https://community.netapp.com/t5/ONTAP-Discussions/Customized-RBAC-in-cDOT-8-2-3/m-p/106637#M21938 <P>Hello, comrades!</P><P>&nbsp;</P><P>So, our shop is relatively small, and I'm basically the only storage guy. Things are changing, though, and I need to pass off some lightweight, repeatable, and relatively low-impact duties to a handful of NOC folks. I don't want to give them the keys to the kingdom, so I want to cook up a new role for them that can do the stuff they need to do.&nbsp;<SPAN>Specifically they'll&nbsp;need to be able to run regular health checks (as our environment doesn't allow for automatic ASUP uploads), and to provision storage.&nbsp;</SPAN></P><P>&nbsp;</P><P>I get how to create a security role in cDOT (<STRONG>sec login role create -role NOC -access readonly -cmddirname "cluster peer show"&nbsp;</STRONG>or <STRONG>... -access all -cmddirname "volume modify"&nbsp;</STRONG>and stuff like that). What I'm not sure about&nbsp;whether I can allow this role to&nbsp;<STRONG>set diag&nbsp;</STRONG>and run diagnostic privileged commands, and if I can, how to do it? Is it as simple as&nbsp;<STRONG>... -access all -cmddirname "set"</STRONG>? What unintended consequences and privileges, if any, would I be conferring on this role if I did that?</P><P>&nbsp;</P><P>Thanks all!</P> Thu, 05 Jun 2025 04:08:25 GMT SMLocke 2025-06-05T04:08:25Z https://community.netapp.com/t5/ONTAP-Discussions/Customized-RBAC-in-cDOT-8-2-3/m-p/106637#M21938 <P>Hello, comrades!</P><P>&nbsp;</P><P>So, our shop is relatively small, and I'm basically the only storage guy. Things are changing, though, and I need to pass off some lightweight, repeatable, and relatively low-impact duties to a handful of NOC folks. I don't want to give them the keys to the kingdom, so I want to cook up a new role for them that can do the stuff they need to do.&nbsp;<SPAN>Specifically they'll&nbsp;need to be able to run regular health checks (as our environment doesn't allow for automatic ASUP uploads), and to provision storage.&nbsp;</SPAN></P><P>&nbsp;</P><P>I get how to create a security role in cDOT (<STRONG>sec login role create -role NOC -access readonly -cmddirname "cluster peer show"&nbsp;</STRONG>or <STRONG>... -access all -cmddirname "volume modify"&nbsp;</STRONG>and stuff like that). What I'm not sure about&nbsp;whether I can allow this role to&nbsp;<STRONG>set diag&nbsp;</STRONG>and run diagnostic privileged commands, and if I can, how to do it? Is it as simple as&nbsp;<STRONG>... -access all -cmddirname "set"</STRONG>? What unintended consequences and privileges, if any, would I be conferring on this role if I did that?</P><P>&nbsp;</P><P>Thanks all!</P> Thu, 05 Jun 2025 04:08:25 GMT https://community.netapp.com/t5/ONTAP-Discussions/Customized-RBAC-in-cDOT-8-2-3/m-p/106637#M21938 SMLocke 2025-06-05T04:08:25Z