https://community.netapp.com/t5/ONTAP-Discussions/Limitations-of-the-cmddirname-query-options-when-creating-new-roles/m-p/147791#M32905 <P>I have a customer who is interested in locking down some users to be able to access specific volumes and perform a limited set of operations on those volumes.</P> <P>&nbsp;</P> <P>Sounds like a perfect scenario to use a custom role.&nbsp; I've done some lab on demand testing to sound out the requirements.</P> <P>&nbsp;</P> <P>The requirements for the role are to have the following commands avaialble.</P> <P>&nbsp;</P> <P><SPAN>vol snapshot create</SPAN></P> <P><SPAN> vol snapshot delete </SPAN></P> <P><SPAN>vol snapshot show </SPAN></P> <P><SPAN>vol snapshot restore </SPAN></P> <P><SPAN>set -confirmations off</SPAN></P> <P>&nbsp;</P> <P><SPAN>So far so good.&nbsp; The second requirement is that of each user should only be able to perform the above options on a specific set of volumes.&nbsp; To make it easy lets call them</SPAN></P> <P>&nbsp;</P> <P><SPAN>produser - accessing volumes prod*</SPAN></P> <P><SPAN>testuser - accessing volumes test*</SPAN></P> <P><SPAN>devuser - accessing volumes dev*</SPAN></P> <P>&nbsp;</P> <P><SPAN>The issue I've hit is with the snap restore command set.</SPAN></P> <P>&nbsp;</P> <P>I can create a role with the following</P> <P>sec login role create -role prodrole -cmddirname volume -query "-volume prod*" -access all</P> <P>&nbsp;</P> <P>But this doesn't include the volume snapshot restore commands&nbsp; So we add the follow</P> <P>sec login role create -role prodrole -cmddirname volume snapshot -query "-volume prod*" -access all</P> <P>&nbsp;</P> <P>again this doesn't include the volume snapshot restore commands.</P> <P>&nbsp;</P> <P>So when we attempt to add this final extentionto the allowed commands</P> <P>&nbsp;</P> <P>sec login role create -role prodrole -cmddirname volume snapshot restore&nbsp; -query "-volume prod*" -access all&nbsp;</P> <P>&nbsp;</P> <P>"which includes the snapshot promote command"</P> <P>&nbsp;</P> <P>The wildcard on the query is rejected.&nbsp; So we can only add a single volume here, with multiple volumes required.&nbsp; Is there way to list a set of volumes we can allow the user to perform restores for?&nbsp; Pipe and command seperation doen't seem to apply.&nbsp; I can't see anything in the documentation that hints at adding mulitple valid queries.</P> <P>&nbsp;</P> <P>The prod, test and dev volumes are on the same vserver so to get the granularity we require if possible we'ed need to lock down the command</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 04 Jun 2025 12:39:22 GMT STEVEWILLSQ 2025-06-04T12:39:22Z https://community.netapp.com/t5/ONTAP-Discussions/Limitations-of-the-cmddirname-query-options-when-creating-new-roles/m-p/147791#M32905 <P>I have a customer who is interested in locking down some users to be able to access specific volumes and perform a limited set of operations on those volumes.</P> <P>&nbsp;</P> <P>Sounds like a perfect scenario to use a custom role.&nbsp; I've done some lab on demand testing to sound out the requirements.</P> <P>&nbsp;</P> <P>The requirements for the role are to have the following commands avaialble.</P> <P>&nbsp;</P> <P><SPAN>vol snapshot create</SPAN></P> <P><SPAN> vol snapshot delete </SPAN></P> <P><SPAN>vol snapshot show </SPAN></P> <P><SPAN>vol snapshot restore </SPAN></P> <P><SPAN>set -confirmations off</SPAN></P> <P>&nbsp;</P> <P><SPAN>So far so good.&nbsp; The second requirement is that of each user should only be able to perform the above options on a specific set of volumes.&nbsp; To make it easy lets call them</SPAN></P> <P>&nbsp;</P> <P><SPAN>produser - accessing volumes prod*</SPAN></P> <P><SPAN>testuser - accessing volumes test*</SPAN></P> <P><SPAN>devuser - accessing volumes dev*</SPAN></P> <P>&nbsp;</P> <P><SPAN>The issue I've hit is with the snap restore command set.</SPAN></P> <P>&nbsp;</P> <P>I can create a role with the following</P> <P>sec login role create -role prodrole -cmddirname volume -query "-volume prod*" -access all</P> <P>&nbsp;</P> <P>But this doesn't include the volume snapshot restore commands&nbsp; So we add the follow</P> <P>sec login role create -role prodrole -cmddirname volume snapshot -query "-volume prod*" -access all</P> <P>&nbsp;</P> <P>again this doesn't include the volume snapshot restore commands.</P> <P>&nbsp;</P> <P>So when we attempt to add this final extentionto the allowed commands</P> <P>&nbsp;</P> <P>sec login role create -role prodrole -cmddirname volume snapshot restore&nbsp; -query "-volume prod*" -access all&nbsp;</P> <P>&nbsp;</P> <P>"which includes the snapshot promote command"</P> <P>&nbsp;</P> <P>The wildcard on the query is rejected.&nbsp; So we can only add a single volume here, with multiple volumes required.&nbsp; Is there way to list a set of volumes we can allow the user to perform restores for?&nbsp; Pipe and command seperation doen't seem to apply.&nbsp; I can't see anything in the documentation that hints at adding mulitple valid queries.</P> <P>&nbsp;</P> <P>The prod, test and dev volumes are on the same vserver so to get the granularity we require if possible we'ed need to lock down the command</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 04 Jun 2025 12:39:22 GMT https://community.netapp.com/t5/ONTAP-Discussions/Limitations-of-the-cmddirname-query-options-when-creating-new-roles/m-p/147791#M32905 STEVEWILLSQ 2025-06-04T12:39:22Z https://community.netapp.com/t5/ONTAP-Discussions/Limitations-of-the-cmddirname-query-options-when-creating-new-roles/m-p/148717#M33096 <P>Working with Netapp, this has been logged as the following BURT.</P> <P>&nbsp;</P> <P><A href="https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&amp;Display=1237037" target="_blank">https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&amp;Display=1237037</A></P> Wed, 05 Jun 2019 12:21:27 GMT https://community.netapp.com/t5/ONTAP-Discussions/Limitations-of-the-cmddirname-query-options-when-creating-new-roles/m-p/148717#M33096 STEVEWILLSQ 2019-06-05T12:21:27Z