https://community.netapp.com/t5/ONTAP-Discussions/Restricting-permissions-to-SVMs/m-p/160605#M36702 <P>Thanks,</P> <P><SPAN>I can revoke the cluster level access if that's the case - what's the simplest way to create all access admin role on SVM level?</SPAN></P> <P><SPAN>G</SPAN></P> Fri, 23 Oct 2020 09:08:35 GMT ppadmgeo1 2020-10-23T09:08:35Z https://community.netapp.com/t5/ONTAP-Discussions/Restricting-permissions-to-SVMs/m-p/160589#M36698 <P>We are required to manage devices using AD credentials and normally this is how it is setup(domain-tunnel + we grant access on cluster level)<BR />vserver active-directory create -vserver SVM1 -account-name SVM1 -domain Domain_A -ou CN=Computers<BR />security login domain-tunnel create -vserver SVM1<BR />security login create -vserver [cluster] -user-or-group-name Domain_A\NetApp_AD_Admin_Group -application http -authmethod domain -role admin<BR />security login create -vserver [cluster] -user-or-group-name Domain_A\NetApp_AD_Admin_Group -application ontapi -authmethod domain -role admin<BR />security login create -vserver [cluster] -user-or-group-name Domain_A\NetApp_AD_Admin_Group -application ssh -authmethod domain -role admin</P> <P>&nbsp;</P> <P>What I need to do now is segregate a newly created SVM9 so that:<BR />- main "admin" account should be able to manage SVM9 as well as all others SVMs - this is already in place and inherited<BR />- Domain_B\NetApp_AD_Admin_Group should be able to manage SVM9 - I've already joined it to the domain and it looks like I need to create an admin role on SVM level but it would not let me do something like DEFAULT and all - what's the simplest way to create all access admin role on SVM level?<BR />- Domain_A\NetApp_AD_Admin_Group should have no access - finally, can I grant none permissions to this group?</P> <P>Is that possible?</P> Wed, 04 Jun 2025 10:47:44 GMT https://community.netapp.com/t5/ONTAP-Discussions/Restricting-permissions-to-SVMs/m-p/160589#M36698 ppadmgeo1 2025-06-04T10:47:44Z https://community.netapp.com/t5/ONTAP-Discussions/Restricting-permissions-to-SVMs/m-p/160597#M36700 <P>Hi,</P> <P>&nbsp;</P> <P>A cluster admin has access to manage all the SVMs and cannot be denied to some of them.</P> <P>&nbsp;</P> <P>Gidi</P> Fri, 23 Oct 2020 07:21:07 GMT https://community.netapp.com/t5/ONTAP-Discussions/Restricting-permissions-to-SVMs/m-p/160597#M36700 GidonMarcus 2020-10-23T07:21:07Z https://community.netapp.com/t5/ONTAP-Discussions/Restricting-permissions-to-SVMs/m-p/160605#M36702 <P>Thanks,</P> <P><SPAN>I can revoke the cluster level access if that's the case - what's the simplest way to create all access admin role on SVM level?</SPAN></P> <P><SPAN>G</SPAN></P> Fri, 23 Oct 2020 09:08:35 GMT https://community.netapp.com/t5/ONTAP-Discussions/Restricting-permissions-to-SVMs/m-p/160605#M36702 ppadmgeo1 2020-10-23T09:08:35Z https://community.netapp.com/t5/ONTAP-Discussions/Restricting-permissions-to-SVMs/m-p/160607#M36704 <P>Hello,</P> <P>&nbsp;</P> <P>You should be able to create a role and assigned that role to the user when creating it on that specific SVM9.</P> <P>A command like below:</P> <P>&nbsp;</P> <P>security login role create -role &lt;rolename&gt; -vserver SVM9 -access all&nbsp;-cmddirname Default</P> <P><A href="https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-960%2Fsecurity__login__role__create.html" target="_blank">https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-960%2Fsecurity__login__role__create.html</A></P> <P>Then you use the role created to assign to the user once you created (security login create)</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> Fri, 23 Oct 2020 09:50:30 GMT https://community.netapp.com/t5/ONTAP-Discussions/Restricting-permissions-to-SVMs/m-p/160607#M36704 hmoubara 2020-10-23T09:50:30Z