https://community.netapp.com/t5/ONTAP-Rest-API-Discussions/Debug-permission-issues-with-POST-storage-volume/m-p/166948#M200 <P>I tried recreating your scenario to see if I could see the same. I wasn't successful in recreating the problem.</P><P>&nbsp;</P><P>As far as debugging goes, there are a few steps I would try in general to figure out where and why a request might fail. I've listed these at increasing levels of diagnostic necessity as well as difficulty:</P><P>&nbsp;</P><P>1. Use curl or Postman or some client that will easily show you the response headers and body</P><LI-CODE lang="markup">~/$ curl -iku storage https://xx.xx.xx.xx/api/storage/volumes Enter host password for user 'storage': HTTP/1.1 401 Unauthorized Date: Tue, 18 May 2021 16:57:52 GMT Server: Apache X-Content-Type-Options: nosniff Cache-Control: no-cache,no-store,must-revalidate WWW-Authenticate: Basic realm="ONTAP" Content-Length: 65 Content-Type: text/html; charset=iso-8859-1 {"error":{"code":"6691623", "message":"User is not authorized."}}~/$ ~/$</LI-CODE><P>2. Look at the web server logs in ONTAP to see if there are any error messages:</P><LI-CODE lang="markup">[Tue May 18 14:04:51.521561 2021 +0000] [dot:error] [pid 7483:tid 34395781888] [client xx.xx.xx.xx:44680] [vserver ID 2] [service rest] Authentication denied for user storage, application http [Tue May 18 14:04:55.538032 2021 +0000] [auth_basic:error] [pid 7483:tid 34395781888] [client xx.xx.xx.xx:44680] AH01617: user storage: authentication failure for "/api/storage/volumes": Password Mismatch</LI-CODE><P>3. Trace the API through the server and compare the trace to a call you know works:</P><LI-CODE lang="markup">~/$ curl -iku storage -H "X-Trace-Threshold: 0" https://xx.xx.xx.xx/api/storage/aggregates Enter host password for user 'storage': HTTP/1.1 403 Forbidden Date: Tue, 18 May 2021 17:00:53 GMT Server: libzapid-httpd X-Content-Type-Options: nosniff Cache-Control: no-cache,no-store,must-revalidate Content-Length: 41092 Content-Type: application/hal+json { "error": { "message": "not authorized for that command", "code": "6" }, "trace_output": " TRACE RESULTS --------------------------------------------------------------------------------- Node Thread Time(s) Net Bytes Max Bytes Alloc Bytes Freed Bytes Allocs -------------- ------ -------- --------- --------- ----------- ----------- ------ mycluster main 0.001635 54040 54136 178392 124352 1032 --------------------------------------------------------------------------------- TOTAL 0.001635 54040 54136 178392 124352 1032 %Parent / Label Method Dst Num !Ok Time(us) Max Min Avg Net Bytes Max Bytes Alloc Bytes Freed Bytes Allocs ------------------------------------------------------- --------------------- --- --- --- -------- ---- ---- ---- --------- --------- ----------- ----------- ------ 100% REST svr 1 0 1635 1635 1635 1635 54040 54136 178392 124352 1032 .. 6% *unaccounted* 1 0 113 - - 113 12360 - 17816 5456 39 .. 2% sequential_identifier get svr 1 0 46 46 46 46 0 2016 2688 2688 8 &lt; snipped for brevity &gt; Latency of printTrace: 0.003956s. Memory: 98336 net used, 163872 max, 4648624 allocated, 4550288 freed, 7396 allocations. " }~/$ ~/$</LI-CODE><P>&nbsp;</P><P>Hopefully that gives you somewhere to start looking.</P> Tue, 18 May 2021 17:19:42 GMT RobertBlackhart 2021-05-18T17:19:42Z https://community.netapp.com/t5/ONTAP-Rest-API-Discussions/Debug-permission-issues-with-POST-storage-volume/m-p/166939#M199 <P>Hi guys,</P><P>&nbsp;</P><P>I would like to automate volume cloning by RestAPI.&nbsp; It should not run as admin, only with needed permission on SVM level.</P><P>Following rest-role is created:</P><P>&nbsp;</P><P>Users are defines as follows:</P><LI-CODE lang="markup">security login show -user-or-group-name DOM\storage Vserver: Cluster1 Second User/Group Authentication Acct Authentication Name Application Method Role Name Locked Method -------------- ----------- ------------- ---------------- ------ -------------- DOM\storage http domain readonly - none Vserver: SVM1 Second User/Group Authentication Acct Authentication Name Application Method Role Name Locked Method -------------- ----------- ------------- ---------------- ------ -------------- DOM\storage http domain ExchangeRestore - none </LI-CODE><P>&nbsp;</P><P>Rest Role:</P><LI-CODE lang="markup">security login rest-role show -vserver SVM1 -role ExchangeRestore Role Access Vserver Name API Level ---------- ------------- ------------------- ------ SVM1 ExchangeRestore /api/protocols/san readonly /api/protocols/san/lun-maps all /api/storage readonly /api/storage/luns all /api/storage/volumes all /api/svm readonly </LI-CODE><P>&nbsp;</P><P>It works for Read of LUN / Volume / Snapshot.&nbsp;It doesn't work for Volume POST operation (vol clone).&nbsp;</P><P>In this case, an log-in window in the browser opens and asking for login. There are somewhere permissions missing.</P><P>&nbsp;</P><P>Is there a way to debug the RestAPI?</P><P>&nbsp;</P><P>Marcis</P> Wed, 04 Jun 2025 10:24:28 GMT https://community.netapp.com/t5/ONTAP-Rest-API-Discussions/Debug-permission-issues-with-POST-storage-volume/m-p/166939#M199 marcusgross 2025-06-04T10:24:28Z https://community.netapp.com/t5/ONTAP-Rest-API-Discussions/Debug-permission-issues-with-POST-storage-volume/m-p/166948#M200 <P>I tried recreating your scenario to see if I could see the same. I wasn't successful in recreating the problem.</P><P>&nbsp;</P><P>As far as debugging goes, there are a few steps I would try in general to figure out where and why a request might fail. I've listed these at increasing levels of diagnostic necessity as well as difficulty:</P><P>&nbsp;</P><P>1. Use curl or Postman or some client that will easily show you the response headers and body</P><LI-CODE lang="markup">~/$ curl -iku storage https://xx.xx.xx.xx/api/storage/volumes Enter host password for user 'storage': HTTP/1.1 401 Unauthorized Date: Tue, 18 May 2021 16:57:52 GMT Server: Apache X-Content-Type-Options: nosniff Cache-Control: no-cache,no-store,must-revalidate WWW-Authenticate: Basic realm="ONTAP" Content-Length: 65 Content-Type: text/html; charset=iso-8859-1 {"error":{"code":"6691623", "message":"User is not authorized."}}~/$ ~/$</LI-CODE><P>2. Look at the web server logs in ONTAP to see if there are any error messages:</P><LI-CODE lang="markup">[Tue May 18 14:04:51.521561 2021 +0000] [dot:error] [pid 7483:tid 34395781888] [client xx.xx.xx.xx:44680] [vserver ID 2] [service rest] Authentication denied for user storage, application http [Tue May 18 14:04:55.538032 2021 +0000] [auth_basic:error] [pid 7483:tid 34395781888] [client xx.xx.xx.xx:44680] AH01617: user storage: authentication failure for "/api/storage/volumes": Password Mismatch</LI-CODE><P>3. Trace the API through the server and compare the trace to a call you know works:</P><LI-CODE lang="markup">~/$ curl -iku storage -H "X-Trace-Threshold: 0" https://xx.xx.xx.xx/api/storage/aggregates Enter host password for user 'storage': HTTP/1.1 403 Forbidden Date: Tue, 18 May 2021 17:00:53 GMT Server: libzapid-httpd X-Content-Type-Options: nosniff Cache-Control: no-cache,no-store,must-revalidate Content-Length: 41092 Content-Type: application/hal+json { "error": { "message": "not authorized for that command", "code": "6" }, "trace_output": " TRACE RESULTS --------------------------------------------------------------------------------- Node Thread Time(s) Net Bytes Max Bytes Alloc Bytes Freed Bytes Allocs -------------- ------ -------- --------- --------- ----------- ----------- ------ mycluster main 0.001635 54040 54136 178392 124352 1032 --------------------------------------------------------------------------------- TOTAL 0.001635 54040 54136 178392 124352 1032 %Parent / Label Method Dst Num !Ok Time(us) Max Min Avg Net Bytes Max Bytes Alloc Bytes Freed Bytes Allocs ------------------------------------------------------- --------------------- --- --- --- -------- ---- ---- ---- --------- --------- ----------- ----------- ------ 100% REST svr 1 0 1635 1635 1635 1635 54040 54136 178392 124352 1032 .. 6% *unaccounted* 1 0 113 - - 113 12360 - 17816 5456 39 .. 2% sequential_identifier get svr 1 0 46 46 46 46 0 2016 2688 2688 8 &lt; snipped for brevity &gt; Latency of printTrace: 0.003956s. Memory: 98336 net used, 163872 max, 4648624 allocated, 4550288 freed, 7396 allocations. " }~/$ ~/$</LI-CODE><P>&nbsp;</P><P>Hopefully that gives you somewhere to start looking.</P> Tue, 18 May 2021 17:19:42 GMT https://community.netapp.com/t5/ONTAP-Rest-API-Discussions/Debug-permission-issues-with-POST-storage-volume/m-p/166948#M200 RobertBlackhart 2021-05-18T17:19:42Z