudos

watan
NetApp Alumni
‎2011-05-25 06:34 AM
In response to regis_graf
6,098 Views

Sure np.  Please let us know if you find any gaps or any areas we can improve in the docs.

0 Kudos
Announcements
All Community Forums
Public